Storing oAuth state token in Flask session


Problem description

A couple of tutorials on oAuth use the Flask session to store state parameters and access tokens in the flask session. (Brendan McCollam's very useful presentation from Pycon is an example.)

I understand that Flask stores the session in cookies on the client side and that they are fairly easy to expose (see Michael Grinberg's how-secure-is-the-flask-user-session). I tried this myself and was able to see the token, the expiration, etc.

Is it correct to store the state and tokens in the flask session, or should they be stored somewhere else?

Code example:

# Imports the posted snippet relies on (added for completeness). `app` (a Flask
# instance with `secret_key` set, which the cookie session requires) and
# `CONFIG` are defined elsewhere in the poster's application.
from flask import redirect, render_template, request, session, url_for
import requests
from requests_oauthlib import OAuth2Session

@app.route('/login', methods=['GET'])
def login():
    # Build the provider's authorization URL and remember the CSRF state for the callback.
    provider = OAuth2Session(
                   client_id=CONFIG['client_id'],
                   scope=CONFIG['scope'],
                   redirect_uri=CONFIG['redirect_uri'])
    url, state = provider.authorization_url(CONFIG['auth_url'])
    session['oauth2_state'] = state  # lands in the signed client-side session cookie
    return redirect(url)

@app.route('/callback', methods=['GET'])
def callback():
    # OAuth2Session compares the state in the callback URL with the one saved at /login.
    provider = OAuth2Session(CONFIG['client_id'],
                             redirect_uri=CONFIG['redirect_uri'],
                             state=session['oauth2_state'])
    token_response = provider.fetch_token(
                        token_url=CONFIG['token_url'],
                        client_secret=CONFIG['client_secret'],
                        authorization_response=request.url)

    # The access token and its expiry are written to the same client-side cookie.
    session['access_token'] = token_response['access_token']
    session['access_token_expires'] = token_response['expires_at']

    transfers = provider.get('https://transfer.api.globusonline.org/v0.10/task_list?limit=1')  # result unused here

    return redirect(url_for('index'))

@app.route('/')
def index():
    if 'access_token' not in session:
        return redirect(url_for('login'))
    # Call the API with the bearer token read back out of the cookie session.
    transfers = requests.get('https://transfer.api.globusonline.org/v0.10/task_list?limit=1',
                             headers={'Authorization': 'Bearer ' + session['access_token']})
    return render_template('index.html.jinja2',
                           transfers=transfers.json())

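The point the question raises, that the session contents are visible even though the cookie is signed, can be shown without Flask at all. The following is an added example, not the poster's code: a stdlib-only stand-in modelled on the layout of Flask's default session cookie (URL-safe base64 payload, timestamp, HMAC-SHA1 signature derived with the salt `cookie-session`). The exact byte layout, the salt and the function names are this example's assumptions; the property it demonstrates does not depend on them: the payload is readable by anyone holding the cookie, while the signature only stops them from changing it.

```python
import base64
import hashlib
import hmac
import json
import time
from typing import Optional

SALT = b"cookie-session"  # assumption: modelled on Flask's default session salt


def _b64(raw: bytes) -> str:
    """URL-safe base64 without padding, the encoding used inside the cookie."""
    return base64.urlsafe_b64encode(raw).rstrip(b"=").decode("ascii")


def _unb64(text: str) -> bytes:
    return base64.urlsafe_b64decode(text + "=" * (-len(text) % 4))


def _sign(signed_part: str, secret_key: bytes) -> bytes:
    # Key derivation then HMAC over "payload.timestamp" (simplified Flask-style scheme).
    derived_key = hmac.new(secret_key, SALT, hashlib.sha1).digest()
    return hmac.new(derived_key, signed_part.encode("ascii"), hashlib.sha1).digest()


def make_session_cookie(data: dict, secret_key: bytes, now: Optional[int] = None) -> str:
    """Server side: serialise the session dict and sign it. Nothing here encrypts."""
    payload = _b64(json.dumps(data, separators=(",", ":")).encode("utf-8"))
    stamp = int(time.time()) if now is None else int(now)
    timestamp = _b64(stamp.to_bytes(8, "big").lstrip(b"\x00") or b"\x00")
    signed_part = f"{payload}.{timestamp}"
    return f"{signed_part}.{_b64(_sign(signed_part, secret_key))}"


def read_payload_without_key(cookie: str) -> dict:
    """Client side: what anyone holding the cookie can see. No secret is involved."""
    payload = cookie.split(".")[0]
    return json.loads(_unb64(payload))


def verify_session_cookie(cookie: str, secret_key: bytes) -> Optional[dict]:
    """Server side: accept the session only if the signature was made with our key."""
    try:
        payload, timestamp, signature = cookie.split(".")
        presented = _unb64(signature)
    except ValueError:
        return None
    if not hmac.compare_digest(_sign(f"{payload}.{timestamp}", secret_key), presented):
        return None
    return json.loads(_unb64(payload))


def with_replaced_payload(cookie: str, data: dict) -> str:
    """A cookie whose payload was edited but whose signature was left as is."""
    _payload, timestamp, signature = cookie.split(".")
    return f"{_b64(json.dumps(data, separators=(',', ':')).encode('utf-8'))}.{timestamp}.{signature}"


if __name__ == "__main__":
    # Constructed sample: the kind of session the question's code would produce.
    secret = b"constructed-server-secret"
    cookie = make_session_cookie(
        {"oauth2_state": "constructed-state", "access_token": "constructed-token-123"}, secret)
    print("payload readable without the key:", read_payload_without_key(cookie))
    print("verifies with the key:", verify_session_cookie(cookie, secret) is not None)
    print("edited copy rejected:",
          verify_session_cookie(with_replaced_payload(cookie, {"access_token": "x"}), secret) is None)
```

`read_payload_without_key` is the whole of what the question observed: the cookie is integrity-protected, not confidential, so an access token placed in it is exposed to whoever can read the browser's cookie jar, while `verify_session_cookie` shows that the signature still catches modification.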

Recommended answer

I think some tutorials over-simplify in order to show simpler code. A good rule of thumb is to use session cookies only for information that MUST be known by your application and your user's browser, and is not private. That normally translates into a Session ID and possibly other non-sensitive information such as a language selection.

Applying that rule of thumb, I'd suggest the following for each of the tokens:


  1. Authorization Token: this data is by definition known to both the user and the application, so it shouldn't be a security concern to expose it in the cookie. However, there really is no need to keep this token once you're given an access code, so I advise against keeping it locally or in your cookies.

  2. Access Code: this data must be considered secret, and must only be known by your application and the provider. There is no reason to make it known to any other parties, including the user, therefore it should NOT be included in cookies. If you need to store it, keep it locally in your servers (perhaps in your database, referencing your users' session ID).

  3. CSRF State Token: this data is ideally included as a hidden form field and validated against a server-side variable, so cookies seem like an unnecessary complication. But I wouldn't be concerned about this data being in a cookie, since it's part of the response anyway.

Keep in mind there are extensions such as flask-sessions, with which practically the same code uses server-side variables instead of cookie variables.
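The rule of thumb above applied to the question's three values, as an added example that is not part of the answer: the cookie carries only an opaque session ID, the CSRF state and the access token live server-side, the state is consumed on first use, and the token is handed out only while it is unexpired. It is stdlib-only, so an in-memory dict stands in for the database the answer suggests; the store, the function names and the constructed token response are this example's assumptions.

```python
import hmac
import secrets
import time
from typing import Optional

# session_id -> per-session record. Constructed stand-in for a database table
# keyed by the session ID that the cookie carries.
_STORE: dict = {}


def new_session() -> str:
    """The only value that goes into the cookie: random, opaque, reveals nothing."""
    sid = secrets.token_urlsafe(32)
    _STORE[sid] = {}
    return sid


def begin_authorization(sid: str) -> str:
    """Before redirecting to the provider: generate the CSRF state and keep it server-side."""
    state = secrets.token_urlsafe(32)
    _STORE[sid]["oauth2_state"] = state
    return state  # goes into the authorization URL's state parameter


def complete_authorization(sid: str, returned_state: str, token_response: dict) -> bool:
    """Callback side: the returned state must match the stored one, and is single-use.

    On success the access token and its expiry are recorded server-side only;
    nothing from token_response is ever written to the cookie.
    """
    record = _STORE.get(sid)
    if record is None:
        return False
    expected = record.pop("oauth2_state", None)  # consumed whether or not it matches
    if expected is None or not hmac.compare_digest(expected, returned_state):
        return False
    record["access_token"] = token_response["access_token"]
    record["access_token_expires"] = float(token_response["expires_at"])
    return True


def bearer_token(sid: str, now: Optional[float] = None) -> Optional[str]:
    """Returns the token for the Authorization header only while it is unexpired."""
    record = _STORE.get(sid)
    if not record or "access_token" not in record:
        return None
    current = time.time() if now is None else now
    if current >= record["access_token_expires"]:
        # Expired: drop it so a stale secret does not linger server-side.
        del record["access_token"]
        del record["access_token_expires"]
        return None
    return record["access_token"]


def end_session(sid: str) -> None:
    """Logout: discarding the server-side record invalidates the cookie's ID."""
    _STORE.pop(sid, None)


if __name__ == "__main__":
    sid = new_session()
    state = begin_authorization(sid)
    # Constructed token response shaped like the one the question's callback receives.
    token_response = {"access_token": "constructed-token", "expires_at": time.time() + 3600}
    print("state accepted:", complete_authorization(sid, state, token_response))
    print("cookie holds only the session ID:", sid)
    print("token served from the server-side store:", bearer_token(sid))
    end_session(sid)
    print("after logout:", bearer_token(sid))
```

`complete_authorization` is where the question's callback would read the state back out of the cookie; here it compares against the server-side copy with `hmac.compare_digest` and removes it, so a replayed or mismatched callback cannot reuse it, and `bearer_token` is what `index()` would call instead of reading `session['access_token']`.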
