Securing a REST API with Facebook OAuth


Problem description


I am building an app/API that allows users to log in with Facebook, Twitter or Google. I am wondering what the best practices are for allowing those users to use the same account to log in to the API.

  1. A couple of ideas that I have had: pass the auth token/cookie in a header to the API for every request and use that to authenticate on the backend.
  2. Run my own OAuth setup and make the user authenticate once with the backend to get my OAuth token and use that from then on.

Solution

I am doing the same thing and my solution is to match the email addresses that you get from these respective APIs.

For Facebook, you need special permission from the end user to get the email address registered there. You do this by adding &scope=email to the first OAuth request.

A disadvantage is that you need to get this permission from the end user and they may decline. Another disadvantage is that users need to use the same email addresses for Google, Facebook and Twitter.

An advantage is that user records are merged automatically, so users can directly access all their data if they logged in the first time through Google, and the second time through Facebook.

Another approach would be to manually merge their data by making them log in to Google when they are already logged in through Facebook. Then you can conclude that they are the same user, even when they use different email addresses for both. But this is a more tedious approach, as you still need to merge the app's user data from both accounts.
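The two linking strategies from this answer, as an added example that is not part of the original post: a backend resolves each provider login to a local account, merging automatically only when the provider vouches for the email address, and otherwise linking while the user is already logged in through another provider. The `ProviderIdentity` fields and the in-memory `AccountStore` are assumptions standing in for the real provider responses and database.

```python
from dataclasses import dataclass, field
from typing import Dict, Optional, Set, Tuple

@dataclass(frozen=True)
class ProviderIdentity:
    """Result of an OAuth code exchange plus profile fetch (constructed shape, not a provider schema)."""
    provider: str          # "google", "facebook" or "twitter"
    provider_uid: str      # the provider's stable user id, never the email
    email: Optional[str]   # None when the user declined the email scope
    email_verified: bool   # True only when the provider vouches for the address

@dataclass
class Account:
    account_id: int
    identities: Set[Tuple[str, str]] = field(default_factory=set)

class MergeRequired(Exception):
    """Two existing accounts collide; their app data must be merged by hand."""

class AccountStore:
    def __init__(self) -> None:
        self._by_identity: Dict[Tuple[str, str], Account] = {}
        self._by_email: Dict[str, Account] = {}
        self._next_id = 1

    def login(self, ident: ProviderIdentity, current: Optional[Account] = None) -> Account:
        """Map a provider login to a local account; `current` is the account already logged in, if any."""
        key = (ident.provider, ident.provider_uid)
        email = ident.email.lower() if ident.email else None
        trusted_email = email if (email and ident.email_verified) else None
        known = self._by_identity.get(key)
        if known is not None:
            # Returning identity: never silently pick one of two distinct accounts.
            if current is not None and current is not known:
                raise MergeRequired(f"accounts {current.account_id} and {known.account_id}")
            return known
        if current is not None:
            acct = current                        # manual link while already logged in
        elif trusted_email in self._by_email:
            acct = self._by_email[trusted_email]  # automatic merge on a verified email
        else:
            acct = Account(self._next_id)         # new user; unverified/absent email never merges
            self._next_id += 1
        if trusted_email and self._by_email.get(trusted_email, acct) is not acct:
            raise MergeRequired(f"email {trusted_email} already belongs to another account")
        acct.identities.add(key)
        self._by_identity[key] = acct
        if trusted_email:
            self._by_email[trusted_email] = acct
        return acct
```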

