实施使用OAuth或其他接入 [英] Implementing access with oAuth or other
问题描述
我试图想办法来打开一个网站,其数据库与其他第三方网站,类似于Twitter的一部分,如何通过web应用连接到其数据库检索数据和可能的存储数据。
I'm trying to think of a way to open a website and part of its database to other third party websites, similar to how Twitter lets webapps connect to its database to retrieve data and possibly store data.
我最初的研究使我的OAuth(或者是它的OpenID?)。
My initial research led me to oAuth (or is it openID?).
我需要做的是让第三方网站登录到用户在网站上的帐户,但只能读取和写入属于他们的数据,并不能触及属于其他第三方网站的数据?
What I need to do is let the third party websites login to a user's account on the website, but only read and write data that belongs to them and not be able to touch data that belong to other third party websites?
我有点模糊的OAuth的细节。我是否需要建立某种形式的API或者是OAuth的我需要实现的唯一的事情?正如你所看到的,我不知道如何做那些谁更有专家将帮助这个让任何解释。
I'm a bit fuzzy of the details of oAuth. Do I need to create some sort of an API or is oAuth the only thing I need to implement? As you can see, I'm not sure on how to do this so any explanations from those who are more experts would help.
如果我实现的OAuth,将其他第三方网站能够从网站访问数据吗?
If I implement oAuth, will other third party websites be able to access data from the website?
我可以让其他第三方网站注册用户的主要网站,而无需访问主站用户?没有人认为这是一个坏主意?是/否?为什么?
Can I let other third party websites register the user to the main website without the user having to visit the main website? Does anyone think this is a bad idea? yes/no and why?
和如何OAuth的帮助我确保第三方网站不会读取与另一第三方网站/写/更改用户数据。
and how does oAuth help me make sure that a third party websites does not read/write/change user data related to another third party website.
我敢肯定,这比我想象的更容易,但我是新来的OAuth所以画面尚不清楚。
I'm sure this is easier than what I think, but I'm new to oAuth so the picture isn't clear yet.
推荐答案
首先,让我们清楚的是OAuth的和OpenID是两回事。 OpenID是用于身份验证仅。 OAuth是用于身份验证和授权。在这种情况下,授权指的是思想,一个客户端应用程序的批准即可访问和更新与验证的用户相关的数据。
First, let's be clear that OAuth and OpenID are two separate things. OpenID is intended for authentication only. OAuth is intended for authentication and authorization. In this case, authorization refers to the idea that a client application is authorized to access and update data associated with an authenticated user.
我需要做的是让第三方网站登录到用户在网站上的帐户,但只能读取和写入属于他们的数据,并不能触及属于其他第三方网站的数据?
What I need to do is let the third party websites login to a user's account on the website, but only read and write data that belongs to them and not be able to touch data that belong to other third party websites?
如果存储在每个第三方网站的数据是相互排斥的存储您的身份验证服务器上的数据,那么你可能要坚持使用OpenID。
If the data that is stored on each of the third party websites is mutually exclusive of the data stored on your authentication server, then you may want to stick with OpenID.
不过,如果你希望你的第三方网站更新关于应与所有其他第三方网站(即姓,名,街道地址,信用卡信息等)共享用户信息,然后你可能想要去与OAuth的。我知道有一个扩展的OpenID的规范,允许这样的事情(事实上,可以适应这个自己的实现),但是在一般意义上,这种东西在OAuth的所属。
If, however, you want your third party websites to update information about the user that should be shared with all the other third party websites (i.e. First name, Last name, Street address, Credit Card Information, etc.), then you may want to go with OAuth. I am aware that there is an extension to the OpenID spec that allows for this sort of thing (and indeed, you can adapt this to your own implementation), but in the general sense, this sort of stuff belongs in OAuth.
我是一个有点模糊的细节
OAuth的。我需要建立某种形式的
一个API或者是OAuth的我唯一
需要实现?
I'm a bit fuzzy of the details of oAuth. Do I need to create some sort of an API or is oAuth the only thing I need to implement?
除了请求令牌和授权使用OAuth服务器的客户端应用程序的初始细节,你就必须实现附加的方法来检索和更新有关身份验证的用户信息。例如,微博要求应用程序与特定的用户进行身份验证和授权更新用户的状态。该更新的状态的方法是他们的API的除了基座的OAuth实施的一部分。
Beyond the initial details of requesting tokens and authorizing the client application with the OAuth server, you would have to implement additional methods to retrieve and update information about the authenticated user. For example, Twitter requires your application to be authenticated with a particular user and authorized to update the user's status. That update status method is a part of their API in addition to the base OAuth implementation.
如果我实现的OAuth,将其他第三方
第三方网站可以访问数据
从网站?有谁想到
这是一个坏主意?是/否?为什么?
If I implement oAuth, will other third party websites be able to access data from the website? Does anyone think this is a bad idea? yes/no and why?
这些网站将只允许访问谁已与您的OAuth服务器进行身份验证的用户的数据和授权该网站访问他们的数据。但是,只有一个有效的主要消费者这些网站可以要求适当的令牌开始OAuth用户会话。因此,只有那些您已经授权的网站将被允许与服务器进行交互。
Those websites will only be allowed to access the data of the user who has authenticated with your OAuth server and authorized that website to access their data. However, only those websites with a valid Consumer Key can request the proper tokens to begin an OAuth session. So only those websites that you have authorized will be allowed to interact with your server.
有始终是这些令牌可以通过会话固定被劫持的机会。但是,关注的不应该从实施的OAuth服务prevent你。这并不意味着不担心。只是不要让这成为一个障碍。
There is always the chance that those tokens can be hijacked through Session Fixation. But that concern should not prevent you from implementing your OAuth service. That doesn't mean don't worry about it. Just don't let that be a roadblock.
我可以让其他第三方网站注册用户的主要网站,而用户不必访问主网站?
Can I let other third party websites register the user to the main website without the user having to visit the main website?
与当前规范通过OAuth的定义。背后的OAuth的想法是,你的用户在OAuth的服务器注册。您的第三方客户端使用该服务器作为身份验证点。这并不意味着你不能,但是,实现某种API,如果应用程序有一些高手帐户与登录(尽管这是它自己的安全风险)注册一个用户。它只是不建议使用。
Not with the current spec as defined by OAuth. The idea behind OAuth is that your users register at the OAuth server. Your third party clients use this server as an authentication point. This doesn't mean you can't, however, implement some sort of API to register a user if the application has some sort of "master" account to log in with (though this is it's own security risk). It's just not recommended.
和如何OAuth的帮助我确保第三方网站不会读取与另一第三方网站/写/更改用户数据?
and how does oAuth help me make sure that a third party websites does not read/write/change user data related to another third party website?
仅仅因为你使用OAuth并不意味着你的第三方网站无法将数据存储在自己的数据存储。无论Flickr和Twitter的报价OAuth的服务,但他们的服务器上存储既不彼此的信息(无Flickr照片能保存Twitter的数据库)。
Just because you use OAuth doesn't mean that your third party websites can't store data in their own data stores. Both Flickr and Twitter offer OAuth services, but neither store each other's information on their servers (no flickr photos get stored in Twitter's databases).
只要你不存储你的OAuth服务器上的特定于每个应用程序的信息,你应该不会有问题。记住,OAuth的服务器有没有验证用户和存储应该由所有应用程序共享的基本信息。我在这里重申,如果你想要做的是验证用户,然后坚持使用OpenID。
As long as you aren't storing the information specific to each application on your OAuth server, you shouldn't have a problem. Remember, the OAuth server is there to authenticate users and store the basic information that should be shared by ALL applications. I'll reiterate here, if all you want to do is authenticate the user, then stick with OpenID.
修改
我段的权限,当用户授权站点A,他没有将授权给他的充分考虑,而只是授予它访问他的帐户它自己的数据? OAuth的能做到这一点?
Can I segment the permissions such that when the user authorizes site A, he doesn't authorize it to his full account, but just authorizes it to access its own data on his account? Can oAuth do this?
在您的实现,就可以了。这将是检查与存取被用于访问的OAuth端点令牌相关联的消费者关键的问题。请记住,每次调用您的API的授权部分必须包括一个访问令牌。因此,它是有道理的,如果你想端点锁定到一个特定的应用程序,你会被访问令牌和消费者重点检查。
In your implementation, you can. It would be a matter of checking consumer key associated with the access token being used to access that OAuth Endpoint. Remember that each call to the authorized portion of your API must include an access token. So it makes sense that if you want to lock down that endpoint to a particular application you would check it by access token and consumer key.
这篇关于实施使用OAuth或其他接入的文章就介绍到这了,希望我们推荐的答案对大家有所帮助,也希望大家多多支持IT屋!
