How to ask user permission in private browser session?


Problem description

I noticed a very frustrating situation on Google OAuth2 where the email passed is different from the account actually connected to the system. Let me explain better: I wrote this method that asks the user for permission for my app to access the user's private Google Calendars:

using System;
using System.Threading;
using Google.Apis.Auth.OAuth2;
using Google.Apis.Calendar.v3;
using Google.Apis.Services;
using Google.Apis.Util.Store;

public static CalendarService OAuth(string userName)
{
    // Scopes requested from the user on the Google consent screen.
    string[] scopes = new string[]
    {
        CalendarService.Scope.Calendar,
        CalendarService.Scope.CalendarReadonly
    };

    try
    {
        // Opens the system browser for consent; the token obtained is cached
        // under the key "userName" in the FileDataStore folder "Stored.Token".
        UserCredential credential = GoogleWebAuthorizationBroker.AuthorizeAsync(new ClientSecrets
        {
            ClientId = "client id Google Developer Console",
            ClientSecret = "Secret key Google Developer Console"
        },
        scopes,
        userName,
        CancellationToken.None,
        new FileDataStore("Stored.Token")).Result;

        CalendarService service = new CalendarService(new BaseClientService.Initializer()
        {
            HttpClientInitializer = credential,
            ApplicationName = "Application name"
        });
        return service;
    }
    catch (Exception ex)
    {
        Console.WriteLine(ex.InnerException);
        return null;
    }
}

Now someone may already have understood the situation, but I want to explain why this procedure is bad for me. Suppose that I want to create an application whose first screen allows the user to insert a personal email; this email should be used by the method OAuth as the parameter userName to ask for user permission in the Google browser window.

Until here, no problem: the user has entered the email and the application opens the Google Chrome browser to ask him for permission to access the private calendars. But what happens if the Google account actually connected in the Chrome browser is different from the email passed?

What happens if the user that uses the application grants the access with a different account connected and doesn't notice this?

The application will use a different account to upload the data and the user may think that the data is still being uploaded to the personal calendar. Has someone worked around this situation, maybe opening Chrome in a private browser after the UserCredential code block, and if yes, in this case will the token be stored in the specified folder: AppData\Roaming\Stored.Token?

Practical example:

1. User types private email in my app: foo@gmail.com

2. App launches Chrome session and asks user permission; account actually connected: bar@gmail.com

3. User doesn't notice this situation and grants my app access to bar@gmail.com

4. My app will use bar@gmail.com to upload events, but the user thinks that the app is still using foo@gmail.com

5. Confusion.

Recommended answer

Usage of a different account can be prevented by performing the OAuth flow and updating the private browser session with the granted token and scopes.

Reading through the Basics of Authentication, we have:

1. Registering your app

Every registered OAuth application is assigned a unique Client ID and Client Secret which should never be shared. When you register your application, you can fill out every piece of information except the Authorization callback URL, also considered the most important piece of setting up your application. It's the callback URL to which a user will be redirected after successful authentication.

2. Accepting user authorization

Your client ID and client secret keys come from your application's configuration page; they are recommended to be stored as environment variables, as shown in the sample code.

<html>
  <head>
  </head>
  <body>
    <p>
      Well, hello there!
    </p>
    <p>
      We're going to now talk to the GitHub API. Ready?
      <a href="https://github.com/login/oauth/authorize?scope=user:email&client_id=<%= client_id %>">Click here</a> to begin!
    </p>
    <p>
      If that link doesn't work, remember to provide your own <a href="/v3/oauth/#web-application-flow">Client ID</a>!
    </p>
  </body>
</html>

Notice that the URL uses the scope query parameter to define the scopes requested by the application. For the sample code, we requested the user:email scope for reading email addresses. After you click on the link you should be taken to the Authorization page, and then you will be redirected to the route specified in the Callback URL. You will be provided with a temporary code value to be added in a POST HTTP request in exchange for an access_token; then you'll be able to make authenticated requests as the logged-in user.

require 'json'
require 'rest-client'

# access_token and has_user_email_scope come from the session filled in by the
# authenticate step; erb renders the basic.erb view (Sinatra).

# fetch user information
auth_result = JSON.parse(RestClient.get('https://api.github.com/user',
                                        {:params => {:access_token => access_token}}))

# if the user authorized it, fetch private emails
if has_user_email_scope
  auth_result['private_emails'] =
    JSON.parse(RestClient.get('https://api.github.com/user/emails',
                              {:params => {:access_token => access_token}}))
end

erb :basic, :locals => auth_result

Finally,

3. Implementing persistent authentication

As suggested:

Since we're persisting scopes within the session, we'll need to handle cases when the user updates the scopes after we checked them, or revokes the token. To do that, we'll use a rescue block and check that the first API call succeeded, which verifies that the token is still valid. After that, we'll check the X-OAuth-Scopes response header to verify that the user hasn't revoked the user:email scope.

Implementing the code shown on GitHub's developer site, we now have the authenticated method which checks if the user is already authenticated. If not, the authenticate method is called, which performs the OAuth flow and updates the session with the granted token and scopes.
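As an added example (not part of the original answer and not GitHub's own code), the check the answer describes, run on a constructed response instead of a live call: the first API call sits inside a rescue, the X-OAuth-Scopes header is tested for user:email, and the login returned by /user is compared with the account the user typed on the first screen, which is the mismatch the question worries about. Response, TokenInvalid, verify_session and fetch_user are assumed names.

```ruby
require 'json'

# Scope that the answer's sample code depends on.
REQUIRED_SCOPE = 'user:email'.freeze

# Stand-in for a RestClient response, constructed for this example.
Response = Struct.new(:code, :headers, :body)

# Raised by the request callable when the API rejects the token
# (RestClient likewise raises on non-2xx status codes).
class TokenInvalid < StandardError; end

# Parse the X-OAuth-Scopes header ("user:email, repo") into scope names.
# RestClient exposes headers as symbols such as :x_oauth_scopes, so both
# spellings are accepted.
def granted_scopes(headers)
  pair = headers.find { |k, _| k.to_s.tr('_', '-').casecmp('x-oauth-scopes').zero? }
  return [] unless pair
  pair[1].to_s.split(',').map(&:strip).reject(&:empty?)
end

# expected_login: the account the user typed on the first screen.
# fetch_user:     callable performing GET /user with the session token.
# Returns :ok, :scope_revoked, :account_mismatch or :reauthenticate.
def verify_session(expected_login, fetch_user)
  resp = fetch_user.call
  return :scope_revoked unless granted_scopes(resp.headers).include?(REQUIRED_SCOPE)
  login = JSON.parse(resp.body)['login'].to_s
  return :account_mismatch unless login.casecmp(expected_login.to_s).zero?
  :ok
rescue TokenInvalid, JSON::ParserError
  # Token rejected or unusable: drop the session and run the OAuth flow again.
  :reauthenticate
end

if $PROGRAM_NAME == __FILE__
  # Constructed sample: the user typed "foo" but granted access as "bar".
  granted_as_bar = Response.new(200, { 'X-OAuth-Scopes' => 'user:email' },
                                '{"login":"bar"}')
  puts verify_session('foo', -> { granted_as_bar })  # account_mismatch
end
```

On :account_mismatch the session should be cleared and the consent page shown again rather than silently continuing with the other account.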
