如何安全地通过第三方API维护用户的身份验证？ [英] How to securely maintain user authentication through a third party API?

问题描述

我建立一个web应用程序，允许用户创建，编辑和保存文档。用户帐户数据库被单独控制，我已经提供了一个SOAP API会告诉我一个给定的用户名/密码是否有效。

I'm building a webapp that allows users to create, edit, and save documents. The database of user accounts is controlled separately and I've been provided a SOAP API that will tell me whether a given username/password is valid.

假设用户名/密码是正确的，该API会给我回以下信息：结果
•电子邮件地址结果
•用户名搜索
•login_number（该帐户唯一ID，似乎是一个自动增量INT）

Assuming the username/password are valid, the API will give me back the following info:
• email address
• username
• login_number (unique id for the account, appears to be an auto-increment int)

我将在我自己的数据库，所以我可能会使用login_number数据关联到个人用户存储我的应用程序数据。

I'll be storing data for my app in my own database so I'll probably be using the login_number to tie data to individual users.

我的问题是我应该怎么保持用户的轨迹一旦用户成功登录，存放login_number作为cookie会工作，但好像它会是可怕的不安全给我。我想沿着一个cookie存储某种随机哈希的一个查找表存储散列和相关login_number的线条东西，但我真的不知道这是不够的。

My question is how I should keep track of a user once that user has successfully logged in. Storing the login_number as a cookie would work but seems like it'd be horribly insecure to me. I'm thinking something along the lines of a cookie storing some sort of random hash with a lookup table storing that hash and the associated login_number but I'm not really sure that's sufficient.

用PHP / MySQL的标签因为这是后端我打算与工作，但不知道它真正重要的这个问题。

Tagged with PHP/MySQL as that's the back end I'm planning on working with, but not sure it really matters for this question.

推荐答案

这是任何开放认证非常常见的情况下采取的Facebook的OAuth 2.0例子。一旦用户同意你的条件，Facebook提供他的用户ID，电子邮件，也是一个方法来检查，在任何时候，当你想，用户是否登录，或没有。

This is very common case with any open authentication take Facebook oAuth 2.0 for example. Once user agrees on your terms, Facebook provides his userid, email and also a way to check, at any time when you want, whether the user is still logged-in or not.

因此​​，有几种方法：

So, there are a couple of ways:

1. 依靠供应商：如果基于用户ID的SOAP API提供了用户是否登录与否的信息。执行需要身份验证的任何任务之前，您可能只使用这个调用。
   
   


2. 在构建SOAP API 的顶部自己的身份验证：这是你计划做的，我猜。该方法是使用一个加密/散列和难以重新创建令牌。
   的想法是这样的
   
   （一）只要在用户登录创建一个独特的标记，保存此令牌用户的会话或一些永久存储。可能是内存缓存或者与用户id的地方进行映射。基本上，无论你可能取回该令牌，你知道哪个用户正在与它相关联。
   
   （二）存储此令牌，如饼干。
   
   （c）当你想验证，使用令牌从cookie来匹配保存在用户的会话令牌（或拔出用户id相匹配的令牌，并匹配当前的用户id与用户id使用验证令牌拉）。
   
   （D ）在注销删除的cookie。
   
   现在，还有的人在这中间这种方法连接。
   
   一种方法，而且它的价格昂贵，就是在每个请求结束更改令牌。这并没有消除中间人攻击，攻击，但机会得到相当渺茫。

1. Rely on the provider: If based on User-Id the SOAP API provides the information whether the user is logged in or not. You may just use this call before performing any task that require authentication.
   
   
2. Build your own Authentication on top of SOAP API: This is what you are planning to do, I guess. The approach is to use a encrypted/hashed and hard-to-recreate token.
   The idea goes like this
   
   (a)As soon as user logs in create a unique token, save this token in user's session or some permanent store. May be in memcache or somewhere mapped with the userId. Basically, wherever you may retrieve this token, you know which user is associated with it.
   
   (b) Store this token as cookie.
   
   (c) Whenever you want to authenticate, use the token from cookie to match against the token saved in the user's session (or pull out the userId matching the token and match the current userId with userId pulled using token for validation).
   
   (d) delete cookie on logout.
   
   Now, there are good chance of man-in-the middle attach with this approach.
   
   One approach, and it's expensive, is that to change token at the end of each request. This does not eliminate MITM attack, but chances of attack gets fairly slim.

希望这有助于。

现时标志现时的想法很简单，很扎实。但我不确定这将适用于你的情况。它基本上是为了保护SOAP调用。 AWS使用类似的事情。

Nonce The idea of nonce is simple and very solid. But I am unsure it will be applicable to your case. It's basically to protect SOAP calls. AWS uses similar thing.

1. 与 SecretKey的提供客户端。


2. 每当cient发出请求时，他必须通过当前时间戳的哈希值与 SecretKey的（说它标记），并已用于创建标记。


3. 服务器验证<$​​ C $ C>标记通过比较标记与服务器使用时间戳头过去了，创建哈希SecretKey的其他存储位置的服务器端，可能是数据库密码或SecretKey的。


4. 如果令牌匹配，允许用户访问其他没有。


5. 还有一件事，该服务器还可以夺取律师资格的访问，如果时间戳是从服务器的当前时间戳太大了。

1. Provide client with secretKey.
2. Whenever cient makes a request, he has to pass a hash of current time-stamp with secretKey (say it token) and the timestamp that it has used to create the token.
3. Server validates the token by comparing token with the hash that the server creates using timestamp passed in header and the secretKey stored else where on server-side, may be in database as password or secretKey.
4. If the tokens match, user is allowed access else not.
5. One more thing, the server may also disbar the access if timestamp is too off from server's current timestamp.

这个方法是从MITM攻击有效的免费的，但不知道这是否是最适合的方法适合你。

This approach is effectively free from MITM attack, but not sure if this is best suited approach for you.

客户端服务器的对话是这样的

The client server dialogue looks like this

client ----request timestamp                           --------> server 
       <---current timestamp                           -----------'
--- {ts: timestamp, token: Hash256(timestamp, secretKey)} --> isEqual(token, hash256(ts, secretKey))
                                                              |   |
                                        Access Denied<- false/   true --> ACCESS

@kramthegram感谢提醒杜撰

@kramthegram thanks for reminding Nonce

这篇关于如何安全地通过第三方API维护用户的身份验证？的文章就介绍到这了，希望我们推荐的答案对大家有所帮助，也希望大家多多支持IT屋！