google OAuth 2.0 <SecureCookieSession {}> despite being logged in


Problem description


This SO post mentioned that the best way to secure a website from API calls is to check whether the user is logged in/authenticated before accepting any API calls. In my case, I am using google OAuth 2.0 to log in and access the user's calendar.

After countless hours of checking how to log out a user with google OAuth 2.0, I realized that if I were to log a user out of my app, the user would be logged out of google too (really bad UX), hence not so common.

Therefore, how can I still apply the website advice w/o having a log out system? Every other security protocol I tried was either not possible or not secure enough.

How can I check if the user is authenticated from google OAuth 2.0 and, if so, accept POST requests?

As:

if 'credentials' not in flask.session:

resulted in:

<SecureCookieSession {}>

despite the user being logged in

despite the session cookies being passed:

Solution

Here is what I do.

  1. Authenticate on UI using google oauth2 flow. Get code from google.
  2. Send code to backend. Backend makes a separate api call to google using the above code to get access_token. (also means the user is legit) more on this here

Basically, the above flow executed correctly means the user is who they say they are. i.e. the user has been authenticated.

  1. Since user is authenticated, create a cookie on your own. Send the cookie to the UI as well as store it in the backend database.

  2. This is the cookie that the UI should look for while trying to authenticate a user. If the cookie is present, the user is authenticated, else the user is unauthenticated -> redirect the user to the login page.

  3. Every api call should check for this cookie and validate by checking whether the cookie is present in the database.

  4. When user wants to logout, delete this cookie on the UI and delete from backend database too. User remains logged in to his google service, but logged out of your service.

n.b. other things to keep in mind are

  • session cookies should expire after a short while, 15 mins / 1 hour / 24 hours depending on business needs.
  • cookies should be HttpOnly, Secure
  • the above flow should take place strictly through HTTPS.
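The cookie flow in this answer (steps 1-4 plus the n.b. list), as an added example that is not the answerer's code: a standard-library Python session store that mints an opaque token after the Google code exchange, keeps only its hash server-side, expires and revokes it, and builds the Set-Cookie value with the HttpOnly and Secure attributes. The Google code-for-token exchange is assumed to have already succeeded; SessionStore, set_cookie_header and google_subject are hypothetical names.

```python
import hashlib
import secrets
import time

SESSION_TTL_SECONDS = 15 * 60  # the answer's "15 mins" option


class SessionStore:
    """Hashed session token -> (user id, expiry). Stands in for the backend
    database table the answer describes (assumed structure)."""

    def __init__(self, ttl=SESSION_TTL_SECONDS, clock=time.time):
        self._ttl, self._clock, self._rows = ttl, clock, {}

    @staticmethod
    def _hash(token):
        # Store only a hash so a leaked database does not leak live cookies.
        return hashlib.sha256(token.encode()).hexdigest()

    def create(self, google_subject):
        """Step 1: after the backend exchanged the code for an access token,
        mint an opaque token to send to the UI in a cookie."""
        token = secrets.token_urlsafe(32)  # 256 random bits, unguessable
        self._rows[self._hash(token)] = (google_subject, self._clock() + self._ttl)
        return token

    def validate(self, token):
        """Steps 2-3: returns the user id, or None when the cookie is missing,
        unknown, revoked or expired. Every API call runs this check."""
        if not token:
            return None
        row = self._rows.get(self._hash(token))
        if row is None:
            return None
        user, expires_at = row
        if self._clock() >= expires_at:
            del self._rows[self._hash(token)]  # lazy cleanup of stale rows
            return None
        return user

    def revoke(self, token):
        """Step 4 (logout): forget the token so a replayed cookie is rejected."""
        self._rows.pop(self._hash(token), None)


def set_cookie_header(token, name="app_session", max_age=SESSION_TTL_SECONDS):
    """Set-Cookie value with the n.b. attributes: HttpOnly (no script access),
    Secure (HTTPS only), plus SameSite and a short Max-Age."""
    return f"{name}={token}; Max-Age={max_age}; Path=/; HttpOnly; Secure; SameSite=Lax"
```

Because the database holds only hashes, a logout or expiry on the server invalidates the cookie even if the browser keeps sending it, which is what makes the app's login state independent of the user's Google session.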
