OAuth2 variable redirect_uri


Question

We're writing a plugin that integrates with an OAuth2 api.

The tricky part is that we can't hard code the redirect URI like in most integrations, because clients could install this plugin on any domain they control (think Wordpress plugin), and the access token needs to redirect back to their custom url.

We saw you can set a state parameter also in OAuth2. So we could hard code the redirect URI as http://oursite.com/callback and set a state of https://[CUSTOM_URL].

Then http://oursite.com/callback would do an additional redirect to the custom URL, passing along the access tokens.

However, this seems like a security vulnerability, because once a user had authenticated the app, someone else could come along and cause it to reauthenticate with their own url in the state param. Then it would happily redirect to their bad url and pass them the access token.

So how do people set up OAuth2 integrations where the redirect_uri can vary? Thanks!

P.S. One solution we thought of was to only allow the state param to be used if the redirect uri was a url that we control. Then we can create another verification page which prompts the user again: "Do you want to allow https://customurl.com to access your account...". But we thought there might be a better way.

Accepted answer

To me, you are in the right direction and IMHO that's the only approach to pass the information with the state. To not have security concerns I would suggest you not pass the URL in the state, but pass the keyword. And then have a mapping in your app which handles the http://oursite.com/callback URL, and only when the keyword exists in your mapping can you redirect to the corresponding URL from that mapping.
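The following is an added example, not code from the question, the answer or any OAuth2 library, of the callback-side logic the answer describes: the `state` value carries an opaque keyword, and the handler only ever redirects to the URL registered under that keyword in a server-side mapping. The "before" function shows the original idea (the URL itself in `state`), so the two behaviours can be compared on the same attacker-chosen input. The keyword set, the registered URLs, the authorization code and the in-memory state store are all constructed for the example; binding each issued state to a random single-use nonce goes one step beyond the answer's plain keyword and is marked as such.

```python
import secrets
from urllib.parse import parse_qsl, urlencode, urlsplit, urlunsplit

# Constructed allowlist: the "mapping" from the answer. Keys are the keywords
# that may appear in `state`; values are the callback URLs each installation
# registered out of band (for example when the plugin was activated).
REGISTERED_CALLBACKS = {
    "acme": "https://acme.example/oauth/done",
    "globex": "https://globex.example/wp-admin/plugin-callback",
}

# Constructed in-memory store of states handed out but not yet consumed.
# A real deployment would keep this in a database or cache with a short TTL.
_pending_states = {}


def resolve_redirect_unsafe(state):
    """'Before': the target URL travels inside `state`, so the callback follows
    whatever the incoming request contains, including a URL chosen by someone
    other than the installation owner."""
    return state


def issue_state(keyword, mapping=REGISTERED_CALLBACKS):
    """Build the `state` value to send to the authorization server.

    Only a keyword present in the mapping may be used. A random nonce is
    attached and remembered so the value cannot be guessed or replayed
    (an addition beyond the answer's bare keyword). Returns the state string.
    """
    if keyword not in mapping:
        raise ValueError("unknown installation keyword")
    nonce = secrets.token_urlsafe(16)
    state = f"{keyword}.{nonce}"
    _pending_states[state] = keyword
    return state


def resolve_redirect(state, mapping=REGISTERED_CALLBACKS):
    """'After': map an incoming `state` back to the registered callback URL.

    Returns the URL, or None when the state was never issued by us or was
    already used. The redirect target always comes from the mapping, never
    from the request.
    """
    keyword = _pending_states.pop(state, None)
    if keyword is None:
        return None
    return mapping.get(keyword)


def build_callback_redirect(state, code, mapping=REGISTERED_CALLBACKS):
    """Compose the Location header http://oursite.com/callback would send.

    The authorization `code` is appended as a query parameter on the mapped
    URL, preserving any query string the installation registered. Returns
    None when the state is not recognised, so the handler can answer 400
    instead of redirecting anywhere.
    """
    target = resolve_redirect(state, mapping)
    if target is None:
        return None
    parts = urlsplit(target)
    query = dict(parse_qsl(parts.query))
    query["code"] = code
    return urlunsplit((parts.scheme, parts.netloc, parts.path,
                       urlencode(query), parts.fragment))


if __name__ == "__main__":
    foreign_url = "https://not-registered.example/callback"  # constructed
    print("unsafe:", resolve_redirect_unsafe(foreign_url))  # follows the URL
    print("safe:  ", resolve_redirect(foreign_url))         # None
    issued = issue_state("acme")
    print("mapped:", build_callback_redirect(issued, "AUTHCODE123"))
    print("replay:", build_callback_redirect(issued, "AUTHCODE123"))  # None
```

The handler for http://oursite.com/callback would call `build_callback_redirect(request.args["state"], request.args["code"])` and return a 400 when it gets None. Because the state is consumed on first use and was only ever issued for keywords in the mapping, a re-authentication triggered with a foreign value in `state` cannot steer the second redirect; adding a new installation means adding a row to the mapping, not trusting anything from the query string.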

