oAuth implementation: Does the current domain matter?

Question

I'm a front end developer helping a UX team develop the interface of a browser plugin.

The plugin is HTML/CSS/JS based and requires authentication. At the moment we have standard u/p fields in the wires, but the client is wondering if social sign-in is possible.

Since the plugin's interface is injected into each page that the user visits, it means that authentication requests can come from anywhere on the web.

I've read the basics of the oAuth spec, but I can't find an answer to this — it seems odd that oAuth would not require the requests come from a consistent location, but I don't really know what I'm talking about.

Is making oAuth requests from any random domain feasible?

Answer

"requests come from a consistent location"

A guy who can come up with tokens that are consistent with X's consumer key is assumed to be X. There is one place to demand the consumer's (your service) URL:

oauth_callback: An absolute URL to which the Service Provider will redirect the User back when the Obtaining User Authorization step is completed. If the Consumer is unable to receive callbacks or a callback URL has been established via other means, the parameter value MUST be set to oob (case sensitive), to indicate an out-of-band configuration.

But the redirection happens at the client's end. This URL can be set for each request. You don't even require a browser request: see the 'out of band' (OOB) stuff.

The workflow is called two-legged OAuth.

Twitter oAuth callbackUrl - localhost development

And that trouble is just for authentication. Once you have an access token for a user, you can act on his behalf from any device: a smartphone, a node in your cluster, your dev workstation etc.
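As an added illustration of the two points the answer makes (the consumer proves its identity with a signature over its consumer key, and oauth_callback travels inside that signed request, so it can be set per request or be "oob"), here is a small OAuth 1.0a request-token exchange written from both sides. This is example code, not from the answerer or from any OAuth library; the host names plugin.example and provider.example, the consumer key and secret, the registered-callback list and the https-only rule in callback_allowed are all constructed for the example. The client side builds and signs the request per RFC 5849 (HMAC-SHA1); the service-provider side recomputes the signature and checks the requested callback against what was registered for that consumer, which is the control that stops a forged request from redirecting the user somewhere else.

```python
"""OAuth 1.0a request-token call with oauth_callback, and the provider-side checks.

Added example for the Q&A above; not the original poster's or answerer's code.
Host names, keys and the registered callback list are constructed, not real.
"""
import base64
import hashlib
import hmac
import secrets
import time
from urllib.parse import quote, urlsplit


def pct(value) -> str:
    """Percent-encode per RFC 3986 / RFC 5849 3.6: only A-Z a-z 0-9 - . _ ~ stay bare."""
    return quote(str(value), safe="")  # quote() never encodes - . _ ~


def base_url(url: str) -> str:
    """Scheme://host[:port]/path with default ports dropped and no query (RFC 5849 3.4.1.2)."""
    p = urlsplit(url)
    host = (p.hostname or "").lower()
    default = {"http": 80, "https": 443}.get(p.scheme.lower())
    if p.port and p.port != default:
        host = f"{host}:{p.port}"
    return f"{p.scheme.lower()}://{host}{p.path}"


def signature_base_string(method: str, url: str, params) -> str:
    """params: list of (name, value) pairs, excluding oauth_signature (RFC 5849 3.4.1)."""
    encoded = sorted((pct(k), pct(v)) for k, v in params)  # sort by name, then value
    normalized = "&".join(f"{k}={v}" for k, v in encoded)
    return "&".join([method.upper(), pct(base_url(url)), pct(normalized)])


def hmac_sha1_signature(base_string: str, consumer_secret: str, token_secret: str = "") -> str:
    """Key is encoded consumer secret '&' encoded token secret; empty token secret for request-token."""
    key = f"{pct(consumer_secret)}&{pct(token_secret)}".encode()
    digest = hmac.new(key, base_string.encode(), hashlib.sha1).digest()
    return base64.b64encode(digest).decode()


# --- consumer (the browser plugin's backend) side ---
def build_request_token_params(consumer_key, consumer_secret, url, callback, *, nonce=None, timestamp=None):
    """Return the oauth_* parameters for POST <url>, including the signature.

    callback is either an absolute URL or the literal "oob" (out-of-band), per the spec text quoted above.
    """
    params = [
        ("oauth_callback", callback),
        ("oauth_consumer_key", consumer_key),
        ("oauth_nonce", nonce or secrets.token_hex(8)),
        ("oauth_signature_method", "HMAC-SHA1"),
        ("oauth_timestamp", str(timestamp or int(time.time()))),
        ("oauth_version", "1.0"),
    ]
    sig = hmac_sha1_signature(signature_base_string("POST", url, params), consumer_secret)
    return params + [("oauth_signature", sig)]


def authorization_header(params) -> str:
    """Render the parameters as an Authorization: OAuth header (RFC 5849 3.5.1)."""
    return "OAuth " + ", ".join(f'{pct(k)}="{pct(v)}"' for k, v in params)


# --- service-provider side ---
def verify_signature(method, url, params, consumer_secret, token_secret="") -> bool:
    """Recompute the signature over everything except oauth_signature and compare in constant time."""
    received = dict(params).get("oauth_signature")
    unsigned = [(k, v) for k, v in params if k != "oauth_signature"]
    expected = hmac_sha1_signature(signature_base_string(method, url, unsigned), consumer_secret, token_secret)
    return received is not None and hmac.compare_digest(received, expected)


def callback_allowed(requested: str, registered) -> bool:
    """Accept "oob" or an exact match against the callbacks registered for this consumer.

    Exact matching (no prefix or substring rules) and https-only are policy choices made for this
    example; the point is that the provider, not the request, decides where the user may be sent.
    """
    if requested == "oob":
        return True
    r = urlsplit(requested)
    if r.scheme != "https" or r.fragment or r.username is not None:
        return False
    return requested in set(registered)


if __name__ == "__main__":
    URL = "https://provider.example/oauth/request_token"  # constructed endpoint
    signed = build_request_token_params("plugin-key", "plugin-secret", URL, "https://plugin.example/cb")
    print(authorization_header(signed))
    print("signature ok:", verify_signature("POST", URL, signed, "plugin-secret"))
    print("callback ok:", callback_allowed("https://plugin.example/cb", ["https://plugin.example/cb"]))
```

Because oauth_callback is part of the signed parameter set, a provider that recomputes the signature detects any change to it in transit, and the registered-callback check covers the case the answer raises: the request may legitimately originate from any domain, but the place the user is redirected back to is still constrained by the provider.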
