Using OAuth in Wordpress Plugin


Question

From everywhere I've read, I'm left with the impression that it is a bad idea to store consumer secret keys in open source code. So, I've set up an external proxy on another webserver to handle the request and access tokens.

So, once I receive the access token and secret from the provider, should I be saving those tokens on the external webserver, and poll the webserver with every request? Or, should I return these tokens to the user's Wordpress installation, where the plugin saves them to the user's database?

Thanks!

Answer

Save them to the user's wordpress installation. You will need to have some sort of identifier anyway on your proxy/relay endpoint to identify a plugin with an access token you have saved on your end.

If the access token should leak from the user's wordpress, it is still not usable without the consumer key that you are keeping safe on your end anyway. There is however the risk of a leaked access token being used to make authenticated requests via your relay endpoint. But you would have the same situation with another identifying mechanism.

If you really want to play it safe you could implement a simple cryptographic layer between the wordpress installation and your relay service. Say for example a SHA1 hash of the access token parameters, the URL, a timestamp, and yet another installation specific secret as salt. That would at least hinder a lost access token from being directly usable with your relay endpoint. Then the only attack vector that I can see is that the wordpress DB itself is compromised.
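The signing layer the answer sketches, as an added example that is not part of the original question or answer: both sides of the plugin-to-relay exchange modelled in Python (a WordPress plugin would do the same with PHP's hash_hmac() and hash_equals()). It swaps the answer's bare SHA1 over token, URL, timestamp and salt for HMAC-SHA256 keyed with the installation-specific secret, because hash(secret || message) constructions are open to length extension and a keyed MAC checked in constant time is the standard replacement, and it adds a nonce so a captured request cannot be replayed inside the timestamp window. The install ID, relay URLs, secrets and token values are constructed sample data, not real identifiers.

```python
import hashlib
import hmac
import json
import secrets
import time

MAX_SKEW_SECONDS = 300  # relay rejects timestamps further than this from its clock

# Hypothetical plugin-side storage (constructed samples): what the WordPress plugin
# keeps in its own DB. install_secret is issued by the relay at setup, delivered out
# of band, and is per-installation, so it never appears in the plugin's source.
PLUGIN_STORE = {
    "install_id": "install-7f3a",
    "install_secret": secrets.token_hex(32),
    "access_token": "example-access-token",
    "token_secret": "example-token-secret",
}

# Hypothetical relay-side registry. The provider's consumer key/secret stays in the
# relay's own config and never appears here or on the WordPress side.
RELAY_REGISTRY = {PLUGIN_STORE["install_id"]: PLUGIN_STORE["install_secret"]}
SEEN_NONCES = set()  # replay cache; a real relay expires entries after MAX_SKEW_SECONDS


def canonical_string(install_id, method, url, timestamp, nonce, body):
    """Exact string both sides MAC; changing any field invalidates the signature."""
    return "\n".join([install_id, method.upper(), url, str(timestamp), nonce,
                      json.dumps(body, sort_keys=True, separators=(",", ":"))])


def compute_signature(install_secret, canonical):
    return hmac.new(install_secret.encode(), canonical.encode(), hashlib.sha256).hexdigest()


def sign_request(method, url, params, store=PLUGIN_STORE, now=None, nonce=None):
    """Plugin side: wrap the provider call, tokens included, in a signed envelope."""
    timestamp = int(time.time() if now is None else now)
    nonce = nonce or secrets.token_hex(16)
    body = {"access_token": store["access_token"],
            "token_secret": store["token_secret"], **params}
    request = {"install_id": store["install_id"], "method": method.upper(), "url": url,
               "timestamp": timestamp, "nonce": nonce, "body": body}
    request["signature"] = compute_signature(
        store["install_secret"],
        canonical_string(store["install_id"], method, url, timestamp, nonce, body))
    return request


def relay_verify(request, registry=RELAY_REGISTRY, seen=SEEN_NONCES, now=None):
    """Relay side: (accepted, reason). Only after this passes does the relay sign the
    upstream provider call with its consumer secret and the supplied tokens."""
    now = time.time() if now is None else now
    install_secret = registry.get(request.get("install_id"))
    if install_secret is None:
        return False, "unknown installation"
    if abs(now - int(request["timestamp"])) > MAX_SKEW_SECONDS:
        return False, "timestamp outside window"
    if request["nonce"] in seen:
        return False, "replayed nonce"
    expected = compute_signature(install_secret, canonical_string(
        request["install_id"], request["method"], request["url"],
        request["timestamp"], request["nonce"], request["body"]))
    # Constant-time compare: plain == leaks timing about the first mismatching byte.
    if not hmac.compare_digest(expected, request.get("signature", "")):
        return False, "bad signature"
    seen.add(request["nonce"])
    return True, "ok"


def demo(now=1_700_000_000):
    """Genuine flow plus the misuse cases a leaked token or captured request enables."""
    url, params, results = "https://relay.example/api/v1/me", {"fields": "id,name"}, {}
    genuine = sign_request("GET", url, params, now=now)
    results["genuine"] = relay_verify(genuine, now=now)[0]
    results["replay"] = relay_verify(genuine, now=now)[0]  # same envelope resent
    # Attacker has the tokens from the WordPress DB but not install_secret.
    forged = sign_request("GET", url, params, now=now,
                          store={**PLUGIN_STORE, "install_secret": "attacker-guess"})
    results["forged"] = relay_verify(forged, now=now)[0]
    tampered = sign_request("GET", url, params, now=now)
    tampered["url"] = "https://relay.example/api/v1/admin"  # edited after signing
    results["tampered"] = relay_verify(tampered, now=now)[0]
    stale = sign_request("GET", url, params, now=now - 3600)  # signed an hour ago
    results["stale"] = relay_verify(stale, now=now)[0]
    return results
```

With this in place, the tokens sitting in the WordPress database are useless against the relay on their own, which is the property the answer is after; what remains is exactly the residual the answer names, a compromise of the WordPress install itself, since that also yields the installation secret. Keep the nonce cache keyed per installation and bounded by the skew window so it cannot grow without limit.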
