How does OAuth 2 protect against things like replay attacks using the Security Token?


Question

As I understand it, the following chain of events occurs in OAuth 2 in order for Site-A to access User's information from Site-B.

  1. Site-A registers on Site-B, and obtains a Secret and an ID.
  2. When User tells Site-A to access Site-B, User is sent to Site-B where they tell Site-B that they would indeed like to give Site-A permissions to specific information.
  3. Site-B redirects User back to Site-A, along with an Authorization Code.
  4. Site-A then passes that Authorization Code along with its Secret back to Site-B in return for a Security Token.
  5. Site-A then makes requests to Site-B on behalf of User by bundling the Security Token along with requests.

How does all of this work in terms of security and encryption, on a high level? How does OAuth 2 protect against things like replay attacks using the Security Token?

Accepted answer

Based on what I've read, this is how it all works:

The general flow outlined in the question is correct. In step 2, User X is authenticated, and is also authorizing Site A's access to User X's information on Site B. In step 4, the site passes its Secret back to Site B, authenticating itself, as well as the Authorization Code, indicating what it's asking for (User X's access token).

Overall, OAuth 2 actually is a very simple security model, and encryption never comes directly into play. Instead, both the Secret and the Security Token are essentially passwords, and the whole thing is secured only by the security of the https connection.

OAuth 2 has no protection against replay attacks of the Security Token or the Secret. Instead, it relies entirely on Site B being responsible with these items and not letting them get out, and on them being sent over https while in transit (https will protect URL parameters).

The purpose of the Authorization Code step is simply convenience, and the Authorization Code is not especially sensitive on its own. It provides a common identifier for User X's access token for Site A when asking Site B for User X's access token. Just User X's user id on Site B would not have worked, because there could be many outstanding access tokens waiting to be handed out to different sites at the same time.
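The five steps from the question and the answer's point about bearer tokens, as an added in-memory simulation that is not part of the original post. `SiteB`, `run_flow` and the user profile data are constructed for illustration; the code exchange checks the client Secret and consumes the authorization code on first use (RFC 6749 requires codes to be single-use), while the access token itself, once issued, is accepted from anyone who presents it.

```python
import hmac
import secrets


class SiteB:
    """Constructed model of Site-B acting as authorization and resource server."""

    def __init__(self):
        self.clients = {}   # client_id -> client_secret        (step 1)
        self.codes = {}     # auth code -> (client_id, user)    (steps 2-3)
        self.tokens = {}    # access token -> (client_id, user) (step 4)
        self.profiles = {"user_x": {"email": "x@example.test"}}  # constructed sample data

    def register_client(self, name):
        client_id, client_secret = f"{name}-id", secrets.token_urlsafe(32)
        self.clients[client_id] = client_secret
        return client_id, client_secret

    def authorize(self, client_id, user):
        # User has authenticated and consented; hand back a random, single-use code.
        code = secrets.token_urlsafe(16)
        self.codes[code] = (client_id, user)
        return code

    def exchange_code(self, client_id, client_secret, code):
        # Step 4: the client authenticates with its Secret, then presents the code.
        expected = self.clients.get(client_id)
        if expected is None or not hmac.compare_digest(expected, client_secret):
            return None
        entry = self.codes.pop(code, None)  # pop: a second exchange of the same code fails
        if entry is None or entry[0] != client_id:
            return None
        token = secrets.token_urlsafe(32)
        self.tokens[token] = entry
        return token

    def resource(self, token):
        # Step 5: a bearer token is the only proof; whoever holds it is served.
        entry = self.tokens.get(token)
        return None if entry is None else self.profiles[entry[1]]


def run_flow():
    site_b = SiteB()
    cid, csecret = site_b.register_client("site-a")            # step 1
    code = site_b.authorize(cid, "user_x")                       # steps 2-3
    wrong_secret = site_b.exchange_code(cid, "guess", code)      # wrong Secret: rejected
    token = site_b.exchange_code(cid, csecret, code)             # step 4
    replayed_code = site_b.exchange_code(cid, csecret, code)     # same code again: rejected
    profile = site_b.resource(token)                             # step 5
    token_reused = site_b.resource(token)                        # token is replayable by design
    return {"wrong_secret": wrong_secret, "replayed_code": replayed_code,
            "profile": profile, "token_reused": token_reused}
```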
