Authenticating users in iPhone app

Question

I'm developing an HTTP api for our web application. Initially, the primary consumer of the API will be an iPhone app we're developing, but I'm designing this with future uses in mind (such as mobile apps for other platforms). I'm trying to decide on the best way to authenticate users so they can access their accounts from the iPhone. I've got a design that I think works well, but I'm no security expert, so I figured it would be good to ask for feedback here.

The design of the user authentication has 3 primary goals:

  1. Good user experience: We want to allow users to enter their credentials once, and remain logged in indefinitely, until they explicitly log out. I would have considered OAuth if not for the fact that the experience from an iPhone app is pretty awful, from what I've heard (i.e. it launches the login form in Safari, then tells the user to return to the app when authentication succeeds).
  2. No need to store the user creds with the app: I always hate the idea of having the user's password stored in either plain text or symmetrically encrypted anywhere, so I don't want the app to have to store the password to pass it to the API for future API requests.
  3. Security: We definitely don't need the intense security of a banking app, but I'd obviously like this to be secure.

Overall, the API is REST-inspired (i.e. treating URLs as resources, and using the HTTP methods and status codes semantically). Each request to the API must include two custom HTTP headers: an API Key (unique to each client app) and a unique device ID. The API requires all requests to be made using HTTPS, so that the headers and body are encrypted.

My plan is to have an api_sessions table in my database. It has a unique constraint on the API key and unique device ID (so that a device may only be logged into a single user account through a given app) as well as a foreign key to the users table.

The API will have a login endpoint, which receives the username/password and, if they match an account, logs the user in, creating an api_sessions record for the given API key and device id. Future API requests will look up the api_session using the API key and device id, and, if a record is found, treat the request as being logged in under the user account referenced by the api_session record.

There will also be a logout API endpoint, which deletes the record from the api_sessions table.

Does anyone see any obvious security holes in this?

Recommended answer

I agree with the oAuth comments - you can of course make oAuth work nicely on an iPhone - the UX is totally up to you. There are mechanisms (jQuery) to pull back the PIN from oAuth and use it (without the user re-typing the PIN into the app). That reduces the UX to

1) Display web page (in embedded control)
2) user enters user and password and presses button
3) oAuth response page is parsed automatically.

This twitter oAuth implementation does that http://github.com/bengottlieb/Twitter-OAuth-iPhone using a pre-existing oAuth library.

However, back to your original question. That looks fine. The only item you don't mention is that you need to provide a mechanism on the web app to allow the user to logout/deauthorize a device session (in case they have lost their device).
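The question's api_sessions design (login creates a row keyed by API key and device ID, each request looks the row up, logout deletes it) together with the web-app deauthorization control the answer asks for, as an added Python/sqlite example that is not code from either poster. Column names other than api_sessions and users, the PBKDF2 password storage, and the "replace on re-login" behaviour are assumptions.

```python
import hashlib, hmac, os, sqlite3

# Constructed in-memory database following the question's design: one
# api_sessions row per (api_key, device_id), with a foreign key to users.
db = sqlite3.connect(":memory:")
db.execute("PRAGMA foreign_keys = ON")
db.executescript("""
CREATE TABLE users (id INTEGER PRIMARY KEY, name TEXT UNIQUE,
                    salt BLOB, pw_hash BLOB);
CREATE TABLE api_sessions (
    api_key TEXT NOT NULL, device_id TEXT NOT NULL,
    user_id INTEGER NOT NULL REFERENCES users(id),
    UNIQUE (api_key, device_id));
""")

def pw_hash(password, salt):
    # Assumed password storage: salted PBKDF2, never the plaintext password.
    return hashlib.pbkdf2_hmac("sha256", password.encode(), salt, 100_000)

def add_user(name, password):
    salt = os.urandom(16)
    db.execute("INSERT INTO users (name, salt, pw_hash) VALUES (?, ?, ?)",
               (name, salt, pw_hash(password, salt)))

def login(api_key, device_id, name, password):
    """Login endpoint: verify the password, then create the session. A second
    login from the same device replaces the earlier row, which is how the
    UNIQUE (api_key, device_id) constraint is honoured (assumed behaviour)."""
    row = db.execute("SELECT id, salt, pw_hash FROM users WHERE name = ?",
                     (name,)).fetchone()
    if row is None or not hmac.compare_digest(row[2], pw_hash(password, row[1])):
        return False
    db.execute("INSERT OR REPLACE INTO api_sessions VALUES (?, ?, ?)",
               (api_key, device_id, row[0]))
    return True

def current_user(api_key, device_id):
    """Per-request lookup. The two headers together are the only credential
    presented, so they must travel over HTTPS as the question requires."""
    row = db.execute("SELECT user_id FROM api_sessions WHERE api_key = ? "
                     "AND device_id = ?", (api_key, device_id)).fetchone()
    return row[0] if row else None

def logout(api_key, device_id):
    db.execute("DELETE FROM api_sessions WHERE api_key = ? AND device_id = ?",
               (api_key, device_id))

def revoke_all_devices(user_id):
    """Web-app control from the answer: deauthorize every device session
    of a user (e.g. after a lost phone). Returns the number of rows removed."""
    return db.execute("DELETE FROM api_sessions WHERE user_id = ?",
                      (user_id,)).rowcount
```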
