使用 oAuth 或其他方式实现访问 [英] Implementing access with oAuth or other
问题描述
我正在尝试想办法将网站及其部分数据库打开到其他第三方网站,类似于 Twitter 让 web 应用程序连接到其数据库以检索数据并可能存储数据的方式.
I'm trying to think of a way to open a website and part of its database to other third party websites, similar to how Twitter lets webapps connect to its database to retrieve data and possibly store data.
我最初的研究使我使用了 oAuth(或者是 openID?).
My initial research led me to oAuth (or is it openID?).
我需要做的是让第三方网站登录网站上的用户账户,但只能读写属于他们的数据,而不能触及属于其他第三方网站的数据?
What I need to do is let the third party websites login to a user's account on the website, but only read and write data that belongs to them and not be able to touch data that belong to other third party websites?
我对 oAuth 的细节有点模糊.我需要创建某种 API 还是 oAuth 是我唯一需要实现的?如您所见,我不确定如何执行此操作,因此更专业的人的任何解释都会有所帮助.
I'm a bit fuzzy of the details of oAuth. Do I need to create some sort of an API or is oAuth the only thing I need to implement? As you can see, I'm not sure on how to do this so any explanations from those who are more experts would help.
如果我实施 oAuth,其他第三方网站能否访问该网站的数据?
If I implement oAuth, will other third party websites be able to access data from the website?
我可以让其他第三方网站在用户不必访问主网站的情况下将用户注册到主网站吗?有没有人认为这是一个坏主意?是/否,为什么?
Can I let other third party websites register the user to the main website without the user having to visit the main website? Does anyone think this is a bad idea? yes/no and why?
以及 oAuth 如何帮助我确保第三方网站不会读取/写入/更改与其他第三方网站相关的用户数据.
and how does oAuth help me make sure that a third party websites does not read/write/change user data related to another third party website.
我确定这比我想象的要容易,但我是 oAuth 的新手,所以图片还不清楚.
I'm sure this is easier than what I think, but I'm new to oAuth so the picture isn't clear yet.
推荐答案
首先,让我们明确 OAuth 和 OpenID 是两个独立的事物.OpenID 仅用于身份验证.OAuth 用于身份验证和授权.在这种情况下,授权是指客户端应用程序授权访问和更新与经过身份验证的用户关联的数据.
First, let's be clear that OAuth and OpenID are two separate things. OpenID is intended for authentication only. OAuth is intended for authentication and authorization. In this case, authorization refers to the idea that a client application is authorized to access and update data associated with an authenticated user.
我需要做的是让第三方网站登录网站上的用户账户,但只能读写属于他们的数据,而不能触及属于其他第三方网站的数据?
What I need to do is let the third party websites login to a user's account on the website, but only read and write data that belongs to them and not be able to touch data that belong to other third party websites?
如果存储在每个第三方网站上的数据与存储在您的身份验证服务器上的数据互斥,那么您可能希望坚持使用 OpenID.
If the data that is stored on each of the third party websites is mutually exclusive of the data stored on your authentication server, then you may want to stick with OpenID.
但是,如果您希望第三方网站更新应与所有其他第三方网站共享的用户信息(即名字、姓氏、街道地址、信用卡信息等),则您可能想使用 OAuth.我知道 OpenID 规范有一个扩展允许这种事情(实际上,您可以将其调整到您自己的实现中),但从一般意义上说,这种东西属于 OAuth.
If, however, you want your third party websites to update information about the user that should be shared with all the other third party websites (i.e. First name, Last name, Street address, Credit Card Information, etc.), then you may want to go with OAuth. I am aware that there is an extension to the OpenID spec that allows for this sort of thing (and indeed, you can adapt this to your own implementation), but in the general sense, this sort of stuff belongs in OAuth.
我对细节有点模糊o身份验证.我需要创建某种类型吗API 或者 oAuth 是我唯一的东西需要实施吗?
I'm a bit fuzzy of the details of oAuth. Do I need to create some sort of an API or is oAuth the only thing I need to implement?
除了请求令牌和使用 OAuth 服务器授权客户端应用程序的初始细节之外,您还必须实施其他方法来检索和更新有关已验证用户的信息.例如,Twitter 要求您的应用程序通过特定用户的身份验证并被授权更新用户的状态.除了基本的 OAuth 实现之外,更新状态方法是他们 API 的一部分.
Beyond the initial details of requesting tokens and authorizing the client application with the OAuth server, you would have to implement additional methods to retrieve and update information about the authenticated user. For example, Twitter requires your application to be authenticated with a particular user and authorized to update the user's status. That update status method is a part of their API in addition to the base OAuth implementation.
如果我实施 oAuth,其他第三方会党的网站能够访问数据从网站?有没有人认为这是一个坏主意?是/否,为什么?
If I implement oAuth, will other third party websites be able to access data from the website? Does anyone think this is a bad idea? yes/no and why?
这些网站只能访问已通过您的 OAuth 服务器进行身份验证并授权该网站访问其数据的用户的数据.但是,只有具有有效消费者密钥的网站才能请求正确的令牌以开始 OAuth 会话.因此,只有您授权的网站才能与您的服务器进行交互.
Those websites will only be allowed to access the data of the user who has authenticated with your OAuth server and authorized that website to access their data. However, only those websites with a valid Consumer Key can request the proper tokens to begin an OAuth session. So only those websites that you have authorized will be allowed to interact with your server.
这些令牌总是有可能通过会话固定被劫持.但这种担忧不应阻止您实施 OAuth 服务.这并不意味着不用担心.只是不要让它成为障碍.
There is always the chance that those tokens can be hijacked through Session Fixation. But that concern should not prevent you from implementing your OAuth service. That doesn't mean don't worry about it. Just don't let that be a roadblock.
是否可以让其他第三方网站在用户不必访问主网站的情况下将用户注册到主网站?
Can I let other third party websites register the user to the main website without the user having to visit the main website?
不符合 OAuth 定义的当前规范.OAuth 背后的想法是您的用户在 OAuth 服务器上注册.您的第三方客户端使用此服务器作为身份验证点.但是,这并不意味着您不能实现某种 API 来注册用户,如果应用程序有某种主"帐户要登录(尽管这是它自己的安全风险).只是不推荐.
Not with the current spec as defined by OAuth. The idea behind OAuth is that your users register at the OAuth server. Your third party clients use this server as an authentication point. This doesn't mean you can't, however, implement some sort of API to register a user if the application has some sort of "master" account to log in with (though this is it's own security risk). It's just not recommended.
oAuth 如何帮助我确保第三方网站不会读取/写入/更改与其他第三方网站相关的用户数据?
and how does oAuth help me make sure that a third party websites does not read/write/change user data related to another third party website?
仅仅因为您使用 OAuth 并不意味着您的第三方网站无法将数据存储在他们自己的数据存储中.Flickr 和 Twitter 都提供 OAuth 服务,但都不会在他们的服务器上存储彼此的信息(没有 flickr 照片存储在 Twitter 的数据库中).
Just because you use OAuth doesn't mean that your third party websites can't store data in their own data stores. Both Flickr and Twitter offer OAuth services, but neither store each other's information on their servers (no flickr photos get stored in Twitter's databases).
只要您没有在 OAuth 服务器上存储特定于每个应用程序的信息,就不会有问题.请记住,OAuth 服务器用于验证用户并存储应由所有应用程序共享的基本信息.我将在此重申,如果您只想验证用户身份,请坚持使用 OpenID.
As long as you aren't storing the information specific to each application on your OAuth server, you shouldn't have a problem. Remember, the OAuth server is there to authenticate users and store the basic information that should be shared by ALL applications. I'll reiterate here, if all you want to do is authenticate the user, then stick with OpenID.
编辑
我可以将权限分段,这样当用户授权站点 A 时,他不会授权给他的完整帐户,而只是授权它访问他自己帐户上的数据吗?oAuth 可以这样做吗?
Can I segment the permissions such that when the user authorizes site A, he doesn't authorize it to his full account, but just authorizes it to access its own data on his account? Can oAuth do this?
在您的实施中,您可以.这将是检查与用于访问该 OAuth 端点的访问令牌关联的消费者密钥的问题.请记住,对 API 授权部分的每次调用都必须包含访问令牌.因此,如果您想将该端点锁定到特定应用程序,则可以通过访问令牌和使用者密钥进行检查.
In your implementation, you can. It would be a matter of checking consumer key associated with the access token being used to access that OAuth Endpoint. Remember that each call to the authorized portion of your API must include an access token. So it makes sense that if you want to lock down that endpoint to a particular application you would check it by access token and consumer key.
这篇关于使用 oAuth 或其他方式实现访问的文章就介绍到这了,希望我们推荐的答案对大家有所帮助,也希望大家多多支持IT屋!
