Authenticating against a REST API with iOS client using Facebook SSO as the only login mechanism


Question

I'm planning to use Facebook as the only sign-on mechanism for an application that I'm building and need some feedback on the design. Here it goes -

User opens the app and is presented with a register screen. The Facebook authorization flow starts; let's assume it succeeded and the user has successfully registered himself. Upon success, the app calls the Facebook Graph API and gets the user's first name, last name, email, date of birth etc. With this data, the app then calls a web service method called RegisterUser(string Fullname, string FirstName, string LastName ...) which creates the user record in the database.

Now for subsequent calls to the API, I need to authenticate that the request is really coming in from my application (not necessarily a particular user). I've looked up the S3 REST API and it seems that with every request there's an HTTP header called Authorization that the client creates by appending a bunch of other HTTP headers like Date, Method and request data, signing it with the client's private key and computing its base64-encoded value. This is verified on the server side to authenticate the client.

Now, I'm comfortable implementing all this, but a few questions:

  • If I have a private key, is it safe to include it as part of the iOS application itself? Could someone extract the key from the iOS app binary? If so, how do I deal with that?
  • Is there anything else you would change about this design?

Thanks,
Teja.

Answer

Make sure you apply a one-way hashing algorithm to the value you base64 encode - base64 is a two-way encoding, so you don't want eavesdroppers reverse engineering your private key from that. Amazon S3 does this by performing a SHA-1 before doing the base64.

As with all (AFAIK?) compiled binaries, your app shouldn't be able to be decompiled.

