Secure Web Api called by PhoneGap application


Problem description

I'm implementing some WebApi to upload/convert/return videos.

Another developer will implement a PhoneGap application that will call my WebApi to upload/convert/show videos to users.

The PhoneGap application uses OpenId to allow users to log in using Google and Facebook.

My problem is that I want to make sure the client that is calling my WebApi has been logged in on the PhoneGap app using google or facebook.

I know that all I need is for the client to send me a token in the request header that I can "extract" on the web API to validate the user. My question is: how can my WebApi know what the token that has been generated by OpenId (Google/FB) on the PhoneGap app is?

Recommended answer

Well, I am also looking into this, and what I have got so far I will share with you in the following steps:

1) Whenever a user calls my login page, I will create the token in the response header to make sure that the request is coming from a legitimate user, just like the antiforgery token in MVC.

2) Then, upon successful login, I will create the authentication cookie and set the current user context value; this will authorize the user and generate another token as mentioned above.

3) Then after this I will use the normal Authorize and Roles attributes provided by WebApi.

Let me know what you think. I am more than happy to contribute.

Another approach is, when the user logs in, to create a hashed token and add it to the response header, and to create a custom attribute which grabs that token and checks it against the database. The problem with this approach is that you will be hammering your database all the time.
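The "custom attribute that grabs the token and checks it against the database" approach from the answer, written out as an added example for ASP.NET Web API 2 (this is not code from the thread or from either developer). It assumes the client sends the token as `Authorization: Bearer <token>`; `ITokenStore`, `InMemoryTokenStore`, `TokenAuthorizeAttribute` and `VideosController` are hypothetical names, and the in-memory store is a constructed stand-in for the database table of issued tokens. Only a hash of each token is stored, so a leaked table does not leak usable tokens, and the filter sets the request principal so the ordinary `[Authorize(Roles = "...")]` checks from step 3 keep working.

```csharp
using System;
using System.Collections.Generic;
using System.Net;
using System.Net.Http;
using System.Net.Http.Headers;
using System.Security.Cryptography;
using System.Security.Principal;
using System.Text;
using System.Web.Http;
using System.Web.Http.Controllers;
using System.Web.Http.Filters;

namespace SecureVideoApi
{
    // Hypothetical store interface; a real implementation queries the database
    // (put a cache in front of it to avoid a database round trip on every request).
    public interface ITokenStore
    {
        // Returns the user name and roles bound to the token hash, or false if unknown.
        bool TryGetUser(string tokenHash, out string userName, out string[] roles);
    }

    // Constructed in-memory stand-in for the database table of issued tokens.
    public sealed class InMemoryTokenStore : ITokenStore
    {
        private readonly Dictionary<string, Tuple<string, string[]>> _byHash =
            new Dictionary<string, Tuple<string, string[]>>(StringComparer.Ordinal);

        // Called at login: generate a random token, keep only its hash,
        // and return the raw token to the client (e.g. in a response header).
        public string Issue(string userName, params string[] roles)
        {
            var bytes = new byte[32];
            using (var rng = new RNGCryptoServiceProvider()) rng.GetBytes(bytes);
            string token = Convert.ToBase64String(bytes);
            _byHash[TokenAuthorizeAttribute.Hash(token)] = Tuple.Create(userName, roles);
            return token;
        }

        public bool TryGetUser(string tokenHash, out string userName, out string[] roles)
        {
            Tuple<string, string[]> entry;
            if (_byHash.TryGetValue(tokenHash, out entry))
            {
                userName = entry.Item1; roles = entry.Item2; return true;
            }
            userName = null; roles = null; return false;
        }
    }

    // The custom attribute: runs before the action, rejects requests without a
    // known token, and otherwise sets the principal for the rest of the pipeline.
    public sealed class TokenAuthorizeAttribute : AuthorizationFilterAttribute
    {
        // Hypothetical: in a real application resolve this through the DI container.
        public static ITokenStore Store = new InMemoryTokenStore();

        public override void OnAuthorization(HttpActionContext actionContext)
        {
            AuthenticationHeaderValue auth = actionContext.Request.Headers.Authorization;
            if (auth == null || auth.Scheme != "Bearer" || string.IsNullOrEmpty(auth.Parameter))
            {
                Reject(actionContext);
                return;
            }

            string userName; string[] roles;
            if (!Store.TryGetUser(Hash(auth.Parameter), out userName, out roles))
            {
                Reject(actionContext);
                return;
            }

            // Make the user visible to [Authorize(Roles = "...")] and to the action itself.
            var identity = new GenericIdentity(userName, "Token");
            actionContext.RequestContext.Principal = new GenericPrincipal(identity, roles);
        }

        private static void Reject(HttpActionContext ctx)
        {
            ctx.Response = ctx.Request.CreateResponse(HttpStatusCode.Unauthorized);
            // Tell the client which scheme it should have used; no detail about why it failed.
            ctx.Response.Headers.WwwAuthenticate.Add(new AuthenticationHeaderValue("Bearer"));
        }

        // Hash the token before lookup, so the database only ever holds hashes.
        public static string Hash(string token)
        {
            using (var sha = SHA256.Create())
                return Convert.ToBase64String(sha.ComputeHash(Encoding.UTF8.GetBytes(token)));
        }
    }

    // Controller-level filters run before action-level ones in Web API, so the
    // token check happens first and the role check sees the principal it set.
    [TokenAuthorize]
    public class VideosController : ApiController
    {
        [Authorize(Roles = "Uploader")]
        public IHttpActionResult Post() { return Ok("video accepted"); }
    }
}
```

At login the server calls `Issue(...)` and returns the raw token to the PhoneGap app, which then sends it on every call; the API never learns what OpenId issued, it only recognises tokens it issued itself after the OpenId login succeeded. Because the lookup is keyed by a SHA-256 hash, a raw-token table dump is not directly usable, and the random 32-byte token leaves nothing for an attacker to guess. The database-hammering problem the answer points out is addressed at the `ITokenStore` boundary: a cache with a short expiry in front of the database keeps the per-request cost low without changing the filter.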
