Cross Domain Login - How to log a user in automatically when transferred from one domain to another
Question

We offer a number of online services. We are required to develop a system which provides a quick/simple experience for users if they are transferred from one service (on domain1.com) to another service (on domain2.com).

Is there a safe and secure way to log a user in automatically once he has been transferred to the new service?

Yell at me if the solution below is completely insecure/wrong.

We were considering a system similar to that provided by a number of online services for password recovery - they are emailed a link with a unique hash which expires, that allows them to change their password.

The domain1.com site would generate a unique hash and store it in a database with the hash linked to a user along with an expire datetime field.

The user would be transferred to domain2.com/auto/?hash=d41d8cd98f00b204e9800998ecf8427e

domain2.com would next make a request to domain1.com with the hash to get the information about the user. domain1.com would then remove the hash from the database. domain2.com would log the user in and set cookies, etc.

Could something based on OpenID or OAuth achieve the same results?
Answer

Single sign-on (SSO) is conceptually pretty simple.

- User hits domain1.com.
- domain1.com sees there's no session cookie.
- domain1.com redirects to sso.com.
- sso.com presents the login page and takes credentials.
- sso.com sets a session cookie for the user.
- sso.com then redirects back to domain1 to a special URL (like domain1.com/ssologin).
- The ssologin URL contains a parameter that is basically "signed" by sso.com. It could be as simple as a base64 of encrypting the loginid using a shared secret key.
- domain1.com takes the encrypted token, decrypts it, and uses the new login id to log in the user.
- domain1 sets the session cookie for the user.

Now, the next case.

- User hits domain2.com, which follows domain1 and redirects to sso.com.
- sso.com already has a cookie for the user, so does not present the login page.
- sso.com redirects back to domain2.com with the encrypted information.
- domain2.com logs in the user.

That's the fundamentals of how this works. You can make it more robust, more feature rich (for example, this is SSOn, but not SSOff: the user can "log out" of domain1, but still be logged in to domain2). You can use public keys for signing credentials, you can have requests to transfer more information (like authorization rights, etc.) from the SSO server. You can have more intimate integration, such as the domains routinely checking that the user still has rights from the SSO server.

But the cookie handshake via the browser using redirects is the key foundation upon which all of these SSO solutions are based.
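As an added illustration of the "signed" ssologin parameter the answer describes (not code from the original question or answer): sso.com issues an HMAC-signed token that carries the login id and an expiry, and the /ssologin handler on the receiving domain verifies it before setting its own session cookie. The shared secret, the claim names and the audience check that binds a token to one domain are assumptions, not part of the original post.

```python
import base64
import binascii
import hashlib
import hmac
import json
import time
from typing import Optional

# Constructed example secret. Assumption: sso.com and each domain share a
# secret provisioned out of band (the post only says "shared secret key").
SHARED_SECRET = b"example-shared-secret-change-me"

def _b64url(data: bytes) -> str:
    return base64.urlsafe_b64encode(data).rstrip(b"=").decode("ascii")

def _b64url_decode(text: str) -> bytes:
    return base64.urlsafe_b64decode(text + "=" * (-len(text) % 4))

def issue_token(login_id: str, audience: str, secret: bytes = SHARED_SECRET,
                ttl: int = 60, now: Optional[int] = None) -> str:
    """sso.com side: build the parameter carried in the redirect to /ssologin."""
    now = int(time.time()) if now is None else now
    # 'aud' ties the token to one domain; 'exp' keeps a captured URL short-lived.
    payload = json.dumps({"sub": login_id, "aud": audience, "exp": now + ttl},
                         separators=(",", ":"), sort_keys=True).encode()
    sig = hmac.new(secret, payload, hashlib.sha256).digest()
    return _b64url(payload) + "." + _b64url(sig)

def verify_token(token: str, expected_audience: str,
                 secret: bytes = SHARED_SECRET,
                 now: Optional[int] = None) -> Optional[str]:
    """Domain side (/ssologin handler): return the login id, or None if invalid."""
    now = int(time.time()) if now is None else now
    try:
        payload_b64, sig_b64 = token.split(".", 1)
        payload = _b64url_decode(payload_b64)
        sig = _b64url_decode(sig_b64)
    except (ValueError, binascii.Error):
        return None
    expected = hmac.new(secret, payload, hashlib.sha256).digest()
    if not hmac.compare_digest(sig, expected):   # constant-time comparison
        return None
    try:
        claims = json.loads(payload)
    except ValueError:
        return None
    # Reject tokens meant for another domain or already past their expiry.
    if claims.get("aud") != expected_audience or claims.get("exp", 0) <= now:
        return None
    return claims.get("sub")
```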