流行的应用程序如何验证从移动应用程序到服务器的用户请求? [英] How do popular apps authenticate user requests from their mobile app to their server?
问题描述
假设我有一个 Android 应用程序,它连接到 .Net API 以接收/设置数据.我的困惑在于如何第一次注册/登录用户并在他们每次向 API 发出请求时对其进行身份验证.
Say I have an Android application that connects to a .Net API for receiving/setting data. The confusion that I have is regarding how to sign-up/login the user first time and authenticate it every time they make a request to the API.
- 如果我只使用基于用户名/密码的身份验证,它们将不安全够了吗?
- 而且我无法在设备中保存该用户名/密码当然是出于安全原因?
- 我是否应该在注册时为每个用户发布一个 GUID,将其保存在他们的设备中并在每次 API 请求期间检索?
还有哪些其他可用的模式以及哪些模式最高效和安全,我只需要一个流程即可.有人能告诉我 Facebook、FourSquare 或 Twitter 等著名的 android 应用程序使用什么方法来验证从他们的移动应用程序到他们的服务器的每个请求吗?
What other patterns are available and which are most efficient and secure, I just need a process flow for it. Can someone tell me what method famous android applications like Facebook, FourSquare, or Twitter use to authenticate every request coming from their mobile application to their server?
如果这不是一些公开信息,请提前抱歉.
Sorry in advance if that's not some public information.
推荐答案
我想象他们使用基于令牌"的安全系统,因此密码实际上永远不会存储在任何地方,只是在第一次进行身份验证时使用.所以应用程序最初发布用户名/密码(通过 ssl),服务器返回应用程序存储的令牌.对于后续的同步尝试,首先发送令牌,服务器检查它是否有效,然后允许发布其他数据.
I imagine they use a "token" based security system, so the password is actually never stored anywhere, just used the first time to authenticate. So the app initially posts the username/password (over ssl) and the server returns a token that the app stores. For subsequent sync attempts the token is sent first, the server checks it is valid, and then allows other data to be posted.
令牌应该有一个到期时间,以便服务器可以重新请求身份验证尝试.
The token should have an expiry so the server can re-request an authentication attempt.
如果您从 Android 框架中连接到同步适配器,这将使您能够在幕后同步和验证所有内容.
If you hook into the sync adaptor from within the Android Framework that will give you the ability to sync and authenticate all under the hood.
http://developer.android.com/training/sync-adapters/creating-sync-adapter.html
如果您检查设备上设置"下的帐户,您就会明白我的意思.
If you check the accounts under Settings on your device you'll see what I mean.
这篇关于流行的应用程序如何验证从移动应用程序到服务器的用户请求?的文章就介绍到这了,希望我们推荐的答案对大家有所帮助,也希望大家多多支持IT屋!
