DotNetOpenID - Identity Provider behind a firewall?


Question


Looking at the OpenID protocol, it appears that the relying party needs to send a request to the identity provider. In our situation, this is not exactly ideal since the identity provider is behind a firewall-- our server will not be able to make the request. However, the user accessing our website (client-side, e.g. javascript or redirects) would be able to. So my question is this: does OpenID support an identity provider behind the firewall? If not, is there a secure way of accomplishing this?

Edit:


The client has a web server behind their firewall. They have employees that visit our website and thus are able to visit our site and their webserver which resides behind their firewall-- our server, however, would not be able to. The Identity Provider resides on their webserver, behind their firewall-- our application (Relying Party) needs to be able to use this internal employee Identity Provider for their employee authentication.

Answer


OpenID relying parties must be able to verify that the assertion the user obtained is genuinely from the OpenID Provider. Otherwise your RP is wide open to simple attacks.


Traditionally signature verification requires that the RP server contact the OP server directly. Since this is impossible in your case, your only alternative is to hard-code a shared association secret between RP and OP. You make up an association handle and a cryptographically strong secret for that association, and tell the RP and OP about it and that it never expires. Then every auth request your RP sends must ask the OP to use that particular association handle.
Of course an association that never expires carries security risks of its own. You can mitigate that (partially) by being sure it's an HMAC-SHA256 association rather than just HMAC-SHA1.


Finally, user identifier discovery typically requires a direct HTTP connection from RP to OP, but this can be easily avoided by using identifier delegation (set up identifiers on a non-firewalled server that point to the OP behind a firewall). Alternatively your solution of hard-coding discovery results including the OP Endpoint is just fine too for a specialized solution. You've got to be careful to block all the security risks that this opens up though (like making sure the identifier really is from the set of URLs that you're hard-coding, otherwise people can spoof identities from other OP endpoints).


Since you're using DotNetOpenAuth what you can do is create your own IDirectWebRequestHandler class and set that on your OpenIdRelyingParty.Channel.WebRequestHandler property. This handler will have the opportunity to intercept outgoing HTTP requests to [server-behind-firewall] and "redirect" the request by simply synthesizing an HTTP response of your own that is the XRDS that the server behind the firewall would produce if you could only reach it. There should only be two XRDS documents per OP (one is the OP Identifier and the other would be all the claimed_id's that the OP asserts). That should get your discovery both before and after authentication working correctly.
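The answer's two RP-side checks that make the no-callback setup safe (the assertion must use the pre-shared HMAC-SHA256 association, and its op_endpoint must be one of the hard-coded OPs) are shown below at the protocol level, as an added example that is not part of the original answer or of DotNetOpenAuth. The association handle, secret, endpoint URL and sample assertion are all constructed for the example; the OpenID 2.0 key-value signing rule itself is the one from the spec.

```python
import base64
import hashlib
import hmac

# Constructed values (not from the original post): the never-expiring association
# that both RP and OP would be configured with out of band.
SHARED_ASSOC_HANDLE = "rp-intranet-op-static-assoc"
SHARED_ASSOC_SECRET = hashlib.sha256(b"constructed demo secret, not for use").digest()  # 32-byte key
# The hard-coded discovery result: the only OP endpoint this RP will accept assertions from.
TRUSTED_OP_ENDPOINTS = {"https://idp.intranet.example/openid"}
REQUIRED_SIGNED = ("op_endpoint", "return_to", "response_nonce", "assoc_handle")


def signature_base(params, signed_fields):
    """OpenID 2.0 key-value form of the signed fields: 'key:value\\n' for each, in openid.signed order."""
    return "".join(f"{f}:{params['openid.' + f]}\n" for f in signed_fields).encode("utf-8")


def sign_assertion(params, signed_fields):
    """OP side: sign a positive assertion with the shared HMAC-SHA256 association."""
    out = dict(params, **{"openid.assoc_handle": SHARED_ASSOC_HANDLE, "openid.signed": ",".join(signed_fields)})
    mac = hmac.new(SHARED_ASSOC_SECRET, signature_base(out, signed_fields), hashlib.sha256).digest()
    out["openid.sig"] = base64.b64encode(mac).decode("ascii")
    return out


def verify_assertion(params):
    """RP side: verify an assertion without any connection to the OP. Returns (ok, reason)."""
    if params.get("openid.mode") != "id_res":
        return False, "not a positive assertion"
    if params.get("openid.assoc_handle") != SHARED_ASSOC_HANDLE:
        return False, "assertion does not use the pre-shared association"
    if params.get("openid.op_endpoint") not in TRUSTED_OP_ENDPOINTS:
        return False, "op_endpoint is not one of the hard-coded OPs"
    signed = params.get("openid.signed", "").split(",")
    # claimed_id and identity must be covered by the signature whenever they are present.
    must_sign = set(REQUIRED_SIGNED) | {f for f in ("claimed_id", "identity") if "openid." + f in params}
    if not must_sign.issubset(signed):
        return False, "a required field is outside the signature"
    try:
        base = signature_base(params, signed)
    except KeyError:
        return False, "signed field missing from the message"
    expected = base64.b64encode(hmac.new(SHARED_ASSOC_SECRET, base, hashlib.sha256).digest())
    if not hmac.compare_digest(expected, params.get("openid.sig", "").encode("ascii", "replace")):
        return False, "signature mismatch"
    return True, "ok"  # still needed, not shown: return_to check and response_nonce replay cache


# Constructed sample assertion, as the OP would redirect it back to the RP after login.
SAMPLE_ASSERTION = sign_assertion({
    "openid.ns": "http://specs.openid.net/auth/2.0", "openid.mode": "id_res",
    "openid.op_endpoint": "https://idp.intranet.example/openid",
    "openid.return_to": "https://rp.example.com/openid/return",
    "openid.response_nonce": "2010-01-01T00:00:00Zabc123",
    "openid.claimed_id": "https://idp.intranet.example/users/alice",
    "openid.identity": "https://idp.intranet.example/users/alice",
}, REQUIRED_SIGNED + ("claimed_id", "identity"))
```

The nonce replay cache and return_to check that a real RP also performs are left out to keep the example short.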
