How to put user authentication into a mobile application


Question

I'm interested in the best way to do user auth in a mobile app. At the moment the set up is quite simple. I'm storing the username and password on the app and sending it to the api each time I need to run a restricted query.

This I feel is probably the wrong way to go about this.

Would a better way to be to send the username and password when the user logs in and then store that user's id? The problem with this is that then the api accepts a user id and not a username and password. A user id will be much easier to "guess" at and malicious persons would be able to submit a req to the api with randomly selected user id's performing actions under their account. I have an api key. Is this secure enough?

The issue is that I want to start integrating twitter and facebook oauth into the app. I haven't read much about it, but I think you get a "token". How would this work with the set up that you're suggesting? Would there be benefit to creating a token in my own database of users and using the token (whether it be mine, facebook's or twitter's) as the authorisation? Or would it make sense to keep each service separate and deal with them separately?

Thanks.

Recommended answer

The correct way would be to generate an auth token on the server when the user logs in and send this token in the login reply. Then this token is used in subsequent requests.

This means that the server must keep track of the auth tokens it generates. You can also track token creation times and make tokens expire after some time.

Token must be a sufficiently long random string, so that it can not be easily guessed. How to do this was answered before: How to generate a random alpha-numeric string?

Personally I prefer the UUID approach.

Update:

This problem was already solved in web browsers, via cookies and sessions. You can reuse this mechanism in your Android requests (though some REST purists disapprove of this approach):

  1. Enable sessions on the server.

  2. When the user logs into the server, add some data to the session, for instance the time of login:

     request.getSession().setAttribute("timeOfLogin", System.currentTimeMillis());

  3. Since sessions are enabled, you also need to enable cookie support in your HttpClient requests: Using Cookies across Activities when using HttpClient

  4. Every time a request is made, the server should check whether the session contains the timeOfLogin attribute. Otherwise it should return an HTTP 401 reply.

  5. When the user logs out, call the server logout URL and clear the cookies on the client.
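As an added illustration of the server-side token handling the answer describes (this is not code from the answer, the question, or any library), the following Python shows the full cycle: issue an unguessable token at login, resolve it on each restricted request, expire it after a fixed lifetime, and revoke it at logout. The 30-minute lifetime, the Bearer header format and the in-memory dict standing in for a session/token table are assumptions.

```python
import secrets
import time
from dataclasses import dataclass

TOKEN_TTL_SECONDS = 30 * 60  # assumed lifetime; tune to your app's needs


@dataclass
class Session:
    user_id: str
    issued_at: float


class TokenAuth:
    """Server-side record of issued auth tokens (the dict stands in for a DB/cache table)."""

    def __init__(self, ttl=TOKEN_TTL_SECONDS):
        self.ttl = ttl
        self._sessions = {}  # token -> Session

    def login(self, user_id, now=None):
        # 32 random bytes from the OS CSPRNG: unlike a user id, this cannot be guessed
        token = secrets.token_urlsafe(32)
        self._sessions[token] = Session(user_id, time.time() if now is None else now)
        return token

    def resolve(self, token, now=None):
        """Return the user id behind a live token, or None if unknown or expired."""
        now = time.time() if now is None else now
        session = self._sessions.get(token)
        if session is None:
            return None
        if now - session.issued_at > self.ttl:
            del self._sessions[token]  # lazily drop expired tokens
            return None
        return session.user_id

    def logout(self, token):
        # Server-side revocation; the client clears its stored token as well
        self._sessions.pop(token, None)


def handle_restricted_request(auth, headers, now=None):
    """Gate a restricted API call on the token; 401 when it is missing, unknown or expired."""
    token = headers.get("Authorization", "")
    if token.startswith("Bearer "):
        token = token[len("Bearer "):]
    user_id = auth.resolve(token, now)
    if user_id is None:
        return 401, "Unauthorized"
    return 200, f"hello {user_id}"
```

Because the server only ever accepts tokens it issued itself, a caller who knows or guesses another account's user id gains nothing without that account's token.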
