使用 OAuth2 对应用*和网站进行身份验证 [英] Authenticating with OAuth2 for an app *and* a website

问题描述

我正在开发一个主要通过应用程序访问的网站，我想使用 OAuth2 进行用户注册和身份验证.由于它是一个 Android 应用程序，我将开始使用 Google 的 OAuth2 内容，因为它在 Android 上提供了一个不错的用户界面.

Google 声明 ，谷歌 - 谷歌，是这个令牌有效吗?".

现在，我希望发生的是谷歌说是的，给你的人确实是那个用户."，但我认为实际上会发生(基于 OAuth2 草案和Google 的文档)是它会说不可能！该令牌仅对 MyApp 有效，而您是 MySite.GTFO！".

那我该怎么做呢?并且请不要说使用 OpenID"或不要使用 OAuth2"或其他类似的无用答案.哦，我真的很想继续使用漂亮的 AccountManager UI 而不是蹩脚的弹出式 WebViews

编辑

来自 Nikolay 的临时答案(如果有效，我会报告！)它实际上应该有效，而 Google 的服务器不会关心访问令牌的来源.对我来说似乎有点不安全，但我会看看它是否有效！

更新

我用 Facebook 而不是 Google 实现了这个模式，它完全有效.OAuth2 服务器不关心访问令牌的来源.至少 Facebook 没有，所以我认为 Google 也没有.

鉴于此，存储访问令牌是一个非常糟糕的主意！但是我们也不希望必须访问 Facebook/Google 的服务器来检查每个请求的身份验证，因为它会减慢一切.可能最好的办法是为您的站点添加一个额外的身份验证 cookie，您在验证访问令牌时分发该 cookie，但更简单的方法是将访问令牌视为密码并存储它的哈希值.你也不需要加盐，因为访问令牌真的很长.所以上面的步骤变成了这样:

9.MySite 需要使用访问令牌验证用户.首先，它检查其哈希有效访问令牌的缓存.如果在那里找到令牌的哈希值，则它知道用户已通过身份验证.否则，它会与 Google 如此处所述一起检查，并使用 Google -Google，这是令牌有效吗?".

10.如果 Google 说访问令牌无效，我们会告诉用户 GTFO.否则 Google 会说是的，这是一个有效用户"，然后我们会检查我们的注册用户数据库.如果未找到该 Google 用户名(或 Facebook id，如果使用 Facebook)，我们可以创建一个新用户.然后我们缓存访问令牌的哈希值.

解决方案

您可能需要 OpenID Connect，它使用 OAuth 令牌进行身份验证.至于 AccountManager，目前的 OAuth 支持有点老套，新的 Google Play 服务，即将很快"发布，希望能让它变得更好.请在此处查看演示.

I'm developing a website that is primarily accessed via an app, and I want to use OAuth2 for user registration and authentication. Since it is an Android app I will start using Google's OAuth2 stuff, since it provides a decent UI on Android.

Google states that "You can choose to use Google's authentication system as a way to outsource user authentication for your application. This can remove the need to create, maintain, and secure a username and password store." which is what I want to do. However when I go through all their examples and whatnot, I can only find stuff about having a website or an app authenticate a user against Google's services.

And indeed, when I go to register my app ("client") with Google's OAuth2 there are options for website clients and "installed" clients (i.e. a mobile app) but not both. I can create two separate clients but I read the OAuth2 draft and I think there will be a problem, which I will now explain.

Here's how I did envisage it working:

1. User asks MyApp to access his private data.
2. App uses Android's AccountManager class to request an access token for Google's APIs.
3. Android says to user "The app 'MyApp' wants access to your Basic Information on Google. Is this ok?"
4. User says yes.
5. AccountManager connects to Google's OAuth2 server using the credentials stored on the phone, and asks for an access token.
6. Access token (which follows the green lines) is returned.
7. AccountManager returns the access token to MyApp.
8. MyApp sends a request to MySite for the user's private data, including the access token.
9. MySite needs to verify the user, using the access token. It validates the token as described here, with Google - "Google, is this token valid?".
10. Now, what I want to happen is that Google says "Yes, whoever gave it to you is indeed that user.", but what I think will actually happen (based on the OAuth2 draft and Google's documentation) is that it will say "No way! That token is only valid for MyApp, and you're MySite. GTFO!".

So how should I do this? And PLEASE don't say "Use OpenID" or "Don't use OAuth2" or other similarly unhelpful answers. Oh and I would really like to keep using the nice AccountManager UI rather than crappy popup WebViews

Edit

Provisional answer (I will report back if it works!) from Nikolay is that it should actually work, and Google's servers won't care where the access token came from. Seems a bit insecure to me, but I will see if it works!

Update

I implemented this pattern with Facebook instead of Google and it totally works. The OAuth2 server doesn't care where the access token comes from. At least Facebook's doesn't, so I assume Google's doesn't either.

In light of that it is a very very bad idea to store access tokens! But we also don't want to have to hit Facebook/Google's servers to check authentication for every request since it will slow everything down. Probably the best thing is to add an additional authentication cookie for your site that you hand out when their access token is validated, but a simpler way is just to treat the access token like a password and store a hash of it. You don't need to salt it either since access tokens are really really long. So the steps above become something like:

9. MySite needs to verify the user, using the access token. First it checks its cache of hashed valid access tokens. If the hash of the token is found there it knows the user is authenticated. Otherwise it checks with Google as described here, with Google - "Google, is this token valid?".

10. If Google says the access token is invalid, we tell the user to GTFO. Otherwise Google says "Yes that is a valid user" and we then check our registered user database. If that Google username (or Facebook id if using Facebook) is not found we can create a new user. Then we cache the hashed value of the access token.

解决方案

You probably need OpenID Connect, which uses OAuth tokens for authentication. As for AccountManager, the current OAuth support is a bit hacky, the new Google Play Services, set to be released 'soon' should hopefully make this better. See here for a demo.

这篇关于使用 OAuth2 对应用*和网站进行身份验证的文章就介绍到这了，希望我们推荐的答案对大家有所帮助，也希望大家多多支持IT屋！