从 OAuth 安全存储令牌/秘密/等的正确方法? [英] Correct way to safely store token/secret/etc from OAuth?

问题描述

我刚刚开始研究 OAuth，它看起来非常好.我有 oauth with twitter 工作 ruby​​ 现在.

I just started looking into OAuth and it looks really nice. I have oauth with twitter working in ruby right now.

现在我想知道，在我的本地数据库和会话中存储响应的推荐安全方法是什么?

Now I'm wondering, what is the recommended safe way to store the responses in my local database and session?

• 我应该存储什么?
• 我应该在哪里存放它?

这个例子 twitter-oauth-with-rails app 在 session 中存储了一个 user.id，用户表有 token 和 secret.但这似乎很容易通过传入大量测试用户 ID 来破解并获取秘密，不是吗?

This example twitter-oauth-with-rails app stores a user.id in the session, and the user table has the token and secret. But that seems like it'd be really easy to hack and get the secret by just passing in a slew of test user ids, no?

推荐答案

如果没有您的 twitter 应用程序的使用者密钥/秘密，令牌将毫无用处，因为它们对每个应用程序都不同，但取决于使用者密钥/秘密.

The tokens are useless without the consumer key/secret of your twitter app as they're not the same for every app but depend on the consumer key/secret.

要获取会话变量，您必须猜测会话 ID，这并不容易实现.

To get a session variable you would have to guess the session id which is not that easy to accomplish.

如果您愿意，您可以将这些令牌存储在会话中，但我建议将用户令牌与所有其他用户数据一起存储在您的数据库中，以便您的会话仅包含用于识别系统中用户的数据.

If you want you can store those tokens in the session but I would suggest storing the user tokens in your database with all the other user data so your session contains only the data to identify the user in your system.

更新:我不确定我是否正确理解您通过猜测 ID 访问数据库中的令牌的意思.

Update: I'm not sure if I understand correctly what you mean by accessing the tokens from the database by guessing an ID.

您是否进行了任何身份验证，以便用户必须输入一些凭据才能访问他们的数据?您应该像存储用户电子邮件地址或密码一样存储令牌，并且只有经过身份验证的用户才能访问它.

Do you have any authentication in place so that the users have to enter some credentials to access their data? You should store the tokens the same way you store the users email address or password and only authenticated users should be able to access it.

这篇关于从 OAuth 安全存储令牌/秘密/等的正确方法?的文章就介绍到这了，希望我们推荐的答案对大家有所帮助，也希望大家多多支持IT屋！