DotNetOpenAuth - how to uniquely identify Google users?


Question

I am using DotNetOpenAuth to identify Google users. I am currently retrieving their e-mail address and saving a copy of that in my database. However, what if they change their e-mail address in their Google account? Then my copy can no longer be linked to their profile.

Is there a way to uniquely identify a Google account through DotNetOpenAuth?

Answer

Always use the IAuthenticationResponse.ClaimedIdentifier to uniquely identify users!

OpenID's security model is based on this design. Using email addresses is insecure in many ways. Any Provider can issue a positive assertion claiming that the user owns a particular email address. OpenID doesn't prevent the OP from lying about email addresses, so if you just used email addresses as the user key then you'd be wide open to user spoofing attacks. Even if the OP isn't trying to be dishonest, you couldn't generally trust it because you don't know whether the OP verified the email address or simply asked the user what their email address was.

Even if you trust Google to not lie, there are several reasons (some of them can be mitigated, but aren't obvious) to not treat the email address as the user identifier. For example, Google lets users change the email address behind their Google account. If the user did this and then returned to your web site, your site would identify them as a different user. Even worse, if another user later claimed a recycled email address for their new Google account, your site would recognize them as the older user and give the new user access to a bunch of the old user's data.

OpenID Claimed Identifiers are designed to avoid all this trouble.
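The pattern the answer describes, as an added example that is not part of the original question or answer and is not DotNetOpenAuth's own sample code: the relying party keys its user table on ClaimedIdentifier and treats the e-mail from the Attribute Exchange extension as a mutable, unverified attribute. The UserAccount, UserStore and GoogleOpenIdLogin classes, the in-memory dictionary standing in for a database table, and the Google OP endpoint URL used as the user-supplied identifier are assumptions for illustration; only the DotNetOpenAuth types and members (OpenIdRelyingParty, IAuthenticationRequest, IAuthenticationResponse, FetchRequest, FetchResponse, WellKnownAttributes) are the library's.

```csharp
using System;
using System.Collections.Generic;
using DotNetOpenAuth.OpenId;
using DotNetOpenAuth.OpenId.Extensions.AttributeExchange;
using DotNetOpenAuth.OpenId.RelyingParty;

// Hypothetical account record: the stable key is the OpenID claimed identifier.
// E-mail is stored only for display/contact and may change or be recycled.
public class UserAccount
{
    public string ClaimedIdentifier { get; set; } // unique key in the database
    public string Email { get; set; }             // mutable attribute, never a key
    public DateTime LastLogin { get; set; }
}

// Hypothetical in-memory store standing in for a table whose unique index
// is ClaimedIdentifier. Look-ups never go through the e-mail column.
public class UserStore
{
    private readonly Dictionary<string, UserAccount> byClaimedId =
        new Dictionary<string, UserAccount>(StringComparer.Ordinal);

    public UserAccount FindOrCreate(string claimedId, string email)
    {
        UserAccount account;
        if (!byClaimedId.TryGetValue(claimedId, out account))
        {
            account = new UserAccount { ClaimedIdentifier = claimedId };
            byClaimedId[claimedId] = account;
        }
        // A changed e-mail updates the attribute on the same account.
        // A recycled e-mail on a different claimed id creates a different account.
        account.Email = email;
        account.LastLogin = DateTime.UtcNow;
        return account;
    }
}

public class GoogleOpenIdLogin
{
    // Assumed OP identifier for Google's OpenID 2.0 endpoint.
    private const string GoogleOpEndpoint = "https://www.google.com/accounts/o8/id";
    private readonly OpenIdRelyingParty relyingParty = new OpenIdRelyingParty();
    private readonly UserStore users;

    public GoogleOpenIdLogin(UserStore users) { this.users = users; }

    // Step 1: redirect to the provider, requesting the e-mail via Attribute Exchange.
    public void BeginLogin()
    {
        IAuthenticationRequest request = relyingParty.CreateRequest(GoogleOpEndpoint);
        var fetch = new FetchRequest();
        fetch.Attributes.AddRequired(WellKnownAttributes.Contact.Email);
        request.AddExtension(fetch);
        request.RedirectToProvider(); // WebForms; in MVC return request.RedirectingResponse.AsActionResult()
    }

    // Step 2: process the return from the provider. Returns the linked account, or null.
    public UserAccount CompleteLogin()
    {
        IAuthenticationResponse response = relyingParty.GetResponse();
        if (response == null || response.Status != AuthenticationStatus.Authenticated)
        {
            return null; // no OpenID response, cancelled, or failed assertion
        }

        // The one value that identifies the user. ClaimedIdentifier is an
        // Identifier; its string form is what the database column holds.
        string claimedId = response.ClaimedIdentifier.ToString();

        // The e-mail is optional and, from the relying party's point of view,
        // unverified: the OP may omit it or assert anything it likes.
        string email = null;
        var fetchResponse = response.GetExtension<FetchResponse>();
        if (fetchResponse != null)
        {
            email = fetchResponse.GetAttributeValue(WellKnownAttributes.Contact.Email);
        }

        return users.FindOrCreate(claimedId, email);
    }
}
```

One caveat when keying on Google's claimed identifiers: with OpenID 2.0 directed identity, Google issues a claimed identifier that is specific to the relying party's realm, so the realm passed to the provider must stay constant across deployments (moving from http to https, or to a new hostname, without pinning the realm changes every user's key). Checking response.Status and ignoring the e-mail for identity purposes, as above, is what keeps the spoofing and recycled-address cases in the answer from mapping a login onto someone else's account.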

