Rails的跨应用/服务器的验证 [英] Rails authentication across apps/servers
问题描述
我一直在开发我的Rails应用,同时保持它们尽可能模块化。我想下实现不同的部件服务。
说的Facebook的例子:结果
a)在 MainApp ,允许用户有墙,柱等结果
b)在 PhotoApp 存储的照片,使用户可以看到他的照片,等等,这是一个独立的应用程序,将有一个REST API,可以通过MainApp使用为好。
我想使用OAuth作为一个单点登录解决方案(如本教程<一个href=\"http://blog.joshsoftware.com/2010/12/16/multiple-applications-with-devise-omniauth-and-single-sign-on/\">http://blog.joshsoftware.com/2010/12/16/multiple-applications-with-devise-omniauth-and-single-sign-on/)每个应用程序将通过OAuth授权并基于cookie将可以访问当前用户会话。</ P>
第一个问题:的这是一个可行的解决方案。
第二个问题:的我希望能够从 MainApp 服务器调用的 PhotoApp API(不从用户的浏览器)。在这种情况下会如何鉴定工作?
第三个问题:的如何将这项工作,如果说我有使用Node.js的服务
?是的,SSO使用OAuth是一个可行的解决方案,但它不是最简单的一种。在构建任何新的东西,的OAuth 2.0 是要走的路。基于OAuth的认证标准涵盖了大量的地面。
的OAuth的主要优点是它的允许用户给第三方应用程序访问他们的帐户没有透露他们的密码到第三方即可。如果你不认真提供这样的互操作性,那么OAuth的可能是矫枉过正。
由于复杂性,我提供了一个对不同的解决方案:
为单次登录
关键是要分享您的域名和功放内的主机之间的会话ID cookie;使用共享会话存储(如为ActiveRecordStore或基于缓存的店。)
每个Rails应用程序都有一个用于签名的cookie一个秘密。在较新的Rails应用这个位于 /config/initializers/secret_token.rb 。设置在每个应用程序相同的秘密令牌。
然后,会话配置为允许来自所有子域的访问:
AppName的:: Application.config.session_store:active_record_store,:关键=&GT; _app_name_session':域=&GT; :所有
对于内部API调用
使用一个很好的共享秘密HTTPS连接验证过。传之秘在授权标头值。
您可以与其他的架构(如Node.js的)很方便地使用共享的秘密。只要确保你总是使用HTTPS,否则共享密钥可以在网络上的嗅探。
I've been developing my rails apps whilst keeping them as modular as possible. I'm trying to implement different parts underneath as services.
Say an example of Facebook:
a) A MainApp that allows the user to have a wall, posts, etc.
b) A PhotoApp that stores photos, allows the user to see his photos, etc. This is a standalone app that will have a REST API that can be used by MainApp as well.
I was thinking of using OAuth as a Single Sign On solution (as in this tutorial http://blog.joshsoftware.com/2010/12/16/multiple-applications-with-devise-omniauth-and-single-sign-on/) where each app will be authorized via OAuth and will get access to the current user session based on the cookie.
First question: Is this a viable solution?
Second question: I want to be able to call the PhotoApp API from the MainApp server (not from the user's browser). How would authentication work in this situation?
Third question: How would this work if say I had a service that used node.js?
Yes, SSO using OAuth is a viable solution, but it's not the simplest one. When building anything new, OAuth 2.0 is the way to go. The OAuth standards cover a lot of ground.
The primary advantage of OAuth is that it allows users to give 3rd party apps access to their account without disclosing their password to the 3rd party. If you are not seriously providing such interoperability, then OAuth is probably overkill.
Given the complexity, I offer a different pair of solutions:
For Single Sign On
The trick is to share the session ID cookie between hosts within your domain & to use a shared session store (like ActiveRecordStore or a cache-based store.)
Every Rails app has a "secret" that is used to sign cookies. In newer Rails apps this is located in /config/initializers/secret_token.rb. Set the same secret token in each application.
Then, configure the session to allow access from all subdomains:
AppName::Application.config.session_store :active_record_store, :key => '_app_name_session', :domain => :all
For Internal API calls
Use a good shared secret to authenticate over HTTPS connections. Pass the secret in the "Authorization" header value.
You can use the shared secret easily with other architectures (like node.js). Just make sure you always use HTTPS, otherwise the shared secret could be sniffed on the network.
这篇关于Rails的跨应用/服务器的验证的文章就介绍到这了,希望我们推荐的答案对大家有所帮助,也希望大家多多支持IT屋!
