我怎么能自动验证一个不同的网站? [英] How can I automatically authenticate a different site?
问题描述
我有一个字preSS的网站,我使用它使用基本HTTP认证第三方searchprovider的API。
I have a Wordpress site, and I am using the API of a 3rd party searchprovider which uses Basic HTTP Authentication.
在我的网站上的用户搜索,一个JS提交搜索请求第三方搜索服务提供商,如果验证返回结果,如果没有它要求用户身份验证。
When the user searches on my site, a JS submits the search request to the 3rd party search provider, which returns the results if authenticated, if not it asks for user authentication.
现在,客户不希望有认证过程,但谁访问我页面的所有用户应自动进行身份验证的第三方搜索服务提供商(LDC搜索)。
Now, the customer does not want to have the authentication process, but all users who visit my page should be automatically authenticated for the 3rd party search provider (LDC search).
我设法通过 HTTP实现这一目标对大多数的浏览器://用户名:password@example.com ,这是不是一个可接受的解决方案,因为any1能看到的密码,并在IE中不工作。
I managed to achieve this for most browsers through http://username:password@example.com, which is not an acceptable solution, as any1 can see the password, and it doesnt work in IE.
第一:我坚信,这是不可能不改变身份验证方法或有通过JS或通过链接(这需要发送传递给所有客户端)自动填充的密码,请纠正我,如果我错了
Firstly: I strongly believe that that is not possible without changing the Authentication Method or having the password autofilled in through js or through the link (which requires sending the pass to all clients) Please correct me if I am wrong?
其次:有跳过认证或具有以安全的方式自动填充的密码,而不改变第三方插件任何(半)安全的方法
Secondly: Is there any (semi-)secure way to skip the authentication or have the password autofilled in a secure way without changing the 3rd party plugin?
第三:如果这是不可能的,这将是建立认证的最好方法?我可以告诉搜索服务提供商,这样他就可以改变自己的API有REFFERENCE过滤器或类似的?
最好的问候,并感谢名单4任何帮助提前
页: http://www.gotomidtown.co.uk/ldc-search/
Thirdly: If this is not possible, what would be the best way to create authentication? What can I tell the search provider, so he can change his API to have a Refference Filter or similar? Best regards, and thanx 4 any help in advance Page: http://www.gotomidtown.co.uk/ldc-search/
推荐答案
使用HTTP基本身份验证,一个做请求必须提交用户名和密码进行身份验证。这意味着一个做请求需要知道用户名和密码。有没有办法让客户作出HTTP基本固定站点的请求也没有暴露用户凭据给他。即使可以从URL,从而从众目睽睽终端用户的隐藏它,它仍然是人谁在乎在正确的地方看(网络索取检验合格标签等)可见。
With HTTP Basic auth, the one doing the request has to submit a username and password to authenticate. Which means the one doing the request needs to know the username and password. There's no way to let the client make a request to an HTTP Basic secured site without also exposing the user credentials to him. Even if you can hide it from the URL and thereby from plain sight of the enduser, it's still visible for anybody who cares to look in the right places (network request inspection tab etc).
你想要的是第三方身份验证的一种形式,您的服务器与API提供者进行身份验证和接收时间限制的令牌。然后,用户发送到与该令牌的URL,该API供应商将接受并允许用户无需给予了不断的秘密认证一次。从本质上讲,你正在使用一次性密码这种方式。该API供应商将不得不支持,并明确实施这一机制。
What you want is a form of third-party auth where your server authenticates with the API provider and receives a time-limited token. You then send the user to a URL with that token, which the API provider will accept and allows the user to authenticate once without giving out the constant secret. Essentially you're using one-time passwords this way. The API provider will have to support and implement this mechanism explicitly.
这篇关于我怎么能自动验证一个不同的网站?的文章就介绍到这了,希望我们推荐的答案对大家有所帮助,也希望大家多多支持IT屋!
