Securely Storing OpenID identifiers and OAuth tokens


Problem description


I am creating a web app that will use OpenID logins and OAuth tokens with Youtube. I am currently storing the OpenID identity and OAuth token/token secret in plain text in the database.


Is it inappropriate to store these values as plain text? I could use a one-way encryption for the OpenID identifier but I don't know if that is necessary. For the OAuth tokens, I would need to use a two-way encryption as my app relies on getting the session token for some uses.


Is it necessary to encrypt the OpenID identity? Could someone use it to gain access to a user's account?

Recommended answer


First, there is a registered application that has consumer_key and consumer_secret.


When users authenticate and "allow" your registered application, you get back: an access_token that is considered the user's "password" and would allow JUST YOUR application to act on the user's behalf.


So, getting just the user's access_token from your database won't help much if they don't also have the consumer_key and consumer_secret for complete access.


The service provider compares all 4 parameters on request. It would be smart to encrypt these 4 parameters before storage and decrypt them before response.


This is just when you need to update or make changes to the user's resource owner on behalf of a user. To keep a user logged in on your site, use sessions.
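One way to put the answer's advice and the asker's one-way/two-way split into code, as an added example that is not from the question, the answer or any library: the OpenID identifier only ever needs to be looked up, so it is stored as a keyed one-way hash, while the access_token and token secret must be read back to sign requests, so they get authenticated two-way encryption (AES-GCM) under a key held outside the database. The Vault and StoredCredential names and the key-handling layout are my own assumptions.

```go
package main

import (
	"bytes"
	"crypto/aes"
	"crypto/cipher"
	"crypto/hmac"
	"crypto/rand"
	"crypto/sha256"
	"encoding/hex"
	"errors"
)
// StoredCredential is the database row: OpenID identity hashed one-way, OAuth pair encrypted.
type StoredCredential struct {
	OpenIDLookup string // hex HMAC-SHA256 of the OpenID identifier, usable as the lookup column
	TokenBlob    []byte // AES-GCM nonce || ciphertext of "access_token\x00token_secret"
}
type Vault struct {
	lookupKey []byte      // HMAC key for the one-way lookup hash; lives outside the database
	aead      cipher.AEAD // AES-GCM for the two-way token encryption; its key lives outside too
}
func NewVault(lookupKey, encKey []byte) *Vault {
	block, err := aes.NewCipher(encKey) // encKey must be 16, 24 or 32 bytes
	if err != nil { panic(err) } // a bad key is a deployment error, not a runtime one
	aead, _ := cipher.NewGCM(block) // cannot fail for an AES block
	return &Vault{lookupKey: lookupKey, aead: aead}
}
// LookupHash is keyed, so a leaked table cannot be matched against guessed OpenID URLs.
func (v *Vault) LookupHash(openID string) string {
	m := hmac.New(sha256.New, v.lookupKey)
	m.Write([]byte(openID))
	return hex.EncodeToString(m.Sum(nil))
}
// Store seals the pair under a fresh nonce, binding the lookup hash as AAD so a blob moved to another user's row will not decrypt.
func (v *Vault) Store(openID, token, secret string) (StoredCredential, error) {
	lookup := v.LookupHash(openID)
	nonce := make([]byte, v.aead.NonceSize())
	if _, err := rand.Read(nonce); err != nil { return StoredCredential{}, err }
	plain := append(append([]byte(token), 0), secret...)
	return StoredCredential{lookup, v.aead.Seal(nonce, nonce, plain, []byte(lookup))}, nil
}
// Load decrypts the pair when a request must be signed on the user's behalf.
func (v *Vault) Load(openID string, c StoredCredential) (string, string, error) {
	n := v.aead.NonceSize()
	if len(c.TokenBlob) < n { return "", "", errors.New("ciphertext too short") }
	plain, err := v.aead.Open(nil, c.TokenBlob[:n], c.TokenBlob[n:], []byte(v.LookupHash(openID)))
	if err != nil { return "", "", err } // wrong key, another user's row, or tampered blob
	tok, sec, _ := bytes.Cut(plain, []byte{0}) // separator always present: Store wrote it, GCM authenticated it
	return string(tok), string(sec), nil
}
```

The consumer_key and consumer_secret the answer mentions are per-application, not per-user, so they belong in protected configuration next to the Vault keys; if they must sit in the database they can be sealed with the same Vault.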
