为我的服务器提供安全的Facebook验证 [英] Provide secure Facebook authentication with my Server

查看:163
本文介绍了为我的服务器提供安全的Facebook验证的处理方法,对大家解决问题具有一定的参考价值,需要的朋友们下面随着小编来一起学习吧!

问题描述

我想使用REST Api构建一个小型移动应用程序(Android和iOS)和一个后端服务器。



我的应用程序用户(android或iOS)需要登录Facebook。我通过使用Facebooks mobile sdk来做到这一点。当登录成功时,Facebook sdk会返回一个authentificationToken,现在是用户智能手机。



想法如下:
每当我的应用程序需要一些数据,应用程序将通过HTTPS与我的服务器后端(REST)相关联。例如:该应用程序创建一个简单的HTTP GET并传递检索到的Facebook authenticationToken。我的服务器得到这个facebook的身份验证,并使用该令牌来确定用户是否通过身份验证,并检索Facebook个人资料信息(名字,姓氏等)。所以服务器也联系Facebook,并为HTTP GET请求生成个性化的响应。



我的问题是:


  1. 为每个REST API调用传递这个FacebookAuthentication令牌,以使服务器检索正确的相关的facebook用户,真的够了吗?

  2. 我使用HTTPS我猜,连接是否足够加密,对吗?

  3. 我想我需要一些签名机制,以便签署每个REST API调用(通过HTTPS),以确保只有从我的手机应用我会通过使用RSA与SHA-1签署任何REST API调用。但是这种方法的问题是:客户端需要将私钥存储在App中的某个位置(用于签名请求),并且服务器知道公钥(用于签名匹配)。它是否正确?如果是的话,我想这是一个很大的安全问题,因为一个移动应用程序(特别是android)可以被反编译以获取私钥。如何在我的应用程序中安全地存储这个私钥?是否有另一个签署系统可以推荐? Bt:你知道一个适用于iOS和Android的好的RSA库吗?


h2_lin>解决方案

1)是的。够了如果您的客户端(移动应用)具有令牌,则证明用户已通过身份验证。所以,你以这种方式认证了一个用户。但是,只能验证一个移动应用程序是不够的(关于这一点,我将在#3中进行说明)。



2)是的。它是加密的两种方式。



3)这是艰难的一个。这被称为远程认证。这有很多问题。



在您进入此方向之前,您需要问自己两个问题:





  • 我愿意投资多少?




      • 如果您是以非常有限的知识保护自己免受学生的伤害,谁可能会写另一个将使用您的服务器的移动应用程序,那么您的签名就可以正常使用。



      如果您只是保护一个更复杂的软件工程师(谁可以逆向工程您的应用程序) - 这还不够。该工程师可以从您的应用程序中提取私钥,并使用它在其应用程序中签名请求。



      您可以阅读有关远程认证的信息 here 这里



      可以保护您免受简单逆向工程的解决方案相当复杂。



      PS关于RSA库。



      看看这个Android:



      不对称加密



      这对于iOS



      使用公钥的RSA加密


      I would like to build a little mobile App (Android and iOS) and a little backend server with a REST Api.

      My app users (android or iOS) needs to login on facebook. I do that by using facebooks mobile sdk. When the login has been successful, facebook sdk will return a authentificationToken, that is now on the users smartphone.

      The idea is as follows: Whenever my app needs some data, the app will conntact to my server backend (REST) over HTTPS. For example: The app makes a simple HTTP GET and passes the retrieved Facebook authenticationToken. My Server gets this facebook authenticationToken and use this token to determine, if the user is a authenticated and to retrieve facebook profile information (firstname, lastname etc.). So the server contacts facebook too and generate the personalized response for the HTTP GET Request.

      My questions are:

      1. Is it really enough to pass this facebookAuthentication token for each REST API call, to make the server retrieve the correct associated facebook user?
      2. I use HTTPS, so I guess, the connection is encrypted enough, right?
      3. I guess I need some signature mechanism so sign each REST API call (over HTTPS) to ensure that the facebookAuthentication token has been sent only from my mobile App. I would do that by using RSA with SHA-1 to sign any REST API call. But the problem with this approach is: that the client need to stores the private key somewhere in the App (for signing requests) and the server knows the public key (for signature matching). Is this correct? If yes, I guess its a big security issue, since a mobile app (especially android) could be decompiled to get the private key. How do I store this private key securely in my app? Is there another system for signing that you can recommend?

      Bt: Do you know a good RSA lib for iOS and Android?

      解决方案

      1) Yes. It's enough. If your client (mobile app) has a token, it proves that a user authenticated to Facebook. So, you authenticated a user this way. However, it's not enough to authenticate a mobile app (about this, I will talk in #3).

      2) Yes. It's encrypted both ways.

      3) That's tough one. It's called remote attestation. There are A LOT of problems with this.

      Before you go into this direction, you need to ask yourself two questions

      • Who are you protecting against?

      • How much am I willing to invest?

      If you are protecting yourself against a student with very limited knowledge, who may write another mobile app which will use your server then you are fine with a signature.

      If you are protecting against just a little bit more sophisticated software engineer (who can reverse engineer your application) - it won't be enough. This engineer can extract a private key from your application and use it to sign requests in his application.

      You can read about remote attestation here and here.

      Solutions which can protect you from simple reverse engineering are quite complex.

      P.S. Regarding RSA library.

      Look at this for Android:

      Asymmetric Crypto on Android

      And this for iOS

      RSA Encryption using public key

      这篇关于为我的服务器提供安全的Facebook验证的文章就介绍到这了,希望我们推荐的答案对大家有所帮助,也希望大家多多支持IT屋!

查看全文
相关文章
移动开发最新文章
热门教程
热门工具
登录 关闭
扫码关注1秒登录
发送“验证码”获取 | 15天全站免登陆