Authenticating against a REST API with iOS client using Facebook SSO as the only login mechanism


Question


I'm planning to use Facebook as the only sign-on mechanism for an application that I'm building and need some feedback on the design. Here it goes -


User opens the app and is presented with a register screen. The facebook authorization flow starts and let's assume it succeeded and the user has successfully registered himself. Upon success, the app calls the Facebook graph API and gets the user's firstname, lastname, email, date of birth etc. With this data, the app then calls a web service method called RegisterUser(string Fullname, string FirstName, string LastName ...) which creates the user record in the database.


Now for subsequent calls to the API, I need to authenticate that the request is really coming in from my application (not necessarily a particular user). I've looked up the S3 REST API and it seems that with every request there's an HTTP header called Authorization that the client creates by appending a bunch of other HTTP headers like Date, Method, Request data, signing it with the client's private key and computing its base64 encoded value. This is verified on the server side to authenticate the client.


Now, I'm comfortable implementing all this, but a few questions:


  • If I have a private key, is it safe to ship it as part of the iOS app itself? Can someone extract the key from the iOS app binary? If so, how should I handle that?

  • What other changes would you make to this design?


Thanks,
Teja.

Recommended answer


Make sure you apply a one-way hashing algorithm to the value you base64 encode - base64 is a two-way encoding, so you don't want eavesdroppers reverse engineering your private key from that. Amazon S3 does this by performing a SHA-1 before doing the base64.


As with all (AFAIK?) compiled binaries, your app shouldn't be able to be decompiled.
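The signing scheme the question describes (an Authorization header built from the method, path, Date header and request body, keyed with a client secret, S3-style) and the answer's point about hashing before base64 are both illustrated by the following added example. It is not code from the question, the answer, or any Amazon SDK: it is a Python sketch of both the client and the server side, with a constructed secret, a constructed request and a fixed clock so it runs offline. The HMAC-SHA1 keyed hash stands in for the answer's "SHA-1 before base64" (the keyed variant is what actually prevents an eavesdropper from forging or recovering anything, because a bare hash of a secret-plus-request string can still be replayed); the server also checks the Date header against a small skew window so a captured signature cannot be replayed indefinitely, and compares signatures in constant time.

```python
import base64
import hashlib
import hmac
from datetime import datetime, timedelta, timezone

# Constructed example secret. Note the question's own concern still applies:
# anything compiled into the app binary is recoverable by whoever holds the
# binary, so a per-user token issued after the Facebook login is the usual
# replacement for a single app-wide secret.
APP_SECRET = b"constructed-example-secret-do-not-reuse"

# Fixed clock values so the example is deterministic (constructed).
FIXED_NOW = datetime(2012, 3, 1, 12, 0, 0, tzinfo=timezone.utc)
LATER = FIXED_NOW + timedelta(minutes=10)

HTTP_DATE = "%a, %d %b %Y %H:%M:%S GMT"
SCHEME = "HMAC-SHA1"


def canonical_string(method, path, date_header, body):
    """Join the request parts the signature covers, one per line.

    The body is represented by its SHA-256 hex digest so the canonical
    string stays small and binary-safe regardless of the payload."""
    body_hash = hashlib.sha256(body).hexdigest()
    return "\n".join([method.upper(), path, date_header, body_hash])


def sign_request(secret, method, path, date_header, body):
    """HMAC-SHA1 over the canonical string, then base64 (S3 v2 style).

    Only the keyed digest is base64 encoded, never the secret or the raw
    canonical string, so decoding the header reveals nothing reusable."""
    msg = canonical_string(method, path, date_header, body).encode("utf-8")
    mac = hmac.new(secret, msg, hashlib.sha1).digest()
    return base64.b64encode(mac).decode("ascii")


def build_headers(secret, method, path, body, now=None):
    """Client side: produce the Date and Authorization headers to send."""
    now = now or datetime.now(timezone.utc)
    date_header = now.strftime(HTTP_DATE)
    signature = sign_request(secret, method, path, date_header, body)
    return {"Date": date_header, "Authorization": f"{SCHEME} {signature}"}


def verify_request(secret, method, path, headers, body, now=None,
                   max_skew=timedelta(minutes=5)):
    """Server side: recompute the signature and compare in constant time.

    Returns False for a missing/malformed header, an unparsable or stale
    Date, or a signature mismatch (tampered body, wrong path, wrong key)."""
    now = now or datetime.now(timezone.utc)
    scheme, _, presented = headers.get("Authorization", "").partition(" ")
    if scheme != SCHEME or not presented:
        return False
    date_header = headers.get("Date")
    if not date_header:
        return False
    try:
        sent = datetime.strptime(date_header, HTTP_DATE).replace(tzinfo=timezone.utc)
    except ValueError:
        return False
    if abs(now - sent) > max_skew:
        return False  # outside the replay window
    expected = sign_request(secret, method, path, date_header, body)
    # compare_digest avoids leaking how many leading bytes matched.
    return hmac.compare_digest(expected, presented)


def demo():
    """Sign a constructed RegisterUser call and run the server-side checks."""
    body = b'{"FirstName": "Teja", "LastName": "Example"}'
    path = "/api/RegisterUser"
    headers = build_headers(APP_SECRET, "POST", path, body, now=FIXED_NOW)
    return {
        "headers": headers,
        "valid": verify_request(APP_SECRET, "POST", path, headers, body, now=FIXED_NOW),
        "tampered_body": verify_request(APP_SECRET, "POST", path, headers, b"{}", now=FIXED_NOW),
        "replayed_later": verify_request(APP_SECRET, "POST", path, headers, body, now=LATER),
        "wrong_key": verify_request(b"other-key", "POST", path, headers, body, now=FIXED_NOW),
    }


if __name__ == "__main__":
    for name, value in demo().items():
        print(f"{name}: {value}")
```

The design choice worth noting is that the secret never leaves the client and never appears in the header in any encoded form; only a 20-byte keyed digest does, so base64-decoding the Authorization value gives an attacker nothing to work with. The Date check is what turns a sniffed header from a permanent credential into a five-minute one.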
