与OAuth2鉴定为一个应用程序*和*网站 [英] Authenticating with OAuth2 for an app *and* a website

问题描述

我正在开发一个通过一个应用程序，主要是访问一个网站，我想使用OAuth2进行用户注册和认证。因为它是一个Android应用程序，我将开始使用谷歌的OAuth2的东西，因为它提供了在Android上一个体面的用户界面。

I'm developing a website that is primarily accessed via an app, and I want to use OAuth2 for user registration and authentication. Since it is an Android app I will start using Google's OAuth2 stuff, since it provides a decent UI on Android.

谷歌指出，你可以选择使用谷歌的认证系统，以此来为您的应用外包用户身份验证。这样也可以不再需要创建，维护，并确保用户名和密码存储区。这是我想做的事情。 然而的，当我经过他们所有的例子和诸如此类的东西，我只能找到的东西大约有一个网站的或的一个应用程序验证对谷歌的服务用户。

Google states that "You can choose to use Google's authentication system as a way to outsource user authentication for your application. This can remove the need to create, maintain, and secure a username and password store." which is what I want to do. However when I go through all their examples and whatnot, I can only find stuff about having a website or an app authenticate a user against Google's services.

事实上，当我去登记自己的应用程序（客户）与谷歌的OAuth2有对网站的客户端选项和安装客户端（即手机应用程序），但不能同时使用。我可以创建两个单独的客户端，但我读了OAuth2草案，我认为会有一个问题，我现在会解释。

And indeed, when I go to register my app ("client") with Google's OAuth2 there are options for website clients and "installed" clients (i.e. a mobile app) but not both. I can create two separate clients but I read the OAuth2 draft and I think there will be a problem, which I will now explain.

下面是我怎么也想象它的工作：

Here's how I did envisage it working:

1. 在用户要求的MyApp来访问自己的私人数据。
2. 在应用程序使用Android的的AccountManager 类要求谷歌的API的访问令牌。
3. Android的说，用户的应用程序MyApp的要访问您的谷歌基本信息。这是正确的？
4. 用户回答是肯定的。
5. 的AccountManager 连接到使用存储在手机上的凭据谷歌的OAuth2服务器，并要求访问令牌。
6. 在访问令牌（它遵循的绿线）被返回。
7. 的AccountManager 返回访问令牌MyApp的。
8. MyApp的发送请求到的MySite为用户的私人数据，包括访问令牌。
9. MySite的需要验证的用户，使用访问令牌。它会验证令牌描述这里，与谷歌 - 谷歌，是这个道理有效吗？<。 / LI>
10. 现在，我的需要的发生的是，谷歌说是的，谁给了你确实是该用户。，但我认为会真正发生（基于OAuth2草案谷歌的文档）是，它会说不行！那令牌仅适用于MyApp的，而你mysite的。GTFO！。

1. User asks MyApp to access his private data.
2. App uses Android's AccountManager class to request an access token for Google's APIs.
3. Android says to user "The app 'MyApp' wants access to your Basic Information on Google. Is this ok?"
4. User says yes.
5. AccountManager connects to Google's OAuth2 server using the credentials stored on the phone, and asks for an access token.
6. Access token (which follows the green lines) is returned.
7. AccountManager returns the access token to MyApp.
8. MyApp sends a request to MySite for the user's private data, including the access token.
9. MySite needs to verify the user, using the access token. It validates the token as described here, with Google - "Google, is this token valid?".
10. Now, what I want to happen is that Google says "Yes, whoever gave it to you is indeed that user.", but what I think will actually happen (based on the OAuth2 draft and Google's documentation) is that it will say "No way! That token is only valid for MyApp, and you're MySite. GTFO!".

所以，我应该怎么办呢？请不要说使用OpenID的或不使用OAuth2或其他类似的无用的答案。哦，我真的想继续使用漂亮的的AccountManager 的用户界面，而不是糟糕的弹出的WebView 取值

So how should I do this? And PLEASE don't say "Use OpenID" or "Don't use OAuth2" or other similarly unhelpful answers. Oh and I would really like to keep using the nice AccountManager UI rather than crappy popup WebViews

（我会报到，如果它的工作原理！）从尼古拉临时的答案是应该的实际工作，而谷歌的服务器不会关心那里的访问令牌是从哪里来的。似乎有点不安全给我，但我会看它是否有效！

Provisional answer (I will report back if it works!) from Nikolay is that it should actually work, and Google's servers won't care where the access token came from. Seems a bit insecure to me, but I will see if it works!

我实现了这个模式与Facebook，而不是谷歌和它完全适用。该OAuth2服务器并不关心访问令牌来的。至少Facebook的没有，所以我认为谷歌的确实没有。

I implemented this pattern with Facebook instead of Google and it totally works. The OAuth2 server doesn't care where the access token comes from. At least Facebook's doesn't, so I assume Google's doesn't either.

在光的，这是一个非常非常糟糕的主意来存储访问令牌！但是，我们也不希望有打的Facebook /谷歌的服务器检查身份验证的每次的，因为它要求将放缓都记录下来。也许最好的办法是添加你的手出来时，他们的访问令牌验证的额外验证cookie为您的网站，而是一个更简单的方法就是要像对待密码的访问令牌并存储它的哈希值。你不需要盐，要么因为访问令牌是真的很长。因此，上述成为像步骤：

In light of that it is a very very bad idea to store access tokens! But we also don't want to have to hit Facebook/Google's servers to check authentication for every request since it will slow everything down. Probably the best thing is to add an additional authentication cookie for your site that you hand out when their access token is validated, but a simpler way is just to treat the access token like a password and store a hash of it. You don't need to salt it either since access tokens are really really long. So the steps above become something like:

9。 MySite的需要验证用户，使用访问令牌。首先，它会检查哈希有效的访问令牌的缓存。如果令牌的哈希是发现有它知道用户通过验证。否则，它与谷歌检查这里的描述，与谷歌 - 谷歌，是这个道理有效吗？。

9. MySite needs to verify the user, using the access token. First it checks its cache of hashed valid access tokens. If the hash of the token is found there it knows the user is authenticated. Otherwise it checks with Google as described here, with Google - "Google, is this token valid?".

10。如果谷歌表示，访问令牌是无效的，我们告诉给GTFO用户。否则，谷歌表示，是的，这是一个有效的用户，我们再检查我们的注册用户数据库。如果找不到，谷歌的用户名（或者如果使用商标标识），我们可以创建一个新用户。然后，我们缓存访问令牌的散列值。

10. If Google says the access token is invalid, we tell the user to GTFO. Otherwise Google says "Yes that is a valid user" and we then check our registered user database. If that Google username (or Facebook id if using Facebook) is not found we can create a new user. Then we cache the hashed value of the access token.

推荐答案

您可能需要OpenID的连接，它使用OAuth的令牌进行身份验证。至于的AccountManager ，目前OAuth的支持是一个有点哈克，新的谷歌播放服务，设置为释放'很快'应该有希望加以改善。在这里看到一个演示。

You probably need OpenID Connect, which uses OAuth tokens for authentication. As for AccountManager, the current OAuth support is a bit hacky, the new Google Play Services, set to be released 'soon' should hopefully make this better. See here for a demo.

这篇关于与OAuth2鉴定为一个应用程序*和*网站的文章就介绍到这了，希望我们推荐的答案对大家有所帮助，也希望大家多多支持IT屋！