AppEngine和非AppEngine子域上的OpenID身份验证 [英] OpenID authentication on AppEngine and non-AppEngine subdomains
问题描述
其上的Ajax应用程序允许用户处理先前上传的数据。要做到这一点,它应该使用在其他子域上运行的web服务,如 service.example.com 。 Web服务并不是在AppEngine上运行,而是在我们的服务上运行,它的CPU很重,并且建立在其他技术上。它需要下载主应用程序上的数据 - 但下载服务 - 就像主应用程序上的所有内容 - 位于身份验证墙后面。
我可以通过编程永远允许服务来下载它希望的wharever,但我认为这可能会变成一个主要的安全问题。
如何重新使用OpenID身份验证令牌来允许它(服务)作为认证用户出现在主应用程序中,以便它可以下载数据?或者如果我可以做到这一点,那么完成我打算做的事情的最佳方式是什么? 你不能真的重用认证令牌。你应该使用的东西类似于OAuth,尽管由于你控制了两端,你可以使它变得更简单一些:
- 生成一个共享密钥,可由main.example.com和service.example.com访问
- 当用户首次访问service.example.com(无身份验证cookie)时,将其重定向到main.example .com / auth?continue = original_url(其中original_url是他们尝试访问的URL)
- 当您收到main.example.com/auth请求时,首先将用户登录到定期的方式(如果他们还没有)。然后,获取他们的用户ID或其他相关凭据,并从他们那里生成一个 HMAC ,使用您在步骤1中建立共享密钥。将用户重定向到service.example.com/finish_auth,传递计算出的HMAC,身份验证详细信息(如用户标识)以及您传递的任何参数(如continue URL)。
- 当您收到对service.example.com/finish_auth的请求时,请按上述计算HMAC,并检查它是否与传入的匹配。如果是这样,你知道这个请求是合法的。在service.example.com上设置一个包含任何相关详细信息的身份验证cookie,并将用户重定向到其原始URL。
复杂,但实施起来相当简单。这是在相互信任的系统之间传递证书的标准方式,与许多SSO系统使用的方式不同。
I have a main website running on AppEngine. It's on a subdomain like main.example.com. This main application is a content portal for our customers. It offers an Ajax application built on YUI. Customers can upload data to it. Users authenticate using Federated Login.
The Ajax application on it allows users to process the data previously uploaded. To do it it should use an webservice running on other subdomain like service.example.com. The webservice does not run on AppEngine but on our services - it's CPU heavy and built on other set of technologies. It would need to download the data on main application - but the downloading service - like everything on the main application - is behind the authentication wall.
I could programatically always allow the service to download wharever it wishes but I think this can turn into a major security problem.
How can I reuse the OpenID authentication "token" to allow it (the service) to appears to the main application as the authenticated user so it can download data? Or If I can do this what would be the best way to accomplish what I intend to do?
You can't really reuse the authentication token. What you should use is something akin to OAuth, though since you control both ends you can make it somewhat simpler:
- Generate a shared secret, accessible by both main.example.com and service.example.com
- When a user accesses service.example.com for the first time (no authentication cookie), redirect them to main.example.com/auth?continue=original_url (where original_url is the URL they attempted to access)
- When you receive a request to main.example.com/auth, first log the user in the regular way (if they're not already). Then, take their user ID or other relevant credentials, and generate an HMAC from them, using the shared secret you established in step 1. Redirect the user to service.example.com/finish_auth, passing the computed HMAC, the authentication details such as user ID, and any parameters you were passed in such as the continue URL.
- When you receive a request to service.example.com/finish_auth, compute the HMAC as above, and check it matches the passed in one. If it does, you know the request is a legitimate one. Set an authentication cookie on service.example.com containing any relevant details, and redirect the user back to their original URL.
This sounds complicated, but it's fairly straightforward in implementation. This is a standard way to 'pass' credentials between mutually trusting systems, and it's not unlike what a lot of SSO systems use.
这篇关于AppEngine和非AppEngine子域上的OpenID身份验证的文章就介绍到这了,希望我们推荐的答案对大家有所帮助,也希望大家多多支持IT屋!
