当前位置: 文江博客话题详情

确定 oauth 回调中的用户 ID

发布于 2024-10-09 20:07:20 字数 555 浏览 0 评论 0原文

OAuth 过程是:

  1. 对于 OAuth 身份验证,应用程序(又名 OAuth 客户端)将用户重定向到 authorize_url

  2. 这会将用户重定向到 oauth 服务器的 Web 服务器,用户在其中授予 Web 应用程序访问他/她的帐户

  3. OAuth 服务器将用户重定向到由 应用程序(又名 oauth 客户端)。此时,回调来自 OAuth 服务器,因此没有会​​话 ID 或会话哈希。应用程序如何确定正在为哪个用户调用 post-oauth 回调?

我认为它的工作方式是:

  1. 当您将用户重定向到 authorize_url 时,您会附加某些内容 查询字符串的参数 ?id=xxx

  2. 当OAuth服务器重定向到由 客户端,HTTP 消息的参数之一将是 参数附加到步骤 1 中的查询字符串。

但是,这似乎不适用于我尝试连接的 OAuth 服务器。

有什么建议吗?

原文

The OAuth process is:

  1. For OAuth authentication, the app (a.k.a OAuth client) redirects the user to the
    authorize_url

  2. This redirects the user to oauth server's webserver, where the user grants the
    web app access to his/her account

  3. OAuth server redirects the user to the callback url provided by the
    application (a.k.a oauth client). At this point, the callback came from the OAuth server and hence does not have the session id or session hash. How is the application to determine which user the post-oauth callback is being called for?

I though the way this works is:

  1. When you redirect user to the authorize_url you append certain
    parameters to the query string ?id=xxx

  2. When the OAuth server redirects to the callback_url provided by the
    client, one of the parameters with the HTTP message will be the
    parameter appended to the query string in step 1.

However, this does not seem to work for the OAuth server I am trying to hook into.

Any suggestions?

如果你对这篇内容有疑问,欢迎到本站社区发帖提问 参与讨论,获取更多帮助,或者扫码二维码加入 Web 技术交流群。

扫码二维码加入Web技术交流群

发布评论

需要 登录 才能够评论, 你可以免费 注册 一个本站的账号。

评论(4

栀梦 2024-10-16 20:07:20

用户验证您的请求令牌(通过输入用户名和密码)后,您应该收到发回的 oauth_token 和 oauth_verifier 参数,并将其附加到回调中。

如果这有效,但您在回调中指定的其他参数未包含在回调中,则可能是提供商简单地忽略您在请求令牌步骤中发送的 oauth_callback。

如果是这种情况,提供者将引用预定义的回调,通常是您在获取消费者密钥和秘密时指定的回调。

OAuth 提供者可以忽略授权流程中发送的回调(签名目的除外)。一些提供商这样做是为了增加额外的安全层。

After the user has verified your request token (by entering username and password) you should get the oauth_token and oauth_verifier parameters sent back, appended to the callback.

If this works, but other parameters you specified in the callback are NOT included in the callback, then it may be the case that the provider simply ignores the oauth_callback you are sending in the request token step.

If this is the case, the provider will refer to predefined callback, usually one that you specified when acquiring consumer key and secret.

OAuth providers are allowed to ignore callbacks sent during the authorization flow (except for signing purposes). Some providers do this to add an extra layer of security.

回复 原文
深府石板幽径 2024-10-16 20:07:20

您可以为此使用状态参数,身份验证服务器也必须仅基于访问令牌提供用户详细信息服务。

You can use state parameter for that, also the auth server have to provide user details service based on only access token.

回复 原文
泪冰清 2024-10-16 20:07:20

“这不起作用”是什么意思?

服务器没有发回查询部分?您必须对提供给 oauth 服务器的回调 URL 中的状态进行编码。这可以在查询或路径部分中完成。我看不出为什么这不起作用?

也许您假设您有一个可以自动扩展状态的通用回调?据了解,情况并非如此。

编辑

我重新阅读了 Google 实施中的文档:

You can specify a value for oauth_callback in an OAuthGetRequestToken request, 
to determine where Google redirects the user after they authorize your access 
request. The callback URL can include query parameters. The redirect will include 
the same query parameters, as well as the authorized request token, which your
application must be able to parse.

For example, when supporting multiple languages, you can include 
a query parameter that identifies the version of the application that a user is
viewing. An oauth_callback value of "http://www.yoursite.com/Retrievetoken?Lang=de"
would result in the redirect 
"http://www.yoursite.com/Retrievetoken?Lang=de&oauth_token=DQAADKEDE". 
Parsing the token and the language parameter ensures that the user is 
redirected back to the correct version of the site.

所以(与我上面的陈述相矛盾)OAuth 服务器主动将信息 (&oauth_token=kkk) 附加到您的 URL。该令牌应该与您从“OAuthGetRequestTOken”收到的结果相同。这对你不起作用吗?

据我现在的了解,服务器应该从字面上复制您在callback_url中的所有内容添加您从服务调用中收到的令牌

您是否有确切您的内容的日志OAuth 服务器调用?服务提供商是谁?我无法想象他会缺少这个功能......

What do you mean by "this does not work"?

The server does not send the query part back? You must encode the state in the callback url you provide to the oauth server. This can be done in the query or in the path part. I see no reason why this is not working?

Maybe you assume that you have a single, generic callback that gets expanded with state automatically? As far is a know this is not the case.

EDIT

I re-read the docs at Google's implementation:

You can specify a value for oauth_callback in an OAuthGetRequestToken request, 
to determine where Google redirects the user after they authorize your access 
request. The callback URL can include query parameters. The redirect will include 
the same query parameters, as well as the authorized request token, which your
application must be able to parse.

For example, when supporting multiple languages, you can include 
a query parameter that identifies the version of the application that a user is
viewing. An oauth_callback value of "http://www.yoursite.com/Retrievetoken?Lang=de"
would result in the redirect 
"http://www.yoursite.com/Retrievetoken?Lang=de&oauth_token=DQAADKEDE". 
Parsing the token and the language parameter ensures that the user is 
redirected back to the correct version of the site.

SO (in contradiction to my statement above) the OAuth server actively appends information (&oauth_token=kkk) to your URL. THe token should be the same you received as result from "OAuthGetRequestTOken". THis does not work for you?

As far as i understand now the server should literally copy everything you have in the callback_url and add the token you received from the service call

Do you have a log of what exactly your OAuth server calls? Who is the service provider? I can't imagine that he's missing this feature...

回复 原文
裂开嘴轻声笑有多痛 2024-10-16 20:07:20

我不明白您想要将 ID 从 OAuth 提供者发送到 OAuth 使用者的原因。您能多解释一下为什么需要这样做吗?

如果您有与您的用户关联的会话 cookie,您将知道哪个用户会返回给您(重定向后),因为您可以与他进行会话 - 他将通过浏览器重定向并返回您的 cookie。

即使 OAuthProvider 向您发送其内部用户 ID(我认为这是不必要的,而且不太可能),您将如何处理它 - 它不会与您的内部网站用户 ID 匹配,它与 OAuthProvider 的用户 ID 完全不同。提供商网站...或者也许我无法很好地回答您的问题...

致以诚挚的问候

I cannot see the reason that you'd like to send ID from OAuth Provider to OAuth Consumer. Can you explain a little bit more why you need to do this?

If you have session cookie associated with your users, you will know which user is coming back to you (after redirect), because you can have a session with him - he will be redirected through the browser and return your cookie.

Even if the OAuthProvider send you its internal user-id (which is unnecessary and very unlikely I think), what are you going to do with it - it will not match your internal web site user id, it's totally different user-id for the provider site... or maybe I cannot get your question very well....

Best regards

回复 原文
~没有更多了~

关于作者

栖迟

暂无简介

0 文章
0 评论
21 人气
发私信

相关话题

更多

热门标签

操作系统 程序设计 IT运维 Linux系统管理 JavaScript 服务器应用 solaris C/C++ PHP Shell BSD Vue.js aix Oracle Python HTML 系统管理 HTML5 CSS 前端
更多

推荐作者

花开柳相依

文章 0 评论 0

zyhello

文章 0 评论 0

故友

文章 0 评论 0

对风讲故事

文章 0 评论 0

Oo萌小芽oO

文章 0 评论 0

梦明

文章 0 评论 0

更多

友情链接

文江博客
    我们使用 Cookies 和其他技术来定制您的体验包括您的登录状态等。通过阅读我们的 隐私政策 了解更多相关信息。 单击 接受 或继续使用网站,即表示您同意使用 Cookies 和您的相关数据。
    原文