在两个站点之间安全地传递用户

发布于 2024-11-05 04:49:00 字数 930 浏览 2 评论 0原文

我有我的网站“A”。我将与网站“B”签订一份业务合同,以便当用户在“B”上执行许多与“A”相关的操作之一时,网站“B”(将有许多此类网站)的用户可以将其用户重定向到我的网站。我可以强制直接或通过“B”用户的浏览器将任何信息从“B”传递到“A”,但我(即站点 A)需要验证它们确实来自“B”并自动记录它们进入站点“A”。

知道 OAuth 在这方面做得很好 - 但仅限于“用户”级别。这里发生的是站点 A 和站点 B 之间的业务合同 - 并且无需为“B”的每个用户进行整个 OAuth 跳圈带来不便...

另请注意,站点“B”用户将被呈现他们需要点击一个表格才能将这些操作传输到我的网站“A”。无论传送给“B”用户的是什么秘密/身份验证数据(如果有),他们都可以看到(并篡改)。我的网站“A”必须防止这种情况发生。

这很接近:在网站之间安全地传输用户

此处列出的选项:

  1. 在两端通过 HTTPS 编写 Web 服务调用,以检索用户详细信息,并且仅适用于特定的登录对。
  2. 看一下“传递身份验证”,它是一个允许用户身份从一个系统传递到另一个系统的概念。
  3. 我现在能想到的最好的办法就是传递用户 ID 的哈希值,或者如果这让您担心的话,传递一些其他用户数据的哈希值。
  4. 站点 B 可以拥有允许站点 A 为用户创建会话的 Web 服务。

但我想知道自从一年半前问这个问题以来,人们是否有不同的看法。

我的问题:

  1. 我应该如何实施?
  2. 任何现成的 php 实现可以实现这一点吗?

[我已经实现了类似的东西,结果证明这是一个有缺陷的机制,所以我很好奇正确的机制是什么。]

I have my site 'A'. I will have a business contract with site 'B' to enable users of site 'B' (there will be many such sites) to redirect their users to my site when the users do one of many 'A' related actions on 'B'. I can mandate passing of whatever information from 'B' to 'A' directly or through the browser of the user of 'B', but I (ie site A) NEED to validate that they indeed came from 'B' and automatically log them in into site 'A'.

I KNOW that OAuth does this well - but ONLY at the "user" level. What's happening here is a business contract between site A and site B - and there is no need of inconveniencing every user of 'B' to do the whole OAuth hoop-jumping...

Please also note that site 'B' users will be presented with a FORM that they need to click on for those actions to be transmitted to my site 'A'. Whatever secret / authentication data (if any) is being communicated to the 'B' user can be seen (and tampered) by them. My site 'A' has to protect against that.

This is close: Securely Transferring Users Between Web Sites .

Options listed there:

  1. Write a web-service call over HTTPS, at both ends, to retrieve the users details, and that only works for a specific login-pair.
  2. Take a look at "Pass-through Authentication," its a concept that allows a user's identity to be passed from one system to another.
  3. The best thing I can think of right now is passing a HASH of the user ID, or if that makes you worry, the hash of some other user data.
  4. Site B could have a web-service that allows Site A to create a session for the user.

But I'm wondering if ppl have different opinions since the Q was asked a year and a half back.

My questions:

  1. How should i implement this?
  2. Any readymade php implementations which enable this?

[I've already implemented something like this which turned out to be a flawed mechanism, so I'm curious what the correct mechanism would be.]

如果你对这篇内容有疑问,欢迎到本站社区发帖提问 参与讨论,获取更多帮助,或者扫码二维码加入 Web 技术交流群。

扫码二维码加入Web技术交流群

发布评论

需要 登录 才能够评论, 你可以免费 注册 一个本站的账号。

评论(2

无声情话 2024-11-12 04:49:00

这些网站(即银行与博客)的安全级别是什么?对于非常简单的情况,站点 B 可以缓存 FORM 数据 CHECKSUM。当用户重定向到 A 时,A 可以直接向 B 查询校验和并验证数据。可以在站点之间设置基于 IP 或基于密钥的身份验证以增强安全性。

如果您需要更高的安全性,也许 OAuth 仍然是最佳选择。请记住,用户已登录到 B,因此他们无需输入任何内容。他们提交的表单实际上可以同时设置 OAuth,这样当用户重定向到 A 时,A 实际上获得了 Token,然后可以通过 OAuth 从 B 检索数据(从而验证数据来自 B)。

除了已经提到的 Shibboleth 之外,还有一个兼容的标准SAML 2.0 您可能会感兴趣,并且这两个协议的 PHP 实现非常好 SimpleSAMLphp 作为现成的 Web 服务以及用于自定义应用程序的库提供。设置这样一个 SSO 联盟的学习曲线并不太陡,而且 SimpleSAMLphp 的文档也非常完善。

但由于这样的 SSO 需要所有 B 都使用 SAML/Shibboleth,并在各方之间建立和维护联合元数据,因此 OAuth 可能仍然是您更好的选择。

What is the security level of these sites (i.e banking vs blogs)? For really simple cases the site B can cache the FORM data CHECKSUM. And when user is redirected to A, then A can query B directly for the checksum and validate the data. IP or key-based authentication between the sites can be set up for added security.

If you require more security, perhaps OAuth is still the best option. Keep in mind that the users are already logged in to B, so that they will not need to enter anything. And the form they submit, could actually set up OAuth at the same time, so that when user is redirected to A, A actually gets the Token and then can retrieve data from B over OAuth (thus validating that data came from B).

In addition to already mentioned Shibboleth, there is a compatible standard SAML 2.0 which might interest you and a very good PHP implementation of both of these protocols SimpleSAMLphp which comes as ready made web service as well as libraries to be used for custom applications. Learning curve of setting up such a SSO federation was not too steep and the SimpleSAMLphp is pretty well docmented.

But as such an SSO requires SAML/Shibboleth by all of the B-s and setting up and maintaining the federation metadata between the parties, OAuth might still be better choice for you.

跨年 2024-11-12 04:49:00

您可以使用单点登录系统,例如 Shibboleth

Shibboleth 系统是一个基于标准的开源软件包,用于跨组织边界或组织边界内的 Web 单点登录。它允许网站以保护隐私的方式为个人访问受保护的在线资源做出明智的授权决策。

如果这对您来说太过分了,只需通过 HTTPS API 通过每个用户唯一的随机散列授予两个站点对彼此站点用户数据的访问权限,该随机散列只需在单击“按钮”时传递即可。

You could use a single-sign-on system like Shibboleth.

The Shibboleth System is a standards based, open source software package for web single sign-on across or within organizational boundaries. It allows sites to make informed authorization decisions for individual access of protected online resources in a privacy-preserving manner.

If that's overkill for you, simply grant both sites access to each other site's user data through a HTTPS API via a random hash unique for each user which is simply passed when clicking "the button".

~没有更多了~
我们使用 Cookies 和其他技术来定制您的体验包括您的登录状态等。通过阅读我们的 隐私政策 了解更多相关信息。 单击 接受 或继续使用网站,即表示您同意使用 Cookies 和您的相关数据。
原文