当前位置: 文江博客话题详情

存储 OpenID 端点、OP-本地标识符和领域?

发布于 2024-12-02 17:23:10 字数 1212 浏览 1 评论 0原文

我将创建一个数据库表来存储 OpenID 登录信息。除了声明标识符之外,我想我还会包含以下三列:

你存储这些字段吗?

您认为存储这些字段合理吗?,原因如下:

  • OpenID 端点:这样您就知道哪个 OpenID 提供商对用户进行了身份验证。也许将来您会发现某个提供商不太值得信赖,然后我认为最好知道 someuser.example.com 是否经过该提供商的身份验证。

  • OP 本地标识符:我认为它可以让我跟踪用户,即使她更改了用户提供的标识符。 (例如,如果她的用户提供的标识符是 example.com/username,但她将其更改为 Somethingelse.com/username,那么我认为 OP-Local 标识符将保持不变(假设用户继续使用相同的 OpenID 提供程序) .

  • 。我正在构建一个多租户 Web 应用程序,如果我存储领域,就可以更容易地知道两个看似不同的 OpenID 标识符是否可能代表同一个人 (Google 使用定向身份:您声明的 ID 因领域而异,所以是一样的。用户可以有许多不同的声明 ID。)

  • 版本:如果将来出现某些安全问题,使用某些 OpenID 版本,那么最好知道哪些用户可能会受到影响。

  • 领域和端点,用于统计收集目的。

(您能想到我应该存储的其他一些与 OpenID 相关的值吗?例如,我想识别提供商。为此,存储端点就足够了?我不需要存储提供商的名称?)

原文

I'm about to create a datatbase table to store OpenID logins. I think I will include these three columns, in addition to the Claimed Identifier:

Do you store these fields?

Do you think it's reasonable to store these fields?, for the following reasons:

  • The OpenID endpoint: So you know which OpenID Provider authenticated the user. Perhaps in the future you'll find out that one provider is not so very trustworthy, and then I think it's good to know if someuser.example.com was authenticated by that provider.

  • The OP-Local Identifier: I think it allows me to keep track of the user, even if she changes her User-Supplied Identifier. (For example, if her User-Supplied Identifier is example.com/username, but she changes it to somewhereelse.com/username, then I think the OP-Local Identifier will remain unchanged (assuming the user continues using the same OpenID Provider).

  • The realm: I'm building a multitenant webapp, and if I store the realm, it'll be easier to know if two seemingly different OpenID identifiers might represent the same person. (Google uses directed identities: your Claimed ID varies by realm. So the same user can have many different Claimed IDs.)

  • The version: In case some security issue appears in the future, with some OpenID version, then it might be good to know which users might be affected.

  • The realm and endpoint, for statistics gathering purposes.

(Can you think of some other OpenID related value I ought to store? For example, I want to identify provider. To do this, it suffice to store the endpoint? I don't need to store the provider's name?)

如果你对这篇内容有疑问,欢迎到本站社区发帖提问 参与讨论,获取更多帮助,或者扫码二维码加入 Web 技术交流群。

扫码二维码加入Web技术交流群

发布评论

需要 登录 才能够评论, 你可以免费 注册 一个本站的账号。

评论(1

四叶草在未来唯美盛开 2024-12-09 17:23:10
  • OpenID 端点:值得信赖吗?提供商如何值得信赖(或不值得信赖)?它不会断言任何关于它不拥有的数据的信息,因此它不可能撒谎。它的行为是否如您所期望的那样是另一回事。此外,出于某种原因,提供者可能为每个用户拥有不同的端点(例如,/server-username)。
  • OP-本地标识符:你不应该(因为规范是这么说的),但是,是的,在极少数情况下,它会成功。然而,改变您的提供者比改变您的身份更常见。如果您确实想更改身份,更改提供商(或注册不同的帐户)并不难。一种有用的情况是当用户丢失承载所声称身份的域名时。然而,提供商更有可能停止提供其服务,您也需要为此做好准备(例如,通过为单个用户存储多个 ID,如 SO)。如果您做好了准备,那么另一种机制可以解决唯一可以提供帮助的情况。
  • The Realm:我不知道这对你有什么帮助。从 Google 中,您可以获得两个完全独立的标识符,不可能将它们关联起来,除非您需要电子邮件地址(那么为什么需要该领域呢?)。
  • 版本:不太可能,并且版本可能会随着新请求而更改(因为提供程序可能会更新)。然而,如果您确实想知道哪些用户可能会受到影响,并希望他们通过在您的网站上阅读相关内容来获得任何信息,那么是的,它可能会很有用。

您说过您想要识别提供者。但是,正如我上面提到的,如果提供商采取措施避免这种情况,则不可能这样做。例如,您可以存储它的域名,但这并不完美,因为同一域下可能有其他提供商(例如,几个人在共享主机上托管自己的提供商)。

总之,我的观点是,出于上述原因,存储这些是一个坏主意。

  • The OpenID endpoint: Trustworthy? How is a provider trustworthy (or not)? It isn't asserting anything about the data it doesn't own, so it can't possibly lie. Whether it behaves as you expect it to is another thing whatsoever. Besides, a provider could, for some reason, have different endpoints for each user (for example, /server-username).
  • The OP-Local Identifier: You shouldn't (because the specification says so), but yes, in a very small number of cases, it would be successful. However, it is much more often to change your provider than to change your identity. And if you really want to change your identity, changing the provider (or registering a different account) isn't that hard. One case where it would help would be when the user would lose the domain name that hosts the claimed identity. However, it is much more likely for the provider to stop offering it's services, and you also need to prepare for that (for example, by offering to store multiple IDs for a single user, like SO). And if you're prepared for it, the single case where it would help is covered by another mechanism.
  • The realm: I don't see how would that help you. From Google, you get two completely separate identifiers, with no possibility to correlate them, unless you require an email address (and why would you need the realm, then?).
  • The version: Unlikely, and the version may change with the new request (because a provider might update). Nevertheless, if you really want to know which of your users might be affected, and somehow expect them to gain anything by reading about that on your website, then yes, it could be useful.

You've said that you want to identify the provider. However, as I've mentioned above, it's not possible to do so if the provider takes steps to avoid that. You could, for example, store it's domain name, but that's not perfect, since there might be other providers under the same domain (for example, several people hosting their own providers on a shared hosting).

In summary, my opinion is that storing these is a bad idea, for reasons stated above.

回复 原文
~没有更多了~

关于作者

樱花坊

暂无简介

0 文章
0 评论
25 人气
发私信

相关话题

更多

热门标签

操作系统 程序设计 IT运维 Linux系统管理 JavaScript 服务器应用 solaris C/C++ PHP Shell BSD Vue.js aix Oracle Python HTML 系统管理 HTML5 CSS 前端
更多

推荐作者

胡图图

文章 0 评论 0

zt006

文章 0 评论 0

z祗昰~

文章 0 评论 0

冰葑

文章 0 评论 0

野の

文章 0 评论 0

天空

文章 0 评论 0

更多

友情链接

文江博客
    我们使用 Cookies 和其他技术来定制您的体验包括您的登录状态等。通过阅读我们的 隐私政策 了解更多相关信息。 单击 接受 或继续使用网站,即表示您同意使用 Cookies 和您的相关数据。
    原文