使用 Facebook OAuth 保护 REST API
我正在构建一个应用程序/API,允许用户使用 Facebook、Twitter 或 Google 登录。我想知道允许这些用户使用同一帐户登录 API 的最佳实践是什么。
- 我的一些想法是将标头中的身份验证令牌/cookie 传递给每个请求的 API,并使用它在后端进行身份验证。
- 运行我自己的 OAuth 设置,让用户通过后端进行一次身份验证,以获取我的 OAuth 令牌并从那时起使用这些令牌。
I am building a app/API that allows user to login with Facebook, Twitter or Google. I am wondering what are the best practices in allowing those user to use the same account to login to the API.
- A couple Ideas that I have had is pass the auth token/cookie in a header to the API for every request and use that to authenticate on the backend.
- Run my own OAuth setup and make the user authenticate once with the back end to get my OAuth token and use those from then on.
如果你对这篇内容有疑问,欢迎到本站社区发帖提问 参与讨论,获取更多帮助,或者扫码二维码加入 Web 技术交流群。
绑定邮箱获取回复消息
由于您还没有绑定你的真实邮箱,如果其他用户或者作者回复了您的评论,将不能在第一时间通知您!
发布评论
评论(2)
我正在做同样的事情,我的解决方案是匹配您从这些各自的 API 获得的电子邮件地址。
对于 Facebook,您需要获得最终用户的特殊许可才能在其中注册电子邮件地址。您可以通过将
&scope=email
添加到第一个 oauth 请求来实现此目的。缺点是您需要从最终用户那里获得此许可,他们可能会拒绝。另一个缺点是用户需要对 Google、Facebook 和 Twitter 使用相同的电子邮件地址。
一个优点是用户记录会自动合并,因此如果用户第一次通过 Google 登录,第二次通过 Facebook 登录,则可以直接访问所有数据。
另一种方法是手动合并他们的数据,让他们在已经通过 Facebook 登录的情况下登录 Google。然后您可以断定他们是同一用户,即使他们使用不同的电子邮件地址。但这是一种更乏味的方法,因为您仍然需要合并两个帐户中应用程序的用户数据。
I am doing the same thing and my solution is to match the email addresses that you get from these respective APIs.
For Facebook, you need special permission from the end user to get the email address registered there. You do this by adding
&scope=email
to the first oauth request.A disadvantage is that you need to get this permission from the end user and they may decline. Another disadvantage is that users need to use the same email addresses for Google, Facebook and Twitter.
An advantage is that user records are merged automatically, so users can directly access all their data if they logged in the first time through Google, and the second time through Facebook.
Another approach would be to manually merge their data by making them log in to Google when they are already logged in through Facebook. Then you can conclude that they are the same user, even when they use different email addresses for both. But this is a more tedious approach, as you still need to merge the app's user data from both accounts.
你的第一个解决方案正是我的做法。由于我的所有其余服务都是无状态的,因此访问令牌位于标头中,并由 Spring Security 身份验证过滤器对每个请求进行解析。我使用带有 spring-security-oauth 插件的 grails 服务器。我们还运营一个网站,允许使用会话 cookie 进行基于浏览器的访问。
Your first solution is exactly the way I do it. As all my rest services are stateless, the access token goes in the header and is parsed by spring security authentication filters on every request. I use a grails sever with the spring-security-oauth plugin. We also run a website which allows for using session cookies for browser based access.