如何处理 oauth 提供者的用户会话?
我基于 Jersey 最终确定了我的 OAuth 1.0a 提供程序,但我面临着一个小问题,我不知道如何处理
在 OAuth 舞蹈期间,用户必须使用他的凭据(登录名/密码)进行身份验证
通过我的实现,目前,他每次都必须进行身份验证
在授权步骤期间,发送到 Web 服务的唯一令牌是与消费者相关的请求令牌
Jersey 不管理会话
如果用户已经是,我怎样才能避免要求身份验证认证?
谢谢
I finalize my OAuth 1.0a provider based on Jersey but I'm facing a small issue I don't know how to deal with
During the OAuth dance, the user has to authenticate with his credentials (login/password)
With my implementation, for the moment, he has to authenticate every time
During the authorization step, the only token which is sent to the web service is the request token related to the consumer
Jersey doesn't manage session
How can I avoid to ask authentication if the user is already authenticate?
Thanks
如果你对这篇内容有疑问,欢迎到本站社区发帖提问 参与讨论,获取更多帮助,或者扫码二维码加入 Web 技术交流群。
绑定邮箱获取回复消息
由于您还没有绑定你的真实邮箱,如果其他用户或者作者回复了您的评论,将不能在第一时间通知您!
发布评论
评论(2)
使用 oAuth 提供程序的客户端应用程序应维护会话中的状态。至少它必须保留访问令牌,因为访问用户的数据需要它。有效访问令牌的存在可以用作用户已通过身份验证的指示符。
The client application which uses your oAuth provider should maintain state in the session. As a minimum it has to keep the access token as that will be needed to access the user's data. The presence of a valid access token could be used as an indicator that the user is authenticated.
似乎当用户第一次对 Web 服务进行身份验证时,Web 服务应该提供一个登录 cookie,每次用户想要授权新客户端时都会验证该登录 cookie,
您可以评估此方法吗?
现在我需要找到如何用球衣处理饼干......
it seems that when the user first authenticates to the web service, the web service should provide a login cookie which is validated each time the user wants to authorize a new client
could you assess this method?
now I need to find how handle cookie with jersey...