
Verify Gmail OAuth2 token and client spoof

I'm following THIS example in order to allow the user to log in with his Google account on a remote server.

Basically I get the access_token in the client and send it to my server. On the server I check the response of

https://www.googleapis.com/oauth2/v1/tokeninfo?access_token=XXXX

getting the email of the user and authenticating it on the server.

But I have a security question: what if a malicious developer creates an app that allows Gmail login, stores the users' access tokens and uses them to spoof their identity on my server? How can I avoid that? Is there some way to validate the signature of the application that obtained the access token?

The token info returned is like:

{
    "issued_to": "XXXXXXXXXXXXXX.apps.googleusercontent.com",
    "audience": "XXXXXXXXXX.apps.googleusercontent.com",
    "user_id": "15285874285447",
    "scope": "https://www.googleapis.com/auth/plus.me https://www.googleapis.com/auth/userinfo.email",
    "expires_in": 3562,
    "email": "user@mail.com",
    "verified_email": true,
    "access_type": "online"
}

So probably the fields issued_to or audience are important for that validation?

EDIT: I don't mean a man-in-the-middle attack. For example, imagine I create a game called VirusX that allows Gmail login. If no extra validation is made, I could save the access_tokens and use them to access other apps using Gmail login.

Using the Facebook API it is solved this way:

I know this doesn't really answer your question but I'd like to offer an alternate tutorial/example on how to log in using a Google Account. I would recommend that you take a look at this post regarding how to verify backend calls using the Google Play services and oAuth2. We implemented this a few weeks ago and it was dead easy. Using this technique there's no way anyone can spoof an access token.

The only way someone can spoof is by man-in-the-middle and DNS attacks. Unless you are expecting extreme breaches, don't even bother. It's too difficult to beat OAuth providers (identity management is their job!) if you follow simple security measures. As britzl said, follow the tutorial and your code is done.

The tokeninfo endpoint is most probably validating the token for you. As long as you are using HTTPS to communicate with it, you are probably safe. You can also unpack and parse the token yourself; there are libraries for this, but it's quite easy actually. See here for some details. You should really look at the verify backend calls link suggested above; it's more powerful and lets you verify not only the user, but that the request is coming from your own app (there are ways to fool it on a rooted device though).

For the edited question:

The token is signed, so you can validate it. If validation fails, the token has been tampered with and you should not trust it (the Google tokeninfo endpoint does that). It also has a validity time, so you can check if it is expired. Thus if someone gets access to a token and sends it to your service (replay), they can only use it for a limited time (typically 30-60 mins). If you use the backend validation technique, it also makes sure that the token comes from your app and not VirusX by validating your package name and signing certificate hash, which you have to register in advance. Do read how it works and use it instead of 'raw' profile tokens.

Generally, a bearer-type token is like a cookie: if you have it, there is no way to distinguish between the original owner and someone who stole it. The mitigating factor is that the token can be revoked and it has a limited validity time.
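Added example, not code from the question or from any of the answers: a server-side check over the tokeninfo JSON shown in the question, written in Python. It ties together the asker's hunch about `issued_to`/`audience` and the last answer's points about expiry and replay. The server is assumed to have already fetched the JSON over HTTPS; `MY_CLIENT_IDS`, `REQUIRED_SCOPES`, the sample token-info dict and the `error` field handling are constructed placeholders and assumptions. The check that matters for the VirusX scenario is the audience one: a token VirusX obtained was issued for VirusX's client ID, so even though it names the same user it is refused by a server that only accepts tokens issued for its own registered client IDs.

```python
import json
from urllib.parse import urlencode
from urllib.request import urlopen

TOKENINFO_URL = "https://www.googleapis.com/oauth2/v1/tokeninfo"

# Client IDs registered in *your own* Google API project (placeholder values,
# assumption for this example). A token whose audience is any other client ID
# was obtained by some other application and must not log anyone in here.
MY_CLIENT_IDS = {"XXXXXXXXXX.apps.googleusercontent.com"}

# Scopes the server needs before it trusts the email field (assumption).
REQUIRED_SCOPES = {"https://www.googleapis.com/auth/userinfo.email"}


def fetch_tokeninfo(access_token: str) -> dict:
    """Ask Google's tokeninfo endpoint about a bearer token (network call, HTTPS).

    Not exercised offline; shown so the full flow is visible.
    """
    with urlopen(TOKENINFO_URL + "?" + urlencode({"access_token": access_token})) as resp:
        return json.load(resp)


def check_tokeninfo(info: dict,
                    allowed_client_ids=MY_CLIENT_IDS,
                    required_scopes=REQUIRED_SCOPES,
                    min_seconds_left: int = 0):
    """Decide whether a tokeninfo response may authenticate a user.

    Returns (accepted, reason, email). Every rejection carries a reason so the
    server can log *why* a token was refused (useful when hunting for replay or
    tokens minted for foreign client IDs).
    """
    # Assumption: an invalid token yields an "error" field rather than user data.
    if "error" in info:
        return False, "endpoint reported error: %s" % info["error"], None

    # 1. Audience: the client ID the token was issued for must be ours.
    aud = info.get("audience")
    if aud not in allowed_client_ids:
        return False, "audience %r is not one of our registered client IDs" % (aud,), None

    # issued_to names the app that requested the token; when present it must be ours too.
    issued_to = info.get("issued_to")
    if issued_to is not None and issued_to not in allowed_client_ids:
        return False, "issued_to %r is not one of our registered client IDs" % (issued_to,), None

    # 2. Lifetime: an expired token (or one about to expire) is useless for replay
    #    protection only if we actually enforce it.
    try:
        expires_in = int(info.get("expires_in", 0))
    except (TypeError, ValueError):
        return False, "expires_in is not an integer", None
    if expires_in <= min_seconds_left:
        return False, "token expired or expires within %d s" % min_seconds_left, None

    # 3. Scopes: the user must have granted what we rely on.
    granted = set(info.get("scope", "").split())
    missing = required_scopes - granted
    if missing:
        return False, "missing scopes: %s" % ", ".join(sorted(missing)), None

    # 4. Identity: only trust an address Google has verified.
    if not info.get("verified_email"):
        return False, "email not verified by Google", None
    email = info.get("email")
    if not email:
        return False, "no email in token info", None

    return True, "ok", email


# Constructed sample, copied from the shape of the response in the question.
SAMPLE_TOKENINFO = {
    "issued_to": "XXXXXXXXXX.apps.googleusercontent.com",
    "audience": "XXXXXXXXXX.apps.googleusercontent.com",
    "user_id": "15285874285447",
    "scope": "https://www.googleapis.com/auth/plus.me https://www.googleapis.com/auth/userinfo.email",
    "expires_in": 3562,
    "email": "user@mail.com",
    "verified_email": True,
    "access_type": "online",
}

if __name__ == "__main__":
    print(check_tokeninfo(SAMPLE_TOKENINFO))
    # Same user, but the token was issued to another app's client ID (constructed).
    foreign = dict(SAMPLE_TOKENINFO, audience="virusx.apps.googleusercontent.com",
                   issued_to="virusx.apps.googleusercontent.com")
    print(check_tokeninfo(foreign))
    print(check_tokeninfo(dict(SAMPLE_TOKENINFO, expires_in=0)))
```

The order of checks is deliberate: audience first, because that is the one check that distinguishes "this user logged in to us" from "this user logged in to someone else"; the expiry and scope checks then bound how long and for what a leaked token can be replayed.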
