使用webapp2会话进行Google Cloud Endpoints身份验证
[英]Google Cloud Endpoints authentication using webapp2 sessions
问题描述
The client of my Google Cloud Endpoints API is an JavaScript (AngularJS) web application hosted on the same Google App Engine application as the Endpoints API itself. 
我的Google Cloud Endpoints API的客户端是一个JavaScript(AngularJS)Web应用程序,托管在与Endpoints API本身相同的Google App Engine应用程序上。 My users authenticate using webapp2 sessions (datastore). 我的用户使用webapp2会话 (数据存储区)进行身份验证。 They don't necessarily have a Google account. 他们不一定拥有Google帐户。 I want to be able to do a request to the Endpoints API like /api/users/me which would return the user data of the user who is currently logged in. 我希望能够像/api/users/me那样向Endpoints API发出请求,这将返回当前登录用户的用户数据。
First I thought I had to implement a OAuth2 provider for my App Engine application, and then let the AngularJS application request a OAuth2 access token from my own App Engine OAuth provider (instead of the OAuth provider of Google, like the built in authentication mechanism does). 首先,我认为我必须为我的App Engine应用程序实现OAuth2提供程序,然后让AngularJS应用程序从我自己的App Engine OAuth提供程序(而不是Google的OAuth提供程序)请求OAuth2访问令牌,就像内置的身份验证机制一样)。
However, this comment suggests not implementing my own OAuth2 provider but instead providing arbitrary parameters in my request (in a message field, or in a HTTP header) to the Endpoints API. 但是, 此评论建议不要实现我自己的OAuth2提供程序,而是在我的请求中(在消息字段中或在HTTP标头中)向Endpoints API提供任意参数。 I guess that parameter should be a user token (some encrypted value unique to the logged in user?). 我猜这个参数应该是一个用户令牌(登录用户特有的一些加密值?)。 That value should then be passed to the browser. 然后应将该值传递给浏览器。 Isn't that insecure? 那不安全吗? I would like not to serve my AngularJS application on HTTPS if possible (to save costs). 如果可能,我不想在HTTPS上提供我的AngularJS应用程序(以节省成本)。
Is this a good use case for OAuth2? 这是OAuth2的一个很好的用例吗? Or is OAuth2 only for granting third party applications access to user data? 或者OAuth2仅用于授予第三方应用程序访问用户数据的权限?
In case OAuth2 is not the way to go: how to pass a user token securily to the browser and prevent man-in-the-middle attacks? 如果OAuth2不是这样的话:如何将用户令牌安全地传递给浏览器并防止中间人攻击? Should the user token expire after a certain amount of time? 用户令牌是否应在一定时间后过期?
1 个解决方案
解决方案1
1 2014-08-21 22:35:19
I've just finished implementing exactly what you've described. 我刚刚完成了你所描述的内容。 Basically this method does the trick: 基本上这种方法可以解决问题:
def get_current_session(request_state):
cookies = werkzeug.http.parse_cookie(request_state.headers.get('Cookie'))
sess_cookie = cookies.get('mc_session')
parts = sess_cookie.split('|')
if len(parts) != 3:
logging.error('Cookie does not have 3 parts')
return False
signature = hmac.new(COOKIE_SECRET_KEY, digestmod=hashlib.sha1)
signature.update('|'.join(parts))
sig_hex = signature.hexdigest()
if compare_hashes(sig_hex, parts[2]):
logging.error('Cookie signature mismatch!')
return False
cookie_data = webapp2_extras.json.b64decode(parts[0])
return sessions_ndb.Session.get_by_sid(cookie_data['_sid'])
And you'd call that from your API method using: 你可以使用以下方法从API方法中调用它:
session = get_current_session(self.request_state)
You can find all the details at: https://blog.artooro.com/2014/08/21/share-sessions-between-google-cloud-endpoints-and-webapp2/ 您可以在以下网址找到所有详细信息: https : //blog.artooro.com/2014/08/21/share-sessions-between-google-cloud-endpoints-and-webapp2/
声明:本站的技术帖子网页,遵循CC BY-SA 4.0协议,如果您需要转载,请注明本站网址或者原文地址。任何问题请咨询:yoyou2525@163.com.