What is the purpose of oauth-token of Ruby on Rails gem omniauth-facebook?
I'm using has_secure_password and bcrypt for authentication, but not devise. I basically refer to Railscasts and pass in all the data such as provider/uid/info.name/credentials.token. Since my User model validates password, I try to pass in the oauth-token as password so I can put this user in my db. My question is, is there any security risk in treating oauth-token as password? What is the original purpose of oauth-token? Thank you.
I don't even really know where to start... It's unclear if you are trying to implement FB Connect, and doing it wrong, or trying to implement user authentication, and doing it wrong by using OAuth related stuff.
OAuth tokens are used to authenticate yourself against a third party, in order to access their API for example. So in case of Facebook Connect you would have the user authorize themselves and then get an OAuth token for them, so you can access the third party on their behalf. I suggest reading up on OAuth resources for this.
Either way, using an OAuth token for whatever password is wrong. OAuth tokens are not permanent, they expire and they can be revoked and regenerated. Meaning in your case the password would change in all of those cases. If you are just implementing OAuth connect, you don't need any kind of passwords for the user at all.
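The separation the answer describes, as an added example that is not part of the original posts or of omniauth-facebook: identity is keyed on provider + uid, the token is stored as a rotating API credential, and a password is required only for local accounts. `User`, `UserStore` and `from_omniauth` are hypothetical plain-Ruby stand-ins for a Rails model, and the two login hashes are constructed sample data in the OmniAuth auth-hash shape.

```ruby
# Added example: plain-Ruby stand-in for a Rails User model (no Rails, no bcrypt).
# Identity is keyed on provider + uid; the OAuth token is a rotating API credential.
User = Struct.new(:provider, :uid, :name, :password_digest,
                  :oauth_token, :oauth_expires_at, keyword_init: true) do
  # A password is required only for local accounts (no external provider).
  def password_required?
    provider.nil?
  end

  def valid?
    !password_required? || !password_digest.to_s.empty?
  end

  def token_expired?(now = Time.now)
    !oauth_expires_at.nil? && now >= oauth_expires_at
  end
end

class UserStore
  def initialize
    @users = {}
  end

  # auth mirrors the OmniAuth hash shape: provider, uid, info.name, credentials.*
  def from_omniauth(auth)
    key = [auth[:provider], auth[:uid]]
    user = (@users[key] ||= User.new(provider: auth[:provider], uid: auth[:uid]))
    user.name = auth[:info][:name]
    # Refresh the token on every login; it never touches password_digest.
    user.oauth_token = auth[:credentials][:token]
    exp = auth[:credentials][:expires_at]
    user.oauth_expires_at = exp && Time.at(exp)
    raise ArgumentError, "invalid user" unless user.valid?
    user
  end

  def count
    @users.size
  end
end

# Constructed sample data: two logins by the same Facebook user, token rotated in between.
FIRST_LOGIN  = { provider: "facebook", uid: "1001", info: { name: "Alice" },
                 credentials: { token: "tok-A", expires_at: 1_700_000_000 } }.freeze
SECOND_LOGIN = { provider: "facebook", uid: "1001", info: { name: "Alice" },
                 credentials: { token: "tok-B", expires_at: 1_705_000_000 } }.freeze
```

In a Rails model the same split is usually expressed by making the password validation conditional on the provider being absent, so OAuth users are saved without any password value.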
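Notice: The technical post pages on this site are licensed under CC BY-SA 4.0. If you repost them, please credit this site's URL or the original address. For any questions, contact: yoyou2525@163.com.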