[英]Implementing automatic login to 3rd party website
My node-based web service links to a external 3rd party site that requires a username/password which we also have (but not the same as the login ofr our webservice). 我的基于节点的Web服务链接到外部第三方站点,该站点需要我们也拥有的用户名/密码(但与我们的webservice的登录名不同)。 To provide a seamless user experience, when the user clicks the link to the 3rd party site, I would like to automatically log them in with the username/password, and take them straight to the external page's dashboard. 为了提供无缝的用户体验,当用户点击第三方网站的链接时,我想使用用户名/密码自动登录,并将它们直接带到外部页面的仪表板。
At the very least, I would like to pre-populate the 3rd party login form with this information, but this post detailing a similar situation doesn't make me optimistic. 至少,我想用这些信息预先填写第三方登录表单,但这篇详细说明类似情况的帖子并不能让我乐观。
I do not believe the 3rd party site supports OAuth or existing SSO protocols. 我不相信第三方网站支持OAuth或现有的SSO协议。 I cannot use an iFrame. 我不能使用iFrame。 One viable option seems to be using some kind of proxy , or using requests (or tokens?) to the 3rd party site. 一个可行的选择似乎是使用某种代理 ,或使用请求(或令牌?)到第三方网站。
Knowing that I have no control over the 3rd party login, what are some high-level options for how to accomplish this end goal? 知道我无法控制第三方登录,有哪些高级选项可以实现这个最终目标? What are some things I need to be wary of when choosing a solution? 在选择解决方案时,我需要注意哪些事项?
The short answer is that you cannot accomplish this if the foreign site uses CSRF protection on the form, or doesn't allow querystring parameters for form inputs. 简短的回答是,如果外部站点在表单上使用CSRF保护,或者不允许表单输入的查询字符串参数,则无法完成此操作。
Here's what you can try: 这是你可以尝试的:
Inspect the source code of the login page, and use the HTML input name tag values in your querystring for the redirect. 检查登录页面的源代码,并使用查询字符串中的HTML输入名称标记值进行重定向。 So if the form has username and password input fields, you'd use those two names. 因此,如果表单具有用户名和密码输入字段,则使用这两个名称。
Now -- please keep in mind that what you're attempting to do is generally NOT a good idea. 现在 - 请记住,你试图做的事情通常不是一个好主意。
Storing a user's credentials for another website is a HUGE security risk, and really not a good idea. 为另一个网站存储用户的凭据是一个巨大的安全风险,并不是一个好主意。 If the site / service doesn't offer SSO / Oauth, this is likely going to be a problem for you in the future. 如果站点/服务不提供SSO / Oauth,这可能会在将来成为您的问题。
Among other things, here are some of the bad things that can happen: 除其他外,这里有一些可能发生的坏事:
声明:本站的技术帖子网页,遵循CC BY-SA 4.0协议,如果您需要转载,请注明本站网址或者原文地址。任何问题请咨询:yoyou2525@163.com.