实现自动登录第三方网站
[英]Implementing automatic login to 3rd party website
问题描述
My node-based web service links to a external 3rd party site that requires a username/password which we also have (but not the same as the login ofr our webservice). 
我的基于节点的Web服务链接到外部第三方站点,该站点需要我们也拥有的用户名/密码(但与我们的webservice的登录名不同)。 To provide a seamless user experience, when the user clicks the link to the 3rd party site, I would like to automatically log them in with the username/password, and take them straight to the external page's dashboard. 为了提供无缝的用户体验,当用户点击第三方网站的链接时,我想使用用户名/密码自动登录,并将它们直接带到外部页面的仪表板。
At the very least, I would like to pre-populate the 3rd party login form with this information, but this post detailing a similar situation doesn't make me optimistic. 至少,我想用这些信息预先填写第三方登录表单,但这篇详细说明类似情况的帖子并不能让我乐观。
I do not believe the 3rd party site supports OAuth or existing SSO protocols. 我不相信第三方网站支持OAuth或现有的SSO协议。 I cannot use an iFrame. 我不能使用iFrame。 One viable option seems to be using some kind of proxy , or using requests (or tokens?) to the 3rd party site. 一个可行的选择似乎是使用某种代理 ,或使用请求(或令牌?)到第三方网站。
Knowing that I have no control over the 3rd party login, what are some high-level options for how to accomplish this end goal? 知道我无法控制第三方登录,有哪些高级选项可以实现这个最终目标? What are some things I need to be wary of when choosing a solution? 在选择解决方案时,我需要注意哪些事项?
1 个解决方案
解决方案1
2 已采纳 2015-07-08 01:22:18
The short answer is that you cannot accomplish this if the foreign site uses CSRF protection on the form, or doesn't allow querystring parameters for form inputs. 简短的回答是,如果外部站点在表单上使用CSRF保护,或者不允许表单输入的查询字符串参数,则无法完成此操作。
Here's what you can try: 这是你可以尝试的:
- Try redirecting the user to https://website.com/login?username=xxx&password=xxx 尝试将用户重定向到https://website.com/login?username=xxx&password=xxx
- If that works, you're good to go. 如果可行的话,你很高兴。 If not, there's likely not a way to make this work in browser. 如果没有,可能无法在浏览器中实现此功能。
Inspect the source code of the login page, and use the HTML input name tag values in your querystring for the redirect. 检查登录页面的源代码,并使用查询字符串中的HTML输入名称标记值进行重定向。 So if the form has username and password input fields, you'd use those two names. 因此,如果表单具有用户名和密码输入字段,则使用这两个名称。
Now -- please keep in mind that what you're attempting to do is generally NOT a good idea. 现在 - 请记住,你试图做的事情通常不是一个好主意。
Storing a user's credentials for another website is a HUGE security risk, and really not a good idea. 为另一个网站存储用户的凭据是一个巨大的安全风险,并不是一个好主意。 If the site / service doesn't offer SSO / Oauth, this is likely going to be a problem for you in the future. 如果站点/服务不提供SSO / Oauth,这可能会在将来成为您的问题。
Among other things, here are some of the bad things that can happen: 除其他外,这里有一些可能发生的坏事:
- Someone gets a hold of the domain and captures all requests with the username/password. 有人获取域并使用用户名/密码捕获所有请求。
- The user's computer has been hijacked or man-in-the-middled such that when you redirect the user to this website, a third party captures the username/password info. 用户的计算机已被劫持或处于中间位置,因此当您将用户重定向到此网站时,第三方会捕获用户名/密码信息。
- The website changes their login form, and you end up sending credentials to another place on accident. 该网站更改了他们的登录表单,并最终在事故发生时将凭据发送到另一个地方。
- The website logs their incoming GET requests, and now has a bunch of credentials stored in plain text on their web servers (if these logs get out, that's bad). 该网站记录了他们传入的GET请求,现在在他们的Web服务器上有一堆以明文形式存储的凭据(如果这些日志出来,那就不好了)。
声明:本站的技术帖子网页,遵循CC BY-SA 4.0协议,如果您需要转载,请注明本站网址或者原文地址。任何问题请咨询:yoyou2525@163.com.