在移动应用程序上注册帐户
[英]Account registration on mobile application
问题描述
I'm working on a hybrid mobile application for both android / iOS, which mainly send requests to a restful server using an access token for authentication / authorization. 
我正在为Android / iOS开发混合移动应用程序,该应用程序主要使用访问令牌进行身份验证/授权将请求发送到宁静的服务器。
However, not sure how to implement the account creation part, would it be ok to allow a POST request with an email address / password to register a user? 但是,不确定如何实现帐户创建部分,是否可以允许带有电子邮件地址/密码的POST请求注册用户? Something like POST /signup (Of course using https, email verification etc). 类似于POST /signup (当然使用https,电子邮件验证等)。
Or is there a better alternative? 还是有更好的选择?
1 个解决方案
解决方案1
1 已采纳 2015-08-05 23:05:11
This is essentially how classic signup works on most mobile apps. 本质上,这就是大多数移动应用程序上经典注册的工作方式。 POST email/password to a signup URL and receive an access token in the response. 将电子邮件/密码发布到注册URL,并在响应中接收访问令牌。
If you want to get fancy, you can incorporate a secret app token so the request can be signed, and the server can theoretically guarantee the request came from your own app and no-one else's. 如果您想花哨的话,可以合并一个秘密的应用程序令牌,以便可以对请求进行签名,并且服务器可以从理论上保证该请求来自您自己的应用程序,而不是其他应用程序。 The problem though is a "secret" in the client is not really a secret, anyone has access to the compiled code and the requests being made. 问题是,客户端中的“秘密”并不是真正的秘密,任何人都可以访问编译后的代码并发出请求。 (Twitter, for example, has encountered this problem .) (例如,Twitter 遇到此问题 。)
There's also single-sign on via Twitter, Google, Facebook, etc. in which case you can just upload the access token after user authenticates on the device. 还可以通过Twitter,Google,Facebook等进行单点登录。在这种情况下,您只需在用户在设备上进行身份验证后就可以上传访问令牌。 Some apps also request a phone number instead of email, and then verify by SMS (which is automatic if the app can read SMS), eg WhatsApp. 某些应用程序还要求提供电话号码而不是电子邮件,然后通过SMS验证(如果应用程序可以读取SMS,则自动验证),例如WhatsApp。
声明:本站的技术帖子网页,遵循CC BY-SA 4.0协议,如果您需要转载,请注明本站网址或者原文地址。任何问题请咨询:yoyou2525@163.com.