
How should I create a new Federated Identity Provider for Firebase Authentication

I would like to integrate PayPal sign-in into an Android app so as to authenticate the client to the Firebase Database. I've managed to create a custom function on the node.js server that creates tokens from the provided uid, in order to use the "signInWithCustomToken" function in the client application. Should I send the uid to the nodejs server through https in order to get the token? Is there a better way?

Don't create an HTTP endpoint that accepts a uid and returns a custom token. This is a huge security vulnerability as any attacker would be able to impersonate any user knowing their uid. What you need to do is the following:

  1. Implement a PayPal OAuth code flow. You can use third party libraries for that.
  2. When you get the PayPal OAuth authorization code, you send it to your backend, where you use the PayPal client ID and secret to exchange it for a PayPal refresh token and access token. You can then get the user info associated with that PayPal user, including their PayPal uid. You would then mint a Firebase custom token using the Firebase Admin SDKs and return it to the client.
  3. On the client you would call signInWithCustomToken to complete sign-in with that custom token.

In this case you are exposing an HTTP endpoint that takes an authorization code and returns a Firebase custom token.

This is the basic idea (details excluded). Of course you still have to ensure the flow starts and ends on the same device by passing some state and then checking that you get it back in the end. You also have to ensure the auth code is returned to the correct app using something like app links, etc. Firebase Dynamic Links can be helpful there.
