
Share token between different domains

I'm looking for a way to securely share a token between one webapp and the front-end of a second webapp.

Environment details:

  • webapp.local : A PHP webapp that stores some data that are restricted to specific users. This webapp is accessible by VPN only.
  • otherwebapp.example : This is a Zendesk instance; it allows us to create a plugin (HTML + JavaScript) that is loaded on the client side.

Notes:

  • webapp.local and otherwebapp.example use different domains (they aren't sub-domains).
  • otherwebapp.example is not able to access webapp.local . But the front-end will be able to (the users are connected to the VPN).

I did some research, and found some options:

  • HTTP Cookies : the "SameSite" attribute needs to be "None" ( reference ), is it a secure option? I did some tests and it seems that they need to be on the same sub-domain.
  • JS postMessage : It will need to open a popup or an iframe; I did some tests but am still trying to make it work.

The question is: Is there a best practice or another way to share sensitive data (a token) between a webapp and a front-end located on another domain/app?

I think there is not a fully secure way to do it, because you want to handle the share on the client side and that will always be exposed. Though you can take a different approach, like sharing a request token via a GET param to the second webapp and there calling a validation API that validates the origin of the request (it should be restricted to the second webapp domain) and also validates the passed token, and then returns the actual session token.
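The exchange flow described in the answer above, written out as an added Python example (not code from the question, the answer, or either webapp). The allowed origin, the in-memory token store and the function names are assumptions for illustration; a real endpoint would also need the matching CORS response headers.

```python
import hmac
import secrets
import time
from typing import Dict, Optional, Tuple

# Assumed value: the only origin allowed to call the validation API (the Zendesk plugin's domain).
ALLOWED_ORIGIN = "https://otherwebapp.example"
REQUEST_TOKEN_TTL = 60  # seconds; the token passed in the GET param is short-lived and single-use

# request_token -> (session_token, expires_at). Constructed in-memory store standing in for
# whatever server-side storage webapp.local would really use.
_pending: Dict[str, Tuple[str, float]] = {}


def issue_request_token(session_token: str, now: Optional[float] = None) -> str:
    """webapp.local mints a one-time request token to hand to the second webapp via GET."""
    now = time.time() if now is None else now
    request_token = secrets.token_urlsafe(32)  # unguessable, never derived from the session token
    _pending[request_token] = (session_token, now + REQUEST_TOKEN_TTL)
    return request_token


def exchange_request_token(request_token: str, origin_header: Optional[str],
                           now: Optional[float] = None) -> Optional[str]:
    """The validation API: check the caller's Origin first, then the token, then expiry.
    Returns the real session token exactly once, or None on any failure."""
    now = time.time() if now is None else now
    # 1. Origin check: a request from any other origin is refused before the token is even looked at,
    #    so an attacker probing with a stolen token from elsewhere cannot burn or learn anything.
    if origin_header is None or not hmac.compare_digest(origin_header, ALLOWED_ORIGIN):
        return None
    # 2. Token check: pop so that a replayed token can never be exchanged twice.
    entry = _pending.pop(request_token, None)
    if entry is None:
        return None
    session_token, expires_at = entry
    # 3. Expiry check: a stale token is rejected even if it was never used.
    if now > expires_at:
        return None
    return session_token
```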
