
Android SSO (Single sign-on) for app

Is there any free single-sign-on mechanism for Android that gracefully works with non-webapps? Say, something along the lines of...

  1. You launch my app and use it until it makes a request from the app server that requires authentication. It responds to that request with a random token that the server will associate with you for a short time.

  2. The app presents you with a username field, a password field, and a submit button.

  3. You enter your username and password. The app then forwards your username and hashed password, along with the token generated by the app server, to the login service.

  4. The login service determines whether or not your username and password are valid. If they are, it digitally timestamps and signs the token, and returns the signed token to the app.

  5. The app relays the signed token to the server.

  6. The server checks the signature, satisfies itself that it's valid and signed by an authority it trusts, and proceeds as though the user had presented IT with a valid local username and password instead.

I suspect I'm just getting lost in nomenclature, but the impression I've gotten so far is that all the usual SSO providers -- Twitter, Facebook, etc. -- only allow users to log in using a normal browser, and that you're either not allowed to do what I described, or they do something to make it effectively impossible with anything besides a normal browser (like dynamically creating the login form via Javascript in an effort to prevent developers from trying to use their own apps as a login facade).

Alternatively, does there exist any workflow like THIS...

  1. You launch my app and use it until the web service requires you to log in. The app server generates a token and returns it to the app.

  2. The app spawns a new browser via intent that sends you to the login provider's web site, passing the token via intent to the browser (and ultimately the provider) as a POSTed formvar.

  3. You log in using the browser window, and the browser window closes -- returning you to my app.

  4. The login provider signs the token, then sends it directly to my app server via HTTP POST so I can note its submission, verify the cert, and treat it as though it were instead a valid username and password submitted directly by the user to the app server himself.

Have you tried or thought of using Firebase? https://firebase.google.com/docs/auth/?hl=es-419

It has some useful tools: you can sign in with multiple social connectors and user/password as well, and they provide a library to integrate the whole UI and server flow; they even take advantage of Google Smart Lock for you.

Take a look at https://github.com/firebase/FirebaseUI-Android. I used it in a personal project and it saved me a lot of time.

What you described in the "Alternatively" section looks like the OAuth 2.0 Authorization Code grant using Proof Key for Code Exchange (PKCE):

https://www.rfc-editor.org/rfc/rfc7636

The flow is the following:

  1. Your app generates a random key (code_verifier) and its transformed value (code_challenge) and navigates to the authorization server with code_challenge as a parameter.
  2. The authorization server redirects back to your app with an authorization code.
  3. Your app sends the authorization_code and the code_verifier to the auth server to get the authorization token.
  4. The server uses the authorization_code and the code_verifier (it already has the code_challenge, so it can verify that the code_verifier is correct) and then returns to your app with the token.

On the practical side of it you can use something like Auth0 to implement it in your app.
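The four PKCE steps in the answer above, as an added example that is not part of the answer or of any library it mentions. It implements the RFC 7636 computations (a random `code_verifier`, the S256 `code_challenge`, and the server-side check at token exchange) against a constructed in-memory stand-in for the authorization server (`ToyAuthServer`), so the whole exchange runs offline; the `run_flow` helper and its `tamper` switch are illustrative names, not anything from the RFC or Auth0.

```python
"""Added example: RFC 7636 PKCE verifier/challenge generation and the
token-endpoint check, with a constructed in-memory authorization server."""
import base64
import hashlib
import secrets
from dataclasses import dataclass, field


def b64url(data: bytes) -> str:
    """Base64url without '=' padding, as RFC 7636 Appendix A specifies."""
    return base64.urlsafe_b64encode(data).rstrip(b"=").decode("ascii")


def make_code_verifier(nbytes: int = 32) -> str:
    """Step 1: high-entropy random string. 32 bytes encode to 43 characters,
    the minimum verifier length allowed by the RFC."""
    return b64url(secrets.token_bytes(nbytes))


def make_code_challenge(verifier: str) -> str:
    """Step 1: S256 transform, BASE64URL(SHA256(ASCII(code_verifier)))."""
    return b64url(hashlib.sha256(verifier.encode("ascii")).digest())


@dataclass
class ToyAuthServer:
    """Constructed stand-in for the authorization server (not a real product).
    Maps each issued authorization code to the challenge it was bound to."""
    pending: dict = field(default_factory=dict)

    def authorize(self, code_challenge: str) -> str:
        """Step 2: remember the challenge and hand back an authorization code
        (a real server would do this after the user logs in via the browser)."""
        code = secrets.token_urlsafe(24)
        self.pending[code] = code_challenge
        return code

    def token(self, authorization_code: str, code_verifier: str):
        """Steps 3-4: recompute the challenge from the presented verifier and
        compare it with the stored one. Codes are single-use, so a replayed
        code fails even when the correct verifier accompanies it."""
        challenge = self.pending.pop(authorization_code, None)
        if challenge is None:
            return None
        if not secrets.compare_digest(make_code_challenge(code_verifier), challenge):
            return None
        return "access-" + secrets.token_urlsafe(16)


def run_flow(server: ToyAuthServer, tamper: bool = False):
    """Drive steps 1-4 once. With tamper=True the token request presents a
    different verifier, modelling a party that saw only the redirect and so
    holds the code but not the verifier; the server must then refuse."""
    verifier = make_code_verifier()
    code = server.authorize(make_code_challenge(verifier))
    presented = make_code_verifier() if tamper else verifier
    return server.token(code, presented)


if __name__ == "__main__":
    srv = ToyAuthServer()
    print("honest client:", run_flow(srv))
    print("code without verifier:", run_flow(srv, tamper=True))
```

The verifier never leaves the app until the token request, and the redirect back to the app carries only the code, which is why the challenge must be bound to the code server-side and the code consumed on first use. `secrets.compare_digest` keeps the comparison constant-time.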

Use Android Account Manager for SSO.

Providing references below just for knowledge. You have to dig into Account Manager.
Android developer: https://developer.android.com/training/id-auth
Blog with example: https://www.zoftino.com/android-account-manager-&-create-custom-account-type
