
OAuth 2.0 for MVC - How does the RequestToken work?

I'm working with OAuth 2.0 for MVC, found here: http://community.codesmithtools.com/CodeSmith_Community/b/tdupont/archive/2011/03/18/oauth-2-0-for-mvc-two-legged-implementation.aspx

For anyone who's worked with this - I'm confused about the RequestToken. There is a controller implemented that lets you get a request token, which expires in 5 minutes, and you pass that token back in to get an AccessToken. But it never checks the request token for validity - it seems like you can pass in any access token you want to. What is the idea for the RequestToken here - are you supposed to create your own method of storing, referencing, and then deleting that token for those 5 minutes?

Thanks, Andy

This is all about how OAuth works in conjunction with your application Id, application secret key and valid domains for your application. Here is the process in general:

  1. Your application sends a request to the OAuth provider using your application Id and secret along with a callback (return Url).

  2. The OAuth provider gets the request, checks your application Id and secret and validates that the callback url is from a domain that you have specified for your application.

    2a. If the callback url is not from a domain that you have specified, then the request is rejected with an error.

    2b. If the callback url is from your domain, it returns a temporary request key to your server.

  3. Given that you received a request key, you send that back to the OAuth provider to get the actual access token for the user.

Now, as to why the request key step is in place, this is to prevent and help protect against 'bad people' attempting to use your application id to falsely authenticate other users. By sending the request token to you (a callback URL that you have approved), the OAuth provider has confidence that the request actually came from your servers.

You most certainly could send any string back instead of the request token, but you would quickly get an error back from the OAuth provider as that request token does not correspond to any existing authentication request from any known application.

Lastly, I am not clear on what you mean by 'validating the request token'. You did not generate the token, nor probably do you have insight into the algorithm used to generate the request token. Given that, I am not sure how you would validate this. If you are concerned about validating the first step, take a look at the Facebook OAuth process. In there, they recommend sending a request key as part of your return Url (as a query string parameter). That request key will come back to your application, which you could then use as a validation that, indeed, this is a response to a request that you made. How you store and track that request key is up to you (session, database). In the PHP samples, they use a 'state' variable to track a unique/arbitrary string: Facebook OAuth Server Side Login Example (in PHP)
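As an added example that is not part of the question, the answer, or the CodeSmith OAuth 2.0 for MVC code the question links to: the piece the question says the sample controller is missing is a server-side record of every request token it issued, so that the token exchange can check the token was really issued, has not expired, and has not already been used. The class below is a self-contained C# version of that record. The class name `RequestTokenStore`, the in-memory dictionary, the injectable clock, and the 5-minute lifetime (the figure from the question) are assumptions for illustration; the same validation logic applies if the store is backed by a session or database, as the answer suggests.

```csharp
// Added example, not code from the question, the answer, or the linked project.
// Names (RequestTokenStore, Issue, TryConsume, Purge) are assumptions for illustration.
using System;
using System.Collections.Concurrent;
using System.Security.Cryptography;

public sealed class RequestTokenStore
{
    // token -> UTC expiry. In-memory for illustration; a farm of web servers needs a shared store.
    private readonly ConcurrentDictionary<string, DateTime> _tokens =
        new ConcurrentDictionary<string, DateTime>();
    private readonly TimeSpan _lifetime;
    private readonly Func<DateTime> _clock;

    // The clock is injectable so expiry can be exercised without waiting 5 minutes.
    public RequestTokenStore(TimeSpan lifetime, Func<DateTime> clock = null)
    {
        _lifetime = lifetime;
        _clock = clock ?? (() => DateTime.UtcNow);
    }

    // Issue a token from 32 bytes of CSPRNG output: with 256 bits of entropy a caller
    // cannot guess a valid token, which is what makes the later lookup meaningful.
    public string Issue()
    {
        var bytes = new byte[32];
        using (var rng = RandomNumberGenerator.Create())
        {
            rng.GetBytes(bytes);
        }
        // URL-safe base64 so the token survives a query string or form post unchanged.
        string token = Convert.ToBase64String(bytes)
            .TrimEnd('=').Replace('+', '-').Replace('/', '_');
        _tokens[token] = _clock().Add(_lifetime);
        return token;
    }

    // Validate and delete in one atomic step: a token that was issued, is still within its
    // lifetime and has not been presented before is accepted exactly once. An unknown
    // string, a replayed token, or an expired token is rejected.
    public bool TryConsume(string presented)
    {
        if (string.IsNullOrEmpty(presented)) return false;
        DateTime expiresAt;
        if (!_tokens.TryRemove(presented, out expiresAt)) return false; // never issued, or already used
        return _clock() <= expiresAt;                                   // removed either way; reject if stale
    }

    // Sweep tokens that were issued but never exchanged, so the store does not grow unbounded.
    public int Purge()
    {
        int removed = 0;
        DateTime now = _clock();
        foreach (var kv in _tokens)
        {
            DateTime ignored;
            if (kv.Value < now && _tokens.TryRemove(kv.Key, out ignored)) removed++;
        }
        return removed;
    }
}

public static class Demo
{
    public static void Main()
    {
        // Constructed clock so the run is deterministic.
        DateTime now = new DateTime(2024, 1, 1, 0, 0, 0, DateTimeKind.Utc);
        var store = new RequestTokenStore(TimeSpan.FromMinutes(5), () => now);

        string token = store.Issue();
        Console.WriteLine("arbitrary string accepted: " + store.TryConsume("not-a-token"));
        Console.WriteLine("issued token accepted:     " + store.TryConsume(token));
        Console.WriteLine("same token replayed:       " + store.TryConsume(token));

        string stale = store.Issue();
        now = now.AddMinutes(6); // past the 5-minute lifetime
        Console.WriteLine("expired token accepted:    " + store.TryConsume(stale));
        Console.WriteLine("purged entries:            " + store.Purge());
    }
}
```

In the flow the question describes, the controller that hands out request tokens would call `Issue()` and the one that exchanges them for an access token would refuse the exchange unless `TryConsume()` returns true. The token plays the same role as the 'state' value the answer mentions: it proves the exchange is a response to a request this application actually made. Tying the token to the user's session as well, so that one user cannot redeem another user's token, is a further check that this example does not show.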
