简体繁体 English

非SSL网站的OAuth1或OAuth2？

[英]OAuth1 or OAuth2 for a non SSL website?

原文 2013-01-31 13:10:56 6 3 php/ codeigniter/ ssl/ oauth/ oauth-2.0

I want to implement OAuth server on my PHP server, which dosent have a SSL connection. 我想在我的PHP服务器上实现OAuth服务器，该服务器具有SSL连接。 There's no decent OAuth 2 framework for PHP-codeigniter yet. PHP-codeigniter还没有像样的OAuth 2框架。 So which one should I use OAuth1 or OAuth2 ? 那么我应该使用OAuth1还是OAuth2？

3 个解决方案

The short answer is: you should consider using OAuth 1.0a [1] rather than OAuth 2.0 简短的回答是：您应该考虑使用OAuth 1.0a [1]而不是OAuth 2.0

The long answer is below: 答案如下：

OAuth 2.0 by default requires the use of SSL/TLS for transport layer security. 默认情况下，OAuth 2.0要求使用SSL / TLS进行传输层安全性。 Therefore, when implementing an OAuth 2.0 compliant Authorization Server, you need to allow client applications to connect to the Authorization Endpoint as well as Token Endpoint over a secure channel. 因此，在实施符合OAuth 2.0的授权服务器时，您需要允许客户端应用程序通过安全通道连接到授权端点和令牌端点。 See the following sections in the OAuth 2.0 specification [2]: 请参阅OAuth 2.0规范[2]中的以下部分：

3.1 (Authorization Endpoint) 3.1（授权端点）

"[...] the authorization server MUST require the use of TLS as described in Section 1.6 when sending requests to the authorization endpoint." “[...]授权服务器必须要求在向授权终端发送请求时使用第1.6节中所述的TLS。”

3.2 (Token Endpoint) 3.2（令牌端点）

"[...] the authorization server MUST require the use of TLS as described in Section 1.6 when sending requests to the token endpoint." “[...]授权服务器必须要求在向令牌端点发送请求时使用第1.6节中描述的TLS。”

In your case, when you do not have an SSL connection, you can still possibly consider using OAuth 2.0 and the MAC Access Authentication [3], which specifies how to make OAuth 2.0 requests by issuing MAC-type access tokens. 在您的情况下，当您没有SSL连接时，您仍然可以考虑使用OAuth 2.0和MAC访问身份验证[3]，它指定如何通过发出MAC类型访问令牌来发出OAuth 2.0请求。 Such tokens are cryptographically signed with a shared symmetric key (key is shared between the client application and the server). 这些令牌使用共享对称密钥进行加密签名（密钥在客户端应用程序和服务器之间共享）。

IMPORTANT NOTE: In such setup, however, you will still need to provide a mechanism for clients to be able to establish a shared secret with your OAuth 2.0 server in a secure way (how this is done is up to you - can be over some SSL channel or out-of-band, depending on your exact use cases). 重要说明：但是，在此类设置中，您仍然需要为客户端提供一种机制，以便能够以安全的方式与您的OAuth 2.0服务器建立共享密钥（如何完成此操作取决于您 - 可以超过某些SSL通道或带外，具体取决于您的确切用例）。 This is a strict requirement to allow clients to securely access protected resources! 这是允许客户安全访问受保护资源的严格要求！

"The MAC scheme requires the establishment of a shared symmetric key between the client and the server. This specification offers one such method for issuing a set of MAC credentials to the client using OAuth 2.0 in the form of a MAC-type access token. “MAC方案要求在客户端和服务器之间建立共享对称密钥。该规范提供了一种这样的方法，用于以MAC类型访问令牌的形式使用OAuth 2.0向客户端发布一组MAC凭证。

The primary design goal of this mechanism is to simplify and improve HTTP authentication for services that are unwilling or unable to employ TLS for every request. 此机制的主要设计目标是简化和改进对不愿意或无法为每个请求使用TLS的服务的HTTP身份验证。 In particular, this mechanism leverage an initial TLS setup phase to establish a shared secret between the client and the server. 特别是，该机制利用初始TLS设置阶段在客户端和服务器之间建立共享密钥。 The shared secret is then used over an insecure channel to provide protection against a passive network attacker." 然后在不安全的通道上使用共享密钥，以防止被动网络攻击者。“

Based on the above explanation, I would consider using OAuth 1.0a [3], which does not require the use of a transport-level security for communication between the client and Authorization Server (OAuth 1.0a uses the term "Service Provider", btw). 基于上面的解释，我会考虑使用OAuth 1.0a [3]，它不需要使用传输级安全性来进行客户端和授权服务器之间的通信（OAuth 1.0a使用术语“服务提供者”，顺便说一下）。 Instead, it relies on messages being signed using a shared symmetric key (or an RSA key). 相反，它依赖于使用共享对称密钥（或RSA密钥）签名的消息。 However. 然而。 please note that unless you use signatures using HMAC-SHA1 or RSA-SHA1 (ie you decide to use the PlAINTEXT signature type), you will need to use SSL/TLS anyway. 请注意，除非您使用HMAC-SHA1或RSA-SHA1签名（即您决定使用PlAINTEXT签名类型），否则无论如何都需要使用SSL / TLS。

[1] https://tools.ietf.org/html/rfc5849 [1] https://tools.ietf.org/html/rfc5849

[2] http://tools.ietf.org/html/rfc6749 [2] http://tools.ietf.org/html/rfc6749

[3] http://tools.ietf.org/html/draft-ietf-oauth-v2-http-mac-01 [3] http://tools.ietf.org/html/draft-ietf-oauth-v2-http-mac-01

From a client's perspective, OAuth 2 is easier to integrate into applications, among other benfits: How is OAuth 2 different from OAuth 1? 从客户的角度来看，OAuth 2更容易集成到应用程序中，以及其他好处： OAuth 2与OAuth 1有何不同？

Just integrate any external Oauth2 library with Codeigniter. 只需将任何外部Oauth2库与Codeigniter集成即可。 Here is one: https://github.com/bshaffer/oauth2-server-php 这是一个： https ： //github.com/bshaffer/oauth2-server-php

I am using OAuth2 for 2 years, and I highly recommend using it since it is very reliable. 我使用OAuth2已经2年了，我强烈推荐使用它，因为它非常可靠。 Relating to SSL, as far as I know, OAuth should be utilizing SSL to gain proper implementation, avoiding this will simply not adopting OAuth protocol. 关于SSL，据我所知，OAuth应该利用SSL来获得正确的实现，避免这样做只是不采用OAuth协议。