What is the purpose of oauth-token of Ruby on Rails gem omniauth-facebook?
Question
I'm using has_secure_password and bcrypt for authentication, but not deivse . I basically refer Railscasts and pass in all the data such as provider/uid/info.name/credentials.token . Since my User model validates password , so I try to pass in the oauth-token as password so I can put this user in my db. My question is, is there any security risk for treating oauth-token as password? What is the original purpose for oauth-token ? Thank you.
1 answers
solution1
0 ACCPTED 2014-01-24 05:25:59
I don't even really know where to start... It's unclear if you are trying to implement FB Connect, and doing it wrong or trying to implement user authentication, and doing it wrong by using OAuth related stuff.
OAuth tokens are used to authenticate yourself against a third party, in order to access their API for example. So in case of Facebook Connect you would have the user authorize themselves and then get an OAuth token for them, so you can access the third party in their behalf. I suggest reading up on OAuth resources for this.
Either way using an OAuth token for whatever password is wrong. OAuth tokens are not permanent, they expire and they can be revoked and regenerated. Meaning in your case the password would change in all of those cases. If you are just implementing OAuth connect, you don't need any kind of passwords for the user at all.
The technical post webpages of this site follow the CC BY-SA 4.0 protocol. If you need to reprint, please indicate the site URL or the original address.Any question please contact:yoyou2525@163.com.