How do popular apps authenticate user requests from their mobile application to their server?

Time: 2022-09-07 10:11:02

Say I have an Android application that connects to a .Net API for receiving/setting data. The confusion that I have is regarding how to sign up/log in the user the first time and authenticate them every time they make a request to the API.

  • If I just use username/password based authentication, will that not be safe enough?
  • And I can't save that username/password on the device, for security reasons of course?
  • Should I issue a GUID for every user at sign-up, save it on their device and retrieve it every time during an API request?

What other patterns are available, and which are the most efficient and secure? I just need a process flow for it. Can someone tell me what method famous Android applications like Facebook, FourSquare, or Twitter use to authenticate every request coming from their mobile application to their server?

Sorry in advance if that's not public information.

6 solutions

#1


40  

I imagine they use a "token" based security system, so the password is actually never stored anywhere, just used the first time to authenticate. So the app initially posts the username/password (over SSL) and the server returns a token that the app stores. For subsequent sync attempts the token is sent first, the server checks it is valid, and then allows other data to be posted.

The token should have an expiry so the server can re-request an authentication attempt.

If you hook into the sync adapter from within the Android Framework, that will give you the ability to sync and authenticate all under the hood.

http://developer.android.com/training/sync-adapters/creating-sync-adapter.html

If you check the accounts under Settings on your device you'll see what I mean.

#2


14  

Basically these famous apps use the OAuth protocol (1)/framework (2). Even though it is supposed to be a standard, each of these had a different implementation of this protocol/framework. So we have to be very careful when it comes to integration.

Example: Dropbox still uses OAuth 1 and recently came up with OAuth 2 support.

Back to the answer. As peterpan stated, it is a token-based way of authentication; authentication is a one-time thing and out of the equation. These tokens expire, or that power is given to the developer in some cases.

The interesting thing behind this is that resource access scope can be defined, rather than allowing the client application to keep the user names and passwords, which is dangerous.

This is the basic illustration of how this works.

[illustration: image not reproduced on this page]

I will update the answer after I get more details on this, since I am working in this area these days :)
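The flow described in answers #1 and #2, as an added illustration that is not part of the original question or any of the answers, and is not .NET or Android code: a Python stand-in for the server side, showing credentials exchanged once for an opaque, expiring token, the token checked on every later request, server-side revocation, and a scope attached to the token so a leaked read-only token cannot write. The user "alice", the endpoint names, the one-hour lifetime and the scope names are all assumptions made for the example; only a digest of each token is kept server-side so that reading the session table does not yield usable tokens.

```python
import hashlib
import hmac
import secrets
import time

TOKEN_TTL_SECONDS = 3600  # assumed lifetime; answer #1 only says the token "should have an expiry"


def _hash_password(password, salt):
    # Slow, salted password hash: the server keeps this, never the password itself.
    return hashlib.pbkdf2_hmac("sha256", password.encode(), salt, 200_000)


def make_user(password):
    salt = secrets.token_bytes(16)
    return {"salt": salt, "pw_hash": _hash_password(password, salt)}


# Constructed user store with one hypothetical account.
USERS = {"alice": make_user("correct horse battery staple")}

# sha256(token) -> session record.  Only a digest of the token is stored, so
# someone who reads this table cannot replay the tokens against the API.
SESSIONS = {}

# Scope required by each endpoint (hypothetical endpoint names), in the spirit
# of answer #2: a stolen read-only token cannot post.
ENDPOINT_SCOPES = {"GET /feed": "read", "POST /post": "write"}


def _token_digest(token):
    return hashlib.sha256(token.encode()).hexdigest()


def login(username, password, scopes, now=None):
    """Step 1 (sent once, over TLS): exchange username/password for a token."""
    now = time.time() if now is None else now
    user = USERS.get(username)
    if user is None:
        return None
    candidate = _hash_password(password, user["salt"])
    if not hmac.compare_digest(candidate, user["pw_hash"]):
        return None
    token = secrets.token_urlsafe(32)  # unguessable, unlike a sequential id
    SESSIONS[_token_digest(token)] = {
        "user": username,
        "scopes": frozenset(scopes),
        "expires": now + TOKEN_TTL_SECONDS,
    }
    return token  # the client stores this and forgets the password


def authenticate_request(endpoint, token, now=None):
    """Step 2 (every later request): validate the token, its expiry and scope.

    Returns an (HTTP status, detail) pair; 200 carries the authenticated user.
    """
    now = time.time() if now is None else now
    digest = _token_digest(token)
    session = SESSIONS.get(digest)
    if session is None:
        return 401, "unknown token"
    if now >= session["expires"]:
        del SESSIONS[digest]  # expired: the client must authenticate again
        return 401, "token expired"
    needed = ENDPOINT_SCOPES.get(endpoint)
    if needed is None:
        return 404, "no such endpoint"
    if needed not in session["scopes"]:
        return 403, "insufficient scope"
    return 200, session["user"]


def logout(token):
    """Server-side revocation, which a password or a permanent per-user GUID
    (as proposed in the question) cannot offer without changing the credential."""
    return SESSIONS.pop(_token_digest(token), None) is not None


if __name__ == "__main__":
    t = login("alice", "correct horse battery staple", ["read"])
    print("login ok:", t is not None)
    print("GET /feed:", authenticate_request("GET /feed", t))
    print("POST /post:", authenticate_request("POST /post", t))
    print("after expiry:", authenticate_request("GET /feed", t, now=time.time() + TOKEN_TTL_SECONDS + 1))
```

Two points are worth noticing when comparing this with the GUID idea from the question: the token is random and short-lived rather than a fixed identifier, so a leaked one is worth less and can be cut off with `logout`, and the password hash comparison uses `hmac.compare_digest` rather than `==` to avoid a timing side channel. In a real .NET API you would use the framework's own identity and token support rather than hand-rolling the session table.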

#3


3  

I am a newbie but I will try to give a logical solution for the given question.

There will be two options. [1] For every URI, HTTP authentication will be performed, where the user's entered credentials will be verified and the user shall access resources.

[2] Another approach could be: a user shall be authenticated, and on every authentication a unique token will be generated. Using the generated token, the user shall access resources.

Though I'm not sure which approach could be best suited for a mobile application.

#4


2  

I was searching for exactly the same thing and found Google's way, something like peterpan said, but through Google APIs. Try this link and Google your way through it; I am starting also! I'll post new info while I'm at it!

http://developer.android.com/google/auth/http-auth.html

#5


2  

The Authentication example is a good place to start. Android stores credentials in the Account Manager; you can view accounts in Android's settings. This will automatically store tokens, prompt the user for credentials if expired or missing, refresh tokens, etc. I find the HTTP part of this example lacking or old. Extending Android's AccountAuthenticatorActivity is a great helper to parse serialized data to the layout and back to the internet.

#6


-5  

Usernames and passwords can be safe when placed in SharedPreferences. Using HTTPS in connecting to a server should be good enough as well.
