Omniauth策略-在共享系统上管理多个用户
我知道会得到什么答案,但是我只想试试运气.以Facebook为例,我正在使用omniauth-facebook允许用户登录到我的站点.登录后,用户可以在此站点上设置一些隐私数据.
I know what answers are going to be, but I just want to try my luck. Taking Facebook as an example say, I am using omniauth-facebook to allow users to log in to my site. Upon logging in, user may set up some privacy data on this site.
在一个场景中,我有2个用户U1和U2.他们俩都分别在我的站点上使用Facebook登录并分别授权了该应用程序.现在考虑使用共享系统,U1进入我的站点,单击Login using Facebook,对自己进行身份验证,一切正常. U1离开但不从Facebook注销.现在出现U2,单击Login using Facebook,并使用U1的凭据自动登录.我在任何时候都不会存储用户的access_token.
Taking up a scenario, I have 2 users U1 and U2. They both have individually logged in using Facebook at my site and have respectively authorized the app. Now considering a shared system, U1 comes to my site, clicks on Login using Facebook, authenticates herself and everything's okay. U1 leaves but doesn't log outs from Facebook. Now U2 comes, clicks on Login using Facebook and is automatically logged in using U1's credentials. I am not storing user's access_token at any point.
有什么办法可以阻止这种情况的发生?我能想到的最好的办法是在FB身份验证和我的站点的回调之间添加一个中间页,并询问用户这是否是FB的目标用户.如果是这样,请继续,否则请带她进入登录页面.但这并不能解决U2仍然可以看到U1的页面的事实.
Is there any way I can stop this from happening? The best I can come up with is add an intermediary page, in between authentication from FB and callback at my site, and ask user if this is the intended user from FB for her. If so, continue, else take her to login page. But this doesn't deal with the fact that U2 can still see U1's page.
任何输入将不胜感激.
我的目标是Facebook,Twitter,LinkedIn和Google.因此,我正在寻找一个通用的解决方案.我知道Facebook和Twitter可以进行强制身份验证,但是我想实现一个通用的解决方案.
I am targeting Facebook, Twitter, LinkedIn and Google. So I am looking for a common solution. I know there is a possibility of force-authentication for Facebook and Twitter, but I would like to implement a common solution.
Facebook(和omniauth-facebook)提供了选项auth_type来防止这种情况:
Facebook (and omniauth-facebook) provides the option auth_type to prevent just that:
use OmniAuth::Builder do
provider :facebook, ENV['FACEBOOK_KEY'], ENV['FACEBOOK_SECRET'],
:auth_type => 'reauthenticate'
end
使用此选项,当用户尝试使用Facebook登录到您的服务时,将要求其输入密码.查看 gem的文档以获取更多信息.
With this option, the user will be asked to enter his password when he trying to log in to your service using Facebook. Check out the gem's documentation for more information.
最后一点:该选项仅适用于omniauth-facebook.其他OmniAuth提供程序可能具有类似的选项,但其他可能根本没有.例如,Twitter具有force_login选项,当设置为true时,它将从Twitter注销用户.有时这就是您想要的,有时不是.从其他服务中注销用户可能会很麻烦.我实际上希望所有提供商都具有这两个选项,以便我们可以选择使用哪个选项(从外部服务中注销用户,或者再次要求输入密码),但是我想我们必须对我们所提供的内容感到满意有.例如,据我所知,谷歌对此风险无能为力.
One final note: this option only exists for omniauth-facebook. Other OmniAuth providers may have similar options, but others may have none at all. For example, Twitter has a force_login option that when set to true will logout the user from Twitter. Sometimes this is what you want, sometimes it is not. Logging out the user from other services can be quite bothersome. I'd actually like if all providers had these two options so we could choose which one to use (log out the user from the external service OR just ask for the password again) but I guess we'll have to be content with what we have. For example, as far as I know, Google has no protection for this risk.