Facebook OAuth security using Passport

Problem description:


I am currently using a client-side React component to have a user log in to Facebook via OAuth in my application. On the server-side, I use the npm package passport-facebook-token to validate the authenticity of the accessToken after a successful client-side login.


One practice I do not see often is in addition to asking Facebook if the accessToken is valid, shouldn't the server also check if the email provided by the client's payload matches the e-mail coming back from Facebook? Allow me to use defined client/server technologies to illustrate my question:


1) User uses React component on the client to authenticate with Facebook.


2) React component successfully authenticates with Facebook and fires an HTTP request to the server with an access token and the user's email.


3) The server, running Node.JS and passport-facebook, now needs to verify the authenticity of the access token directly from Facebook. Facebook does not care for an e-mail. It will just verify the access token.


4) Facebook returns a response to Node.js confirming the authenticity of the access token. The response also contains other metadata about the user, including their email and other profile data.


My question is, should Node.js take the email that's also coming back from Facebook's access token verification payload, and verify that it is what came back from the React client? Would this not prevent someone from brute-forcing an accessToken and require them to not only have an accessToken but also know who the accessToken belongs to? This could prevent a user from submitting a bunch of HTTP POST requests to the Node.js server attempting different access tokens. They would not only have to guess an access token assigned to the application's clientID, but also know the e-mail it belongs to. Is this an over-engineered approach?


Your approach to validate the email as well as the token is a bit superfluous because Facebook's opaque user access tokens are inherently tied to email.

From Facebook:


An access token is an opaque string that identifies a user, app, or Page


"opaque" is defined by Auth0 here


Opaque Access Tokens are tokens in a proprietary format that typically contain some identifier to information in a server’s persistent storage


In your case, the identifier is the user's email, and the server belongs to Facebook.


I will elaborate further. Here is your step by step with some edits:


  1. User uses React component on the client to authenticate with Facebook, inputting both their email and password directly to Facebook. React component gets the token from Facebook on login success.

  2. React component successfully authenticates with Facebook and fires an HTTP request to the server with an access token and the user's email.

  3. The server, running Node.JS and passport-facebook, now needs to verify the authenticity of the access token directly from Facebook. Facebook does not care for an e-mail. It will just verify the access token because the access token is already tied to the email.

  4. Facebook returns a response to Node.js confirming the authenticity of the access token. The response also contains other metadata about the user, including their email and other profile data.


This is Facebook's bug bounty program. If their OAuth was really as cracked as to require a second email validation, it would have been patched almost immediately by this incentive.
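The server side of step 3 in the question and in the answer's edited list, as an added example that is neither the question's, the answer's, nor passport-facebook-token's own code: the identity the server acts on is whatever Facebook ties to the token (user id, email, the app it was issued to), and the email in the client's payload is only compared for auditing. Facebook's GET /debug_token and GET /me calls are replaced by a constructed in-memory table, and APP_ID, the token strings, inspectToken and resolveIdentity are all constructed names so the example runs offline.

```javascript
// Added example (not from the question, the answer, or passport-facebook-token).
// The identity the server trusts comes from Facebook's own answer about the
// token; the email the React client sent is compared only for auditing.
// Facebook's GET /debug_token and GET /me?fields=id,email are replaced by a
// constructed in-memory table so the example runs offline.
const APP_ID = '123456789012345'; // constructed placeholder for the app's clientID

const FAR_FUTURE = 4102444800; // constructed expiry (Unix seconds, year 2100)
const FAKE_FACEBOOK = {           // constructed tokens and responses
  'EAAB.valid.token': {
    debug: { app_id: APP_ID, is_valid: true, user_id: '1001', expires_at: FAR_FUTURE },
    me: { id: '1001', email: 'alice@example.com' },
  },
  'EAAB.other.app': {             // valid token, but minted for a different app
    debug: { app_id: '999999', is_valid: true, user_id: '1002', expires_at: FAR_FUTURE },
    me: { id: '1002', email: 'bob@example.com' },
  },
  'EAAB.expired': {               // constructed case: is_valid set, but expires_at has passed
    debug: { app_id: APP_ID, is_valid: true, user_id: '1001', expires_at: 1 },
    me: { id: '1001', email: 'alice@example.com' },
  },
};

// Stand-in for the two Graph API calls the server would make with the token.
function inspectToken(accessToken) {
  return FAKE_FACEBOOK[accessToken] || { debug: { is_valid: false }, me: null };
}

// Returns the identity the server may act on, or null if the token is unusable.
// clientEmail is what the client's payload claimed; it never decides identity.
function resolveIdentity(accessToken, clientEmail, now = Math.floor(Date.now() / 1000)) {
  const { debug, me } = inspectToken(accessToken);
  if (!debug.is_valid) return null;                // Facebook rejects the token
  if (debug.app_id !== APP_ID) return null;        // token belongs to another app's clientID
  if (debug.expires_at <= now) return null;        // stale token
  if (!me || me.id !== debug.user_id) return null; // inconsistent responses
  return {
    userId: me.id,
    email: me.email,                               // the email Facebook tied to the token
    clientEmailMismatch: clientEmail !== undefined && clientEmail !== me.email,
  };
}
```

In a real passport-facebook-token verify callback the same decision is made from the profile Facebook returns for the token; a mismatch with the client's claimed email is worth logging, but the Facebook-returned identity is the one to log the user in as.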