How to authenticate a mobile app without entering a username and password?

2023-09-05 05:08:23 Author: 青巷

I'm building a Webapp that uses OpenId to authenticate users, like Stackoverflow does. There will be a mobile App too, e.g. Android or iPhone. These Apps have to authenticate or log in somehow, to access data and update stuff that belongs to the user. Since there is no username and password one could provide to authenticate the mobile device, I wonder how to achieve this.

Two ways came to mind:

Generate some key on the server that must be entered on the device. This key will be sent as auth-key when the mobile device sends or requests data, and the user can be linked that way. When using this option, the key should be transported somehow to the user, so he doesn't have to type it in. Maybe via email, SMS or by scanning a barcode.

The mobile App uses the Browser or shows an integrated Web-Panel that opens a special page of the Webapp. On this page, the user has to log in, and could then allow the mobile App to read and write data.

My question is: Are both ways possible and safe? Which one would you prefer? What are the details to watch out for? Are there any other ways to do this? If I got it all right, it would not be possible to use OpenId on the Device and link the mobile and the webapp that way, right?

Recommended answer

I have done the following to achieve this:

1. When the App first starts, I test if there is an authentication token and if it is still valid.
2. If not, I use [startActivityForResult][1] to open my login activity.
3. The LoginActivity uses a WebView and opens the "authenticate app" page (e.g. https://www.yourdomain.com/authapp) from the web application.
4. If the user is not logged into the webapp, he has to do this now. Upon successful login, he gets redirected to the "authenticate app" page.
5. The "authenticate app" page contains the text "would you like the mobile app to access your data" and a "grant" and "cancel" button.
6. If the user hits "grant", the web app generates an authentication token, writes it to the database and redirects to a response page, attaching the generated authentication token to the URL (e.g. https://www.yourdomain.com/authresponse?auth_token=dshf84z4388f4h).
7. The mobile application extracts the token from the URL and uses it for authentication when talking to the server.

The WebLogin Activity looks like this: (note: you have to override "shouldOverrideUrlLoading" to stay in the same WebView. Otherwise, a new browser is opened when you receive some redirect)

```java
import android.app.Activity;
import android.net.Uri;
import android.os.Bundle;
import android.webkit.WebView;
import android.webkit.WebViewClient;

public class WebLogin extends Activity {

    // The web app redirects here after "grant", with the token in the query string
    private static final String AUTH_RESPONSE = "https://www.yourdomain.com/authresponse";

    @Override
    protected void onCreate(Bundle savedInstanceState) {
        super.onCreate(savedInstanceState);

        WebView webview = new WebView(this);
        webview.setWebViewClient(new WebViewClient() {

            // Keep every redirect inside this WebView instead of launching the browser
            @Override
            public boolean shouldOverrideUrlLoading(WebView view, String url) {
                view.loadUrl(url);
                return true;
            }

            @Override
            public void onPageFinished(WebView view, String url) {
                // Only react to the response page of our own web app
                if (url != null && url.startsWith(AUTH_RESPONSE) && url.contains("?auth_token=")) {
                    // extract and save token here
                    String token = Uri.parse(url).getQueryParameter("auth_token");
                    getSharedPreferences("auth", MODE_PRIVATE)
                            .edit().putString("auth_token", token).apply();

                    setResult(RESULT_OK);
                    finish();
                }
            }
        });

        // Enable JavaScript before the first load so the login page works
        webview.getSettings().setJavaScriptEnabled(true);
        webview.loadUrl("https://www.yourdomain.com/authapp");
        setContentView(webview);
    }
}
```

Note, I use https to make this safe. If you use plain http, one could read and steal the token of a user.

[1]: http://developer.android.com/reference/android/app/Activity.html#startActivityForResult(android.content.Intent, int)
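The server-side half of the flow in the answer above, as an added example that is not part of the original answer: it mints the token behind the "grant" button, stores only its hash together with an expiry, builds the /authresponse redirect, and shows both the client-side extraction that onPageFinished has to perform and the later check on an API request. The URLs are the ones from the answer; the SQLite table, the 30-day lifetime, SHA-256 hashing of the stored token and the "Authorization: Bearer" header are assumptions made for this example.

```python
"""Server- and client-side token handling for the WebView login flow.

Added example, not the answer's code. Assumptions: the token is an opaque
random string, the database keeps only its SHA-256 hash plus an expiry,
and the app later presents it in an "Authorization: Bearer" header.
"""
import hashlib
import secrets
import sqlite3
import time
from typing import Dict, Optional
from urllib.parse import parse_qs, urlencode, urlsplit

# URL from the answer; the app waits for a redirect to it
AUTH_RESPONSE_URL = "https://www.yourdomain.com/authresponse"
TOKEN_TTL_SECONDS = 30 * 24 * 3600  # assumption: a granted token lives 30 days


def _token_hash(token: str) -> str:
    # Store a hash, so a leaked database does not hand out usable tokens
    return hashlib.sha256(token.encode("utf-8")).hexdigest()


class TokenStore:
    """Constructed in-memory stand-in for the web app's token table."""

    def __init__(self) -> None:
        self.db = sqlite3.connect(":memory:")
        self.db.execute(
            "CREATE TABLE app_tokens ("
            "token_hash TEXT PRIMARY KEY, user_id TEXT NOT NULL, expires_at INTEGER NOT NULL)"
        )

    def grant(self, user_id: str, now: Optional[float] = None) -> str:
        """What the 'grant' button does: mint a token for the logged-in user."""
        now = time.time() if now is None else now
        token = secrets.token_urlsafe(32)  # 256 bits of randomness, URL-safe alphabet
        self.db.execute(
            "INSERT INTO app_tokens VALUES (?, ?, ?)",
            (_token_hash(token), user_id, int(now + TOKEN_TTL_SECONDS)),
        )
        return token

    def user_for(self, token: str, now: Optional[float] = None) -> Optional[str]:
        """Resolve a presented token to its user; None if unknown, revoked or expired."""
        now = time.time() if now is None else now
        row = self.db.execute(
            "SELECT user_id, expires_at FROM app_tokens WHERE token_hash = ?",
            (_token_hash(token),),
        ).fetchone()
        if row is None or row[1] <= now:
            return None
        return row[0]

    def revoke(self, token: str) -> None:
        """Lets the user (or the app on logout) invalidate a token early."""
        self.db.execute("DELETE FROM app_tokens WHERE token_hash = ?", (_token_hash(token),))


def build_response_url(token: str) -> str:
    """Server side: the redirect the web app issues after 'grant'."""
    return AUTH_RESPONSE_URL + "?" + urlencode({"auth_token": token})


def extract_token(url: str) -> Optional[str]:
    """Client side: what onPageFinished should do with the URL it sees."""
    parts = urlsplit(url)
    expected = urlsplit(AUTH_RESPONSE_URL)
    # Accept the token only from our own host, over https, on the response path
    if (parts.scheme, parts.netloc, parts.path) != (expected.scheme, expected.netloc, expected.path):
        return None
    values = parse_qs(parts.query).get("auth_token")
    return values[0] if values else None


def authenticate_request(store: TokenStore, headers: Dict[str, str],
                         now: Optional[float] = None) -> Optional[str]:
    """API side: map a later request's Bearer token back to a user."""
    auth = headers.get("Authorization", "")
    if not auth.startswith("Bearer "):
        return None
    return store.user_for(auth[len("Bearer "):], now=now)


def demo() -> Dict[str, object]:
    """Runs the whole exchange on constructed data and returns the outcomes."""
    store = TokenStore()
    t0 = 1_700_000_000.0
    token = store.grant("alice", now=t0)
    url = build_response_url(token)          # what the WebView is redirected to
    got = extract_token(url)                 # what the app pulls out of it
    hdr = {"Authorization": "Bearer " + (got or "")}
    result: Dict[str, object] = {
        "roundtrip": got == token,
        "user": authenticate_request(store, hdr, now=t0 + 60),
        "expired": authenticate_request(store, hdr, now=t0 + TOKEN_TTL_SECONDS + 1),
        "other_host": extract_token("https://evil.example/authresponse?auth_token=" + token),
        "plain_http": extract_token(url.replace("https://", "http://", 1)),
    }
    store.revoke(token)
    result["revoked"] = authenticate_request(store, hdr, now=t0 + 60)
    return result


if __name__ == "__main__":
    print(demo())
```

Because the token rides in a query string, it can end up in server logs, WebView history and Referer headers; keeping only a hash in the database, giving every token an expiry and offering a revoke path limit what a leaked copy is worth. extract_token refuses tokens from any origin other than the web app's own https host and response path, which is the same filter the WebView's onPageFinished should apply before trusting a URL.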