0

I am implementing JavaScript based Google or Facebook OAuth for a client login system, where I hope to use the Access Token and Email Id combination returned from Google/Facebook after successful authentication of the user to create session on the Server. I have a .NET based server application. I am hoping to send this Access Token and Email Id combination using some AJAX methods like $.ajax and creating a session for this email id on the server end.

Now I have a limitation, my server is behind a firewall and it cannot contact Google/Facebook to validate the access token.

One of my colleague pointed me out that as there is no communication between my Server and Google/Facebook, any malicious user can send me user A's email id with any random access token, and I have no way to check the validity of this token whether it actually belongs to User A.

My server is using SSL communication. So, how can I make this scenario secure.

4

2 回答 2

1

您可以按照此处所述请求 ID 令牌Cloud endpoints oauth2 error

这包含 JWT 中的签名用户 ID 和电子邮件。

本文可能会有所帮助https://support.zendesk.com/entries/23675367-Setting-up-single-sign-on-with-JWT-JSON-Web-Token-

免责声明:我个人没有尝试过任何这些。另外,正如蒂姆所说,您确定不能从防火墙后面呼叫吗?

于 2013-10-02T01:48:43.463 回答
1

我认为您不应该使用无法验证的令牌。如果您无法联系 IDP 来验证令牌,我认为您的应用程序无法运行。有点奇怪,大部分防火墙都让你呼出不让别人呼入。

于 2013-10-01T21:39:24.027 回答