Can you have a web service on the server side (protected by SSL and digital certificate to make sure no one else can access it) that takes some unique MAC (or HW data) and returns the proper OAuth token to the STB?
So the flow would be:
1) STB boots up, sends unique HW data to server via web service to retrieve OAuth Token
- If token exists, go to step 4 otherwise go to step 2
2) User does OAuth authentication at STB.
3) STB stores token in local memory and sends it via web service to server side along with some unique HW data
4) STB uses OAuth token to do normal functions
5) STB is unplugged, turned off, etc., which makes it lose the token from local memory
Back to Step 1.
Issues to look out for:
A) User returns STB since they no longer want service. You need to clear the token somehow in case another user gets that STB. You don't want the new user getting the old user's data.
B) STB breaks and user has to get a new one. Should they have to re-authenticate, or would the token move over automatically to the new unique HW data?
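
The flow above, including issues A and B, as an added Python example that is not part of the original post. The names `TokenEscrow`, `boot`, `deprovision` and `transfer`, the in-memory dict, the HMAC-indexed hardware ID and the sample MAC addresses are assumptions; the SSL/certificate-protected transport is assumed to sit in front of these calls.

```python
import hashlib
import hmac
import secrets

class TokenEscrow:
    """Server side: maps a device's unique HW data to its OAuth token."""
    def __init__(self, index_key: bytes):
        self._index_key = index_key   # server secret, so raw HW IDs are not stored
        self._tokens = {}             # HMAC(hw_id) -> OAuth token (in-memory stand-in)

    def _index(self, hw_id: str) -> str:
        return hmac.new(self._index_key, hw_id.lower().encode(),
                        hashlib.sha256).hexdigest()

    def fetch(self, hw_id):           # step 1: STB asks for its token at boot
        return self._tokens.get(self._index(hw_id))

    def store(self, hw_id, token):    # step 3: STB uploads token after user login
        self._tokens[self._index(hw_id)] = token

    def deprovision(self, hw_id):     # issue A: STB returned, clear its token
        # A real deployment would also revoke the token at the OAuth provider.
        return self._tokens.pop(self._index(hw_id), None) is not None

    def transfer(self, old_hw_id, new_hw_id):   # issue B: replacement STB
        token = self._tokens.pop(self._index(old_hw_id), None)
        if token is None:
            return False
        self._tokens[self._index(new_hw_id)] = token
        return True

def boot(escrow, hw_id, authenticate):
    """Steps 1-4 on the STB: returns (token, user_was_prompted)."""
    token = escrow.fetch(hw_id)
    if token is not None:
        return token, False           # token exists: skip to step 4
    token = authenticate()            # step 2: user does OAuth at the STB
    escrow.store(hw_id, token)        # step 3
    return token, True

def demo():
    escrow = TokenEscrow(secrets.token_bytes(32))
    login = lambda: "tok-" + secrets.token_hex(8)   # constructed stand-in for OAuth
    hw = "00:11:22:33:44:55"                        # constructed sample HW ID
    first, prompted1 = boot(escrow, hw, login)
    second, prompted2 = boot(escrow, hw, login)     # step 5: power loss, reboot
    escrow.deprovision(hw)                          # issue A: STB returned
    third, prompted3 = boot(escrow, hw, login)      # next user must authenticate
    return prompted1, prompted2, first == second, prompted3, third != first

if __name__ == "__main__":
    print(demo())
```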