0

我可能遗漏了一些非常愚蠢的东西,并且在Google Federated Login文档中遗漏了它,但是 Google OpenID 登录对于请求站点来说实际上是安全的吗?请求站点如何知道详细信息来自 Google 而不仅仅是在 URL 中输入查询字符串参数的人?

为了说明,我在 PHP 中实现了一个基本的 OpenID 登录序列,似乎返回的只是 URL 中的一堆查询字符串参数,我可以使用这些参数来获取 OpenID 详细信息,效果很好。问题是,如果我只是在地址栏中手动输入这些内容而没有实际使用 Google 登录,我的请求站点如何知道其中的区别?

一、索取资料的表格:

<form method='post' action='https://www.google.com/accounts/o8/ud'>

    <input type='hidden' name='openid.return_to' value='http://www.example/com/logged-in' />

    <input type='hidden' name='openid.mode' value='checkid_setup' />
    <input type='hidden' name='openid.ns' value='http://specs.openid.net/auth/2.0' />
    <input type='hidden' name='openid.claimed_id' value='http://specs.openid.net/auth/2.0/identifier_select' />
    <input type='hidden' name='openid.identity' value='http://specs.openid.net/auth/2.0/identifier_select' />

    <input type='hidden' name='openid.ns.ax' value='http://openid.net/srv/ax/1.0' />
    <input type='hidden' name='openid.ax.mode' value='fetch_request' />
    <input type='hidden' name='openid.ax.required' value='email,firstname,lastname' />
    <input type='hidden' name='openid.ax.type.email' value='http://axschema.org/contact/email' />
    <input type='hidden' name='openid.ax.type.firstname' value='http://axschema.org/namePerson/first' />
    <input type='hidden' name='openid.ax.type.lastname' value='http://axschema.org/namePerson/last' />

    <input type='submit' value='Login With Google Account' />

</form>

http://www.example.com/logged-in...效果很好,用一大堆 URL 参数将我发送回请求站点,如下所示(来自 PHPprint_r调用):

Array
(
    [openid_ns] => http://specs.openid.net/auth/2.0
    [openid_mode] => id_res
    [openid_return_to] => http://www.example.com/logged-in
    [openid_ext1_type_firstname] => http://axschema.org/namePerson/first
    [openid_ext1_value_firstname] => {user's first name}
    [openid_ext1_type_email] => http://axschema.org/contact/email
    [openid_ext1_value_email] => {user's e-mail address}
    [openid_ext1_type_lastname] => http://axschema.org/namePerson/last
    [openid_ext1_value_lastname] => {user's last name}
)

...这太棒了,但我怎么知道这实际上是一个合法的请求,而不是有人在地址栏中输入上述参数?

感谢您的帮助,如果已经问过这个问题(找不到任何副本!)并且如果我遗漏了一些明显的东西,我们深表歉意!

4

1 回答 1

1

在不涉及太多细节的情况下(如果您需要血淋淋的细节,请阅读 OpenID 规范),OpenID 协议为此提供了保护措施。您收到的断言是经过签名和可验证的,并且在 ID 的命名空间方面存在限制,以防止提供者欺骗彼此的 ID。如果您使用的是已建立的库(例如 php-openid 很好),您不必为此担心太多,因为它通常在幕后得到处理。如果你想推出自己的实现......好吧,只是不要......

That said, there are some things that aren't covered in the protocol. For example, while attributes are signed in the response, you can't assume they're accurate unless you trust the particular provider. Some apps will check the URL/hostname of the provider that made the assertion (after verifying the response) and whitelist known identity providers that do proper email verification. If you need a verified email, doing this makes for a better UX. But if the assertion is from an unknown identity provider don't assume the email address actually belongs to the user unless you verify possession yourself.

于 2012-01-26T19:27:44.010 回答