For my site I am using a login system much like the one on SO. A user can login with his Facebook, Google (Gmail openID), Twitter account.
对于我的网站,我使用的登录系统很像SO上的登录系统。用户可以使用他的Facebook,Google(Gmail openID),Twitter帐户登录。
This question is not about specific oAuth or openID implementations.
这个问题与特定的oAuth或openID实现无关。
The question is how to know if the same user logins with different providers.
问题是如何知道同一用户是否使用不同的提供程序登录。
Let me give an example:
让我举个例子:
Bobo comes to site logins to site by clicking on "Login with Facebook". Because this is his first visit we create an account for him.
Bobo点击“使用Facebook登录”访问网站登录网站。因为这是他第一次访问,我们为他创建了一个帐户。
Later Bobo comes to the site. This time he clicks on "Login with Google". So how do I know if this is the same person so I can add this provider to his account instead of creating a new (and duplicate) account.
后来Bobo来到了这个网站。这次他点击“使用Google登录”。那么我怎么知道这是否是同一个人,所以我可以将这个提供者添加到他的帐户,而不是创建一个新的(和重复的)帐户。
Can I trust solely on email?
我可以完全信任电子邮件吗?
What is the best way to handle this. How does SO do it?
处理这个问题的最佳方法是什么。 SO怎么做的?
Any ideas?
Edit: If I trust on email is there a possibility that the same email can be used by different users? Can this be a security issue?
编辑:如果我信任电子邮件,是否有可能不同用户使用相同的电子邮件?这可能是一个安全问题吗?
3 个解决方案
#1
1
I think you can't really know this unless the user explicitly says it's Bobo again. His FB and Google OpenID identities may have completely different info (as do mine). Only Bobo knows that these belong to the same person.
我认为除非用户再次明确表示它是Bobo,否则你无法真正了解这一点。他的FB和Google OpenID身份可能有完全不同的信息(我的也是如此)。只有波波知道这些属于同一个人。
See how it's done here at SO: you log in with OpenID, then you can link another OpenID to your account. Hint your user do so, too. Provide a large enough "I already have an account here" button in the login process.
看看它是如何在SO处完成的:您使用OpenID登录,然后您可以将另一个OpenID链接到您的帐户。提示您的用户也这样做。在登录过程中提供足够大的“我已在此处拥有帐户”按钮。
#2
0
Unless both accounts provide the same email address, you would not be able to reliably determine that they were both the same user.
除非两个帐户都提供相同的电子邮件地址,否则您将无法可靠地确定它们都是同一个用户。
If you want a user to be able to login with multiple oAuth/OpenID accounts, you could provide a mechanism to allow the user to add additional authentications from their user account.
如果您希望用户能够使用多个oAuth / OpenID帐户登录,则可以提供一种机制,允许用户从其用户帐户添加其他身份验证。
#3
0
Go to your profile on this site, there, above your details, you will see 2 links: edit | add openid
转到您在此网站上的个人资料,在您的详细信息上方,您将看到2个链接:编辑|添加openid
Usually you will have 1 user = 1 login details (login/password stored together with the rest of info). In this multi-id situation you have to store login details separately (1 user may have more than 1 login id). Simple 1-to-many relation between DB tables.
通常,您将拥有1个用户= 1个登录详细信息(登录/密码与其余信息一起存储)。在这种多id情况下,您必须单独存储登录详细信息(1个用户可能具有多个登录ID)。 DB表之间简单的一对多关系。
#1
1
I think you can't really know this unless the user explicitly says it's Bobo again. His FB and Google OpenID identities may have completely different info (as do mine). Only Bobo knows that these belong to the same person.
我认为除非用户再次明确表示它是Bobo,否则你无法真正了解这一点。他的FB和Google OpenID身份可能有完全不同的信息(我的也是如此)。只有波波知道这些属于同一个人。
See how it's done here at SO: you log in with OpenID, then you can link another OpenID to your account. Hint your user do so, too. Provide a large enough "I already have an account here" button in the login process.
看看它是如何在SO处完成的:您使用OpenID登录,然后您可以将另一个OpenID链接到您的帐户。提示您的用户也这样做。在登录过程中提供足够大的“我已在此处拥有帐户”按钮。
#2
0
Unless both accounts provide the same email address, you would not be able to reliably determine that they were both the same user.
除非两个帐户都提供相同的电子邮件地址,否则您将无法可靠地确定它们都是同一个用户。
If you want a user to be able to login with multiple oAuth/OpenID accounts, you could provide a mechanism to allow the user to add additional authentications from their user account.
如果您希望用户能够使用多个oAuth / OpenID帐户登录,则可以提供一种机制,允许用户从其用户帐户添加其他身份验证。
#3
0
Go to your profile on this site, there, above your details, you will see 2 links: edit | add openid
转到您在此网站上的个人资料,在您的详细信息上方,您将看到2个链接:编辑|添加openid
Usually you will have 1 user = 1 login details (login/password stored together with the rest of info). In this multi-id situation you have to store login details separately (1 user may have more than 1 login id). Simple 1-to-many relation between DB tables.
通常,您将拥有1个用户= 1个登录详细信息(登录/密码与其余信息一起存储)。在这种多id情况下,您必须单独存储登录详细信息(1个用户可能具有多个登录ID)。 DB表之间简单的一对多关系。