Protecting a Google Cloud Endpoint from unauthorized users

Time: 2021-08-14 23:12:50

I managed to implement the auth function described by google using a clientid.

So when visiting the html page, one gets asked to authenticate with a google account.

Question: As it is now, everyone can use the site, as long as he/she has a Google account to authenticate with. How do I restrict the usage to a certain group of users? Do I need to manage a list of unique user IDs provided by the User object? Or is there already something prebuilt that I can make use of?

1 solution

#1


0  

I think the safest would be to keep a list of IDs. What is the basis on which you expect Google or anyone else to know what kind of users you want to allow?

Even if it's only geographic, there are times when people might be using proxies or using your site from a remote location.

The site you linked to also says as much:

Specifying Authorized Clients in the API Backend

You must specify which clients are allowed to access the API backend by means of a whitelist of client IDs. A client ID is generated by the Google API console from a client secret, such as the SHA1 fingerprint of a key used to secure an Android app, or from the Bundle ID/Apple Store ID pair for an iOS app, as described in Creating OAuth 2.0 Client IDs. At runtime, a client app is granted the authorization token it needs to send requests to the API backend if its client secret matches one contained in a client ID within the API backend's client ID whitelist.

Also, it's only common authentication (who is it); authorization (what they can do on your site) comes from you.
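As an added example (not from the question or the answer), here is the user-level allowlist check the answer recommends, written in Python as used by the Endpoints Frameworks. The `User`, `Unauthorized` and `get_user` names are assumed stand-ins so the snippet runs on its own, in place of the Endpoints User object, `endpoints.UnauthorizedException` and `endpoints.get_current_user()`; the allowlist values are constructed. The key points are that the list is keyed on the stable user ID rather than the e-mail address, and that the check fails closed before the API method body runs.

```python
import functools
from dataclasses import dataclass
from typing import Callable, FrozenSet, Optional


class Unauthorized(Exception):
    """Request rejected: no authenticated user, or user not on the allowlist.
    A real Endpoints backend would raise endpoints.UnauthorizedException."""


@dataclass(frozen=True)
class User:
    """Constructed stand-in for the User object Endpoints returns."""
    user_id: str  # stable opaque account id: the key to allowlist on
    email: str    # human-readable and changeable; never use it as the key


# Constructed allowlist. In production load it from a datastore or config.
ALLOWED_USER_IDS: FrozenSet[str] = frozenset({"1000001", "1000002"})


def authorize(user: Optional[User], allowed: FrozenSet[str]) -> User:
    """Authentication (is there a user?) then authorization (is it allowed?)."""
    if user is None:
        raise Unauthorized("no authenticated user")
    if user.user_id not in allowed:
        raise Unauthorized("user %s is authenticated but not allowed" % user.user_id)
    return user


def require_allowlisted(get_user: Callable[[], Optional[User]],
                        allowed: FrozenSet[str] = ALLOWED_USER_IDS):
    """Decorator for API methods; get_user stands in for endpoints.get_current_user()."""
    def wrap(method):
        @functools.wraps(method)
        def guarded(*args, **kwargs):
            user = authorize(get_user(), allowed)  # fails closed before the body runs
            return method(user, *args, **kwargs)
        return guarded
    return wrap


def make_greet(get_user: Callable[[], Optional[User]], allowed=ALLOWED_USER_IDS):
    """Build a guarded API method for a given user source (handy for tests)."""
    @require_allowlisted(get_user, allowed)
    def greet(user: User) -> str:
        return "hello " + user.email
    return greet
```

Because Endpoints itself only verifies the client ID allowlist quoted above and hands back the authenticated User, this per-user check is the part the backend author has to supply.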
