How can I ensure the legality of the app's APIs?

Source: Internet
Author: User
Tags: oauth
I searched Google for some app-specific user authentication solutions and compared them with cookie authentication from the traditional PC era. I thought it was not reasonable. I thought of a solution and I don't know whether it is reasonable.

This is probably the requirement: users log on to a third party and use the OAuth interface to log on to our app.

The general process is as follows:

1. The user first logs on to a third party, then the client obtains the user's data and sends it to the server over https. The transmitted data is as follows:

   {
       "user_id": "123123123",
       "access_token": "accesstokenstrng",
       "platform": "qq",
       "platform_name": "xxx"
   }

2. After the authentication succeeds on the server, it can obtain further data and create a user.
3. The server then stores the user_id, the logon status information, and a dynamically generated secret (an encrypted string) in the session store and other places.
4. The server returns the session_id and secret to the client, which stores the secret in memory.
5. Now the user has been created successfully and the https connection ends.
6. All subsequent requests involving backend additions, deletions, and modifications use plain http. When sending data, the client first signs the transmitted data with the secret and sends the signature and session_id along with it.
7. The server finds the user's data by session_id and signs the data with the same secret. If the two signatures match, the data is valid and the server can proceed to the normal business logic.

Two more questions are involved:
1. Is the initial https between the client and server necessary? In fact, I could simply build the secret into the app.
2. I use the secret to sign the data. It seems there is no difference between this and https with its public key and private key?

Possible duplicate problems: using PHP for server interface client POST for http access security
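Steps 6 and 7 of the scheme above, worked as an added Python example (not code from the question or any project): the client HMAC-signs a canonical JSON body with the per-session secret, and the server looks the secret up by session_id, recomputes the MAC and compares it in constant time. The session store, ids and secret are constructed stand-ins.

```python
import hashlib
import hmac
import json
from typing import Optional

# Constructed stand-in for the server's session store from steps 3 and 4:
# session_id -> user_id and the per-session secret. Real code would keep this in
# Redis or a database and generate the secret with a CSPRNG (secrets.token_urlsafe).
SESSIONS = {
    "sess-7f3a": {"user_id": "123123123", "secret": "constructed-per-session-secret"},
}


def canonical(data: dict) -> bytes:
    """Serialize the body deterministically so client and server MAC identical bytes."""
    return json.dumps(data, sort_keys=True, separators=(",", ":")).encode("utf-8")


def sign(secret: str, data: dict) -> str:
    """Client side (step 6): HMAC-SHA256 over the canonical body, keyed by the secret."""
    return hmac.new(secret.encode("utf-8"), canonical(data), hashlib.sha256).hexdigest()


def build_request(session_id: str, secret: str, data: dict) -> dict:
    """Everything the client sends over plain http: body, session_id and signature."""
    return {"session_id": session_id, "data": data, "sig": sign(secret, data)}


def verify_request(req: dict) -> Optional[str]:
    """Server side (step 7): fetch the secret by session_id, recompute the MAC and
    compare in constant time. Returns the user_id on success, None on any failure."""
    session = SESSIONS.get(req.get("session_id", ""))
    if session is None:
        return None  # unknown or expired session
    expected = sign(session["secret"], req.get("data", {}))
    # compare_digest does not stop at the first differing byte, so the comparison
    # time does not leak how much of a guessed signature was correct.
    if not hmac.compare_digest(expected, req.get("sig", "")):
        return None  # body or signature was altered in transit, or wrong secret
    return session["user_id"]


if __name__ == "__main__":
    body = {"action": "delete", "post_id": 42}
    req = build_request("sess-7f3a", SESSIONS["sess-7f3a"]["secret"], body)
    print("valid request ->", verify_request(req))
    tampered = dict(req, data={"action": "delete", "post_id": 43})
    print("tampered body ->", verify_request(tampered))
```

The MAC only gives integrity and sender authentication: without https the body and session_id still travel in the clear, and a request captured on the path can be resent unchanged unless a timestamp or nonce is included in the signed data.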

