Simple scenario, let's say a user has two email addresses:
简单的场景是,假设用户有两个电子邮件地址:
[email protected]
[email protected]
I want to authenticate both email addresses. All of the examples in the docs involve storing one oauth token per user account, e.g.:
我想验证这两个电子邮件地址。文档中的所有示例都涉及为每个用户帐户存储一个OAuth令牌,例如:
class CredentialsModel(models.Model):
id = models.ForeignKey(User, primary_key=True)
credential = CredentialsField()
So if a single user account on my website has multiple associated email addresses, do I still store one oauth2 credential for that user? Or do I need to use the email address as the primary key instead of using the user id as a foreign key? Right now I'm storing a different credential for each email address, although when I look in the database the credential looks the same for both of my email addresses. I'm not sure if I'm just doing something wrong or what.
那么,如果我的网站上的一个用户帐户有多个关联的电子邮件地址,我是否仍然为该用户存储一个OAuth2凭据?或者,我是否需要使用电子邮件地址作为主键,而不是使用用户ID作为外键?现在,我为每个电子邮件地址存储了不同的凭据,尽管当我在数据库中查找时,两个电子邮件地址的凭据看起来是相同的。我不确定我是不是做错了什么。
Secondly, I realize this is a basic question, but when a user authorizes an email address, how do I know which email address they have authorized? I'm using the google-api-python-client to do all the validation, but I don't see anything in the python docs about how to do this.
其次,我意识到这是一个基本的问题,但当用户授权电子邮件地址时,我如何知道他们授权了哪个电子邮件地址?我使用google-api-python-client来执行所有的验证,但我在python文档中看不到任何关于如何执行此操作的内容。
更多回答
The given example class does not imply that there can be only one token per user. The user is a ForeignKey
, so there can be many CredentialsModel
instances per User
. On the other hand the application code has to support that as well.
给定的示例类并不意味着每个用户只能有一个令牌。用户是ForeignKey,因此每个用户可以有多个CredentialsModel实例。另一方面,应用程序代码也必须支持这一点。
Any hints on how to support that in my application code? The python docs only give the examples of Storage.get() for retrieving keys, but there isn't any example of how to then associate a key with a given email address.
有什么关于如何在我的应用程序代码中支持它的提示吗?Python文档只给出了检索关键字的Storage.get()的示例,但没有任何示例说明如何将关键字与给定的电子邮件地址相关联。
优秀答案推荐
OAuth never "entertains" user authentication at all. It's up to the service provider to worry about it. All that OAuth provide is that the consumer (in this case, your application) can have access to the resource authorized by the user (after a successful authentication to the service provider provided by the service provider itself).
OAuth根本不“接受”用户身份验证。这是由服务提供商来担心的。OAuth所提供只是使用者(在本例中是您的应用程序)可以访问用户授权的资源(在对服务提供者本身提供的服务提供者成功进行身份验证之后)。
The OAuth 2 credentials must be linked to the application that registered to the service provider through the oauth 2 endpoint.
OAuth 2凭据必须链接到通过OAuth 2端点注册到服务提供商的应用程序。
Secondly, I realize this is a basic question, but when a user
authorizes an email address, how do I know which email address they
have authorized?
You don't. The service provider does the authentication. This is to prevent 3rd party authentication by any 3rd party mechanism. Your application must just worry about getting an access token (which does expire) and what services it has access to. Receiving an access token is a "guarantee" that the user has successfully authenticated and has authorized your application in obtaining your protected resources.
您不需要。服务提供商进行身份验证。这是为了防止任何第三方机制进行第三方身份验证。您的应用程序只需考虑获取访问令牌(该令牌已过期)以及它可以访问哪些服务。收到访问令牌是对用户已成功进行身份验证并授权您的应用程序获取受保护资源的“保证”。
I know this question is ancient, but I'm here and the problem is evergreen.
我知道这个问题由来已久,但我在这里,问题是常青树。
My way around this problem:
I've amended my Identity Provider to collect multiple email addresses, and allow verification of them.
The app doesn't allow manual registrations, only oauth registrations. Then there's no e-mail matching, it's just matching the user ID.
The verified emails are passed through in the user object (the app needs them to match invites to teams).
My identity provider doesn't allow registration via other identity providers, just linking; and then you can 1-click logon.
我解决这个问题的方法:我修改了我的身份提供商,收集多个电子邮件地址,并允许对它们进行验证。这款应用不允许手动注册,只允许OAuth注册。然后没有电子邮件匹配,它只是匹配用户ID。验证的电子邮件在User对象中传递(应用程序需要它们将邀请匹配到团队)。我的身份提供商不允许通过其他身份提供商注册,只允许链接;然后您可以单击登录。
It's not perfect, but it's good and it avoids creating dead user profiles and trying to merge them later.
它不是完美的,但它很好,而且它避免了创建死用户配置文件并在以后尝试合并它们。
更多回答
Thanks. To get back to my original question though, if a user in the client application has multiple email addresses they need to authenticate, each email address would need a separate oauth credential, correct? (As opposed to one credential being able to authenticate multiple google accounts.)
谢谢。回到我最初的问题,如果客户端应用程序中的用户有多个需要身份验证的电子邮件地址,每个电子邮件地址都需要单独的OAuth凭据,对吗?(而不是一个凭据可以验证多个谷歌账户。)
The service provider must manage the link of access token (for the OAuth consumer) to the user. How the service provider manages it is dependent only to the service provider. One would map the access token to the authenticated user ID but that all depends on how the service provider manages authentication and access token management.
服务提供商必须管理访问令牌(用于OAuth消费者)到用户的链接。服务提供商如何管理它仅取决于服务提供商。可以将访问令牌映射到经过身份验证的用户ID,但这完全取决于服务提供商如何管理身份验证和访问令牌管理。
我是一名优秀的程序员,十分优秀!