Program access admin on GAE - oauth2

Question

I have a GAE app, with a URL I restrict to admin:

- url: /admin
  script: _go_app
  login: admin

I want to PUT or POST to this URL with another Go program. What code do I need to write for the client to authenticate to GAE and dev_server.py? Is there a more sensible way than just mocking a web browser and logging in? I don't need to authenticate or authorise other users, just the admin account for that app.

Is this OAuth? OAuth2? OpenID? Federated? Something else?

I realise this is a bit of an awkward question, since I'm not even sure what the right way to ask it is. However, I am able to POST to (in this example) /admin using a web browser after logging in with my (admin) Gmail account. In that case the request (sent by Chrome) contains the cookies __cfduid and ACSID (and what I think are Google Analytics IDs). Presumably one of those is responsible for my authentication. How do I get one of those?

And as a side question, if someone MITMs my connection (over http), can they hijack my admin session by reusing that cookie?

Answer 1

Score: 2

GAE likes OAuth2

Have a look at goauth2. It seems to be the canonical OAuth2 library for Go. They provide a fairly comprehensive example at https://code.google.com/p/goauth2/source/browse/oauth/example/oauthreq.go.

With regard to your question "Presumably one of those is responsible for my authentication. How do I get one of those?", they state:

> To obtain Client ID and Secret, see the "OAuth 2 Credentials" section under
> the "API Access" tab on this page: https://code.google.com/apis/console/

And, finally, my humble opinion on "if someone MITMs my connection (over http), can they hijack my admin session by reusing that cookie?" is that you should never provide any authenticated connection (nor the connection that does the authentication) over plain http. Especially an admin section.

EDIT: To elaborate on the MITM question, make sure you use HTTPS for any login requests and subsequent requests for the same session, and make sure to set the Secure and HttpOnly flags on your cookies.

Answer 2

Score: 0

OAuth2 if you want to use Google Accounts.

See here for details: https://developers.google.com/appengine/docs/go/users/overview (this section specifically deals with admin views)

huangapple
  • Posted on 2013-05-27 20:11:50
  • Please keep this link when republishing: https://go.coder-hub.com/16772946.html