I'm getting mixed signals on the web about authentication/authorization mechanisms, especially for mobile applications.
- There is OAuth 1.0, but it's claimed to be more complicated than it needs to be and doesn't support native clients too well (callback URLs are very browser-centric). On the other hand, there is one major provider that supports it (Twitter).
- Then there is OAuth 2.0, which is supposed to be an improvement over 1.0, and it gets rid of client-side crypto in its default incantation (replaced with bearer tokens), but some people are of the opinion that it's broken by design, and bearer tokens are no better than cookies. An SSL certificate from a sketchy provider can trick a mobile client more easily into believing that the endpoint is a trusted authority. However, two major providers (Google and Facebook) support it.
- And then there are people who advocate sidestepping the whole mess and rolling your own.
So, what's the situation?