There is website A, with its pool of users. There is a separate website B, which sells digital goods.
I want to allow users of website A to make a purchase from website B, without registering or visiting B.
Given that site A has an agreement with site B to pay the bill on a monthly basis, how can you authorize purchases without opening a vulnerabilit开发者_StackOverflow社区y for malicious attackers?
The first solution which come to my mind, storing a master password to authorize single user purchase, is a security nightmare, but I can't thing anything better. Any ideas?
You can use SAML (http://en.wikipedia.org/wiki/SAML) for this purpose.
Site A will have username/password and other information to authenticate end users. After authentication, site A can send users to site B and site B will call a service exposed by site A to confirm that user is indeed sent from site A.
E.g.
- user 'abc' logins on site A
- user clicks on something (on site A) to buy something from site B
- Site A generates some random and unique token for this action.
- User is sent to Site B (usually by POST on a form that points to site B). One of the form fields would be this token
- Site B calls some service on Site A to validate the token and to retrieve username for which token was generated. Service might return other things like purchase limit for this transaction.
It is VERY important that the whole communication happens over SSL. This will help mitigating Man-in-the-middle attacks.
![Interactive visualization of a graph in python [closed]](https://www.devze.com/res/2023/04-10/09/92d32fe8c0d22fb96bd6f6e8b7d1f457.gif)
加载中,请稍侯......
精彩评论