Should I be using OAuth to pass data across servers, from JavaScript to C#?_问答_开发者

Should I be using OAuth to pass data across servers, from JavaScript to C#?

开发者 https://www.devze.com 2023-03-25 06:50 出处：网络

I have a requirement to pass data from JavaScript running in a private/secure environment (i.e. not public) to 开发者_运维问答an ASP.NET page on a public website. The method I\'m currently trying is t

I have a requirement to pass data from JavaScript running in a private/secure environment (i.e. not public) to 开发者_运维问答an ASP.NET page on a public website. The method I'm currently trying is this (roughly):

Javascript (inc. sha256.js):

var key = "myVeryLongAndUnguessableKey&#^@23981238#&#&!*";
var nonce = "<randomly generated value>";
var expiry = new Date().getTime();
var data_to_pass = "name1=value1&name2=value2&name3=value3";

var concatStr = key + nonce + expiry + data_to_pass;
var hashed = sha256_digest(concatStr);

var requestURL = "http://myPublicServer/myscript.aspx?" + data_to_pass + 
                 "&nonce=" + nonce + "&expiry=" + expiry + "&checksum=" + hashed;

//do redirect to requestURL

On the C# side I then take the querystring parameters, split out the nonce, expiry and checksum, add in a local value of the key, rehash it and check for a match between the checksum and new hash. If it does match, then I can take and use the 'data_to_pass' name/value pairs.

This works, and seems pretty secure.

My boss is asking that I check out OAuth and maybe use that instead, but I cannot work out if OAuth is appropriate for what I want to do.

OAuth.net defines OAuth as:

OAuth provides a method for users to grant third-party access to their resources without sharing their passwords. It also provides a way to grant limited access (in scope, duration, etc.).

I'm not looking to provide access to anyone or anything, but rather to pass data in a relatively secure manner (as secure as JavaScript can be).

Am I missing something about OAuth? Could it be used for what I want to do, and if so.. any articles or examples that might help me wrap my head around it?

As always, many thanks - This community rocks!

Kevin

It looks like you are sending this request over an insecure channel and just want to get some integrity validation to make sure only you can send those requests to the public endpoint. OAuth can be pretty helpful here.

You have two options:

Use OAuth 1.0 as defined in RFC 5849 section 3 and simple use an empty access token and access token secret. The client identifier can be anything and the client secret is your key above.
Use the HTTP MAC authentication scheme which is an OAuth 2.0 companion protocol draft. The MAC protocol is better and much simpler but it requires using the HTTP Authorization endpoint and does not support using query parameters like in OAuth 1.0.

Option 2 is pretty simple (take a look at the node.js MAC module) to implement. OAuth 1.0 doesn't support SHA-256 but you can either adapt it or only use the signature base string.

The bottom line is that if you have a closed system, none of this matter very much. Pick whatever is easier. But if you expect third-party developers to work with this, then using a standard is better.

As for your code above, you should use HMAC-SHA256 not just a plain hash function, and if you are going to allow this same key to be used for more than one endpoint, you need to bind the request to the absolute URI to prevent data from one request used on another. Also, since you don't include a timestamp, checking nonces will eventually become a problem with an ever growing list.

OAuth is an authentication protocol (giving access to resources) not an transport encryption protocol.

If you want to make the transport secure, consider using SSL if you have control of the (public) server implementation.