
Forced re-authorize using LinkedIn with OAuth

Developer https://www.devze.com 2023-04-12 23:24 Source: Web
Is it possible to force a re-authorization (i.e. asking for username and password) from the LinkedIn OAuth API?


Use case: To protect sensitive data, in case someone forgets to log out, some actions on our site can only be taken after you re-verify yourself with your password (even when logged in). We allow login using LinkedIn, in which case the user does not have a separate password on our site. In this case we would like to force a re-authorization (username/password) from the LinkedIn API so that the user can still confirm his identity.

The important issue here is that it cannot just be accepted because the user is already logged in on LinkedIn and has accepted the app; this would not provide any level of security for someone who has forgotten to log out. It has to explicitly ask for authorization by password again.


There is no way to force re-asking of the OAuth username/password once the user has logged in other than to log them out of LinkedIn first.

You can see this in action by opening your LinkedIn JSAPI-enabled site and having the user 'Sign in with LinkedIn'. Once you have completed the initial OAuth sign-in/authorization, open a tab in the same browser and go to linkedin.com - you will also have been logged into the site.

In your case, if the user simply walks away from the computer leaving the browser open, they will still be logged into both your site AND linkedin.com. Closing the browser, or logging out via the API or the linkedin.com site, will solve this.

One strategy might be that any access to 'sensitive' data generates a logout, which will clear the cookies but not the app authorization, and then instantiates the auth dialog:

IN.User.logout();          // clears the LinkedIn session cookies; the app authorization itself remains
IN.UI.Authorize().place(); // opens the LinkedIn sign-in dialog again, so the user must enter their password

Details here. I've tested this and it seems to work well.


You can do a logout call when a user wishes to logout from your site, simply make them call an iframe request to https://www.linkedin.com/secure/login?session_full_logout=&trk=hb_signout and return a successful signout message when that happens. Sounds dodgy (xss attack) but this is probably the only non-intrusive way of logging the user out.


Here's a small jQuery plugin that I wrote to help accomplish this.

First, add a data-hidden-iframe attribute to your standard "Sign Out" link in your application.

<a href="/signout" data-hidden-iframe="https://www.linkedin.com/secure/login?session_full_logout=&amp;trk=hb_signout">Sign out</a>

Note that the data-hidden-iframe attribute value points at the LinkedIn logout URL that Ernest recommended.

Next, add this jQuery plugin to load a hidden iframe with the LinkedIn logout URL. It will wait until the iframe is fully loaded before propagating back to default click behavior.

$(document).ready ->
  $("[data-hidden-iframe]").loadhiddenIframeBeforeClick()

$.fn.loadhiddenIframeBeforeClick = ->
  this.on "click.iframe", (event) ->
    # second pass: the iframe has already loaded, let the click proceed normally
    return if $(this).data("already-iframed")
    event.preventDefault()
    event.stopPropagation()
    href = $(this).data("hidden-iframe")
    $(this).data("already-iframed", true)
    $("<iframe style='display:none;'>").attr("src", href).appendTo("body").on "load", =>
      # native click so the browser follows the href; jQuery's trigger("click") does not navigate anchors
      @click()

For those that cannot read CoffeeScript, here's the equivalent JavaScript:

$(document).ready(function() {
  return $("[data-hidden-iframe]").loadhiddenIframeBeforeClick();
});

$.fn.loadhiddenIframeBeforeClick = function() {
  // jQuery passes the event object to the handler; do not rely on the non-standard window.event
  return this.on("click.iframe", function(event) {
    var href,
      _this = this;
    // second pass: the iframe has already loaded, let the click proceed normally
    if ($(this).data("already-iframed")) return;
    event.preventDefault();
    event.stopPropagation();
    href = $(this).data("hidden-iframe");
    $(this).data("already-iframed", true);
    return $("<iframe style='display:none;'>").attr("src", href).appendTo("body").on("load", function() {
      // native click so the browser follows the href; jQuery's trigger("click") does not navigate anchors
      _this.click();
    });
  });
};


I know this is an old question which I am answering, but it may help someone get out of this problem.

There is a solution I have recently implemented: just create a fake webview call with the actual logout URL for LinkedIn, which is

https://www.linkedin.com/secure/login?session_full_logout=&trk=hb_signout

Just call the above URL with a fake webview; in case of iOS it could be

// zero-size web view: the logout page is loaded off-screen
UIWebView *webView = [[UIWebView alloc] initWithFrame:CGRectZero];
NSURLRequest *req = [NSURLRequest requestWithURL:[NSURL URLWithString:@"https://www.linkedin.com/secure/login?session_full_logout=&trk=hb_signout"]];
webView.delegate = self;   // webViewDidFinishLoad: tells you when the logout request has completed
[webView loadRequest:req]; // keep a strong reference (e.g. a property) so ARC does not release the view before the request finishes

Hope it helps someone.


If you want to force the user to re-login with their LinkedIn credentials, then just take them through the authorization process again. However, it will have to be the entire authorization process, with LinkedIn requesting the user to authorize your application and you storing a new OAuth token.
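The round-trip described in the answers above (log the user out of LinkedIn, run the authorization again, store the new token) only proves that somebody authenticated to LinkedIn, not that it was the person the session belongs to. As an added server-side example, not code from the question or any answer, this Python sketch gates a sensitive action on a recent re-authorization and rejects the round-trip if the member id LinkedIn returns differs from the one the session was opened with. The in-memory session dict, the member ids and the 5-minute window are assumptions.

```python
"""Step-up authentication gate for a site that signs users in via LinkedIn.

Constructed example: a plain dict stands in for the real session store, and the
OAuth callback is simulated by handing in the member id LinkedIn returned.
"""
import time

REAUTH_MAX_AGE_SECONDS = 300   # assumed policy: one re-authorization covers sensitive actions for 5 minutes


def begin_login(session, member_id, now=None):
    """Initial 'Sign in with LinkedIn': bind the session to the member id LinkedIn returned."""
    now = time.time() if now is None else now
    session["member_id"] = member_id
    session["login_at"] = now
    session["reauth_at"] = None    # no fresh proof yet; sensitive actions need a round-trip first


def complete_reauth(session, returned_member_id, now=None):
    """OAuth callback after the forced logout + authorize round-trip.

    The dialog proves only that *somebody* authenticated to LinkedIn, so the
    member id that came back must equal the one this session was opened with.
    Returns True if the re-authorization is accepted, False otherwise.
    """
    now = time.time() if now is None else now
    if session.get("member_id") is None or returned_member_id != session["member_id"]:
        session.clear()            # a different account authorized: drop the session rather than upgrade it
        return False
    session["reauth_at"] = now
    return True


def reauth_is_fresh(session, now=None, max_age=REAUTH_MAX_AGE_SECONDS):
    """True when the session holds a re-authorization younger than max_age seconds."""
    now = time.time() if now is None else now
    at = session.get("reauth_at")
    return at is not None and (now - at) <= max_age


def sensitive_action(session, now=None):
    """Gate a sensitive operation: perform it, or tell the caller to send the user back through LinkedIn."""
    if not reauth_is_fresh(session, now):
        return "reauth_required"
    return "ok"
```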
