开发者

Forced re-authorize using LinkedIn with Oath

If it possible to force a re-authorizatio开发者_JAVA百科n (I.E asking for username and password) from the LinkedIn oauth api?

Usecase: To protect sensitive data, in case someone forgets to log out, some actions on our site can only be taken after you re-verify yourself with your password (even when logged in). We allow login using LinkedIn, in which case the user does not have a separate password on our site. In this case we would like to force a re-authorization (username/password) from the LinkedIn api so that user can still confirm his identity.

The important issue here is that it cannot just accept because the user is already logged in on LinkedIn and has accepted to app, this would not provide any level of security for someone who has forgotten to log out, it has to explicity ask for authorization by password again.


There is no way to force re-asking of the OAuth username/password once the user has logged in other than to log them out of LinkedIn first.

You can see this in action by opening your LinkedIn JSAPI-enabled site and having the user 'Sign in with LinkedIn'. Once you have completed the initial OAuth sign-in/authorization, open a tab in the same browser and go to linkedin.com - you will also have been logged into the site.

In your case, if the user simply walks away from the computer leaving the browser open, they will still be logged into both of your site AND linkedin.com. Closing the browser, or logging out via the API or the linkedin.com site will solve this.

One strategy might be that any access to 'sensitive' data generates a logout, which will clear the cookies but not the app authorization, and then to instantiate the auth dialog:

IN.User.logout();
IN.UI.Authorize().place();

Details here. I've tested this and it seems to work well.


You can do a logout call when a user wishes to logout from your site, simply make them call an iframe request to https://www.linkedin.com/secure/login?session_full_logout=&trk=hb_signout and return a successful signout message when that happens. Sounds dodgy (xss attack) but this is probably the only non-intrusive way of logging the user out.


Here's a small jQuery plugin that I wrote to help accomplish this.

First, add a data-hidden-iframe attribute to your standard "Sign Out" in your application.

<a href="/signout" data-hidden-iframe="https://www.linkedin.com/secure/login?session_full_logout=&amp;trk=hb_signout">Sign out</a>

Note that the data-hidden-iframe attribute value points at the LinkedIn logout URL that Ernest recommended.

Next, add this jQuery plugin to load a hidden iframe with the LinkedIn logout URL. It will wait until the iframe is fully loaded before propagating back to default click behavior.

$(document).ready ->
  $("[data-hidden-iframe]").loadhiddenIframeBeforeClick()

$.fn.loadhiddenIframeBeforeClick = ->
  this.on "click.iframe", ->
    return if $(this).data("already-iframed")
    event.preventDefault()
    event.stopPropagation()
    href = $(this).data("hidden-iframe")
    $(this).data("already-iframed", true)
    $("<iframe style='display:none;'>").attr("src", href).appendTo("body").load =>
      $(this).trigger("click")

For those that cannot read CoffeeScript, here's the equivalent JavaScript:

$(document).ready(function() {
  return $("[data-hidden-iframe]").loadhiddenIframeBeforeClick();
});

$.fn.loadhiddenIframeBeforeClick = function() {
  return this.on("click.iframe", function() {
    var href,
      _this = this;
    if ($(this).data("already-iframed")) return;
    event.preventDefault();
    event.stopPropagation();
    href = $(this).data("hidden-iframe");
    $(this).data("already-iframed", true);
    return $("<iframe style='display:none;'>").attr("src", href).appendTo("body").load(function() {
      return $(_this).trigger("click");
    });
  });
};


I know this is an old question in which I am answering.. But it can help someone to get out of this problem

There is a solution I have recently implemented just create a fake webview call with the actual logout url for linkedin that is

https://www.linkedin.com/secure/login?session_full_logout=&trk=hb_signout

Just call the above url with a fake webview, incase of iOS it could be

UIWebView *webView=[[UIWebView alloc] initWithFrame:CGRectZero];
NSURLRequest *req=[NSURLRequest requestWithURL:[NSURL URLWithString:@"https://www.linkedin.com/secure/login?session_full_logout=&trk=hb_signout"]];
webView.delegate=self;
[webView loadRequest:req];

Hope it helps someone..


If you want to force the user to re-login with their Linked In credentials, then just take them through the authorization process again. However, it will have to be the entire authorization process with Linked In requesting the user to authorize your application and you storing a new OAuth token.

0

上一篇:

下一篇:

精彩评论

暂无评论...
验证码 换一张
取 消

最新问答

问答排行榜