Problem description
How to handle authorizing the same third-party application multiple times for a single user account?
I'm working on a cloud‑storage API, authorized via OAuth. Users of third‑party applications can permit said application to access their files/data via our RESTful API.
Currently, we are limiting a third-party app's access to a user's account to once. E.g., the Access Token table has a UNIQUE on the consumer column and the user column. This makes sense at first glance, as the user should never be sent to our service to authorize a third-party application twice, since the third party would already know its user is already tied to our service and wouldn't need to be re-authorized.
However, what if this user has two accounts on the third‑party app, and they want said app to connect to their single account on our service twice? This seems likely, given the prevalence of multiple accounts on services such as Reddit.
Here are the possible solutions I've come up with so far, none of them being perfect:
- Display an error during the second auth request: This seems like a frustrating experience for the user, a "cop out" of sorts.
- Delete the previous token: This would likely annoy the user, as their previous accounts would stop working. Even if we display a warning, it would likely be hard to explain what exactly is happening.
- Return the same access token as the first request: Each time access is requested, a set of permissions is also passed along. The permissions for the second request could be different from the permissions for the first request. Also, I'm not sure if this would violate the OAuth spec, as the second generated Request Token isn't properly tied to the Access Token.
- Allow two to be generated: This would be confusing, as when the user visits their screen full of authorized applications to revoke one, they don't know which authorization is tied to which third-party account. We could ask for an optional third-party `username` parameter when the Request Token is generated to identify the different auths (we currently ask for a non-OAuth-standard `permission` parameter already). But this seems like it wouldn't be used by 99% of developers and could make application development more confusing.
What is the best way to handle this situation? Is there a standardized practice for handling this use‑case?
Reference solution
Method 1:
I think your last case is the right way to go: allow two to be generated.
When the user visits his screen full of authorized applications, it's not necessary to show him one and the same application twice; you just have to delete the tokens associated with the app if the user revokes application access. That is, all his authorizations to the app, with all their tokens, will go away with the revoke, which is fine.
(by Thomas Hunter II, luben)
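To make the "allow two to be generated" design from the question and the answer concrete, here is an added example (not code from the original question, the answer, or any real project): a minimal SQLite-backed access token store in Python. The table has no UNIQUE(consumer, user) constraint, each token carries the scope it was granted with, the "authorized applications" view groups by consumer so a duplicate grant does not show up twice, and revoking an app deletes every token for that consumer. Table and column names, the `scope` column, and the sample consumers `reddit-client` and `backup-tool` are assumptions chosen for illustration.

```python
import secrets
import sqlite3
from datetime import datetime, timezone

# Constructed schema for this example. Note the deliberate absence of
# UNIQUE(consumer, user): one user may hold several grants for the same
# consumer. Only the token value itself is unique.
SCHEMA = """
CREATE TABLE access_token (
    token      TEXT PRIMARY KEY,
    consumer   TEXT NOT NULL,
    user       TEXT NOT NULL,
    scope      TEXT NOT NULL,
    created_at TEXT NOT NULL
);
CREATE INDEX ix_token_user_consumer ON access_token (user, consumer);
"""


def open_db():
    conn = sqlite3.connect(":memory:")
    conn.executescript(SCHEMA)
    return conn


def issue_token(conn, consumer, user, scope):
    """Issue a fresh token for each completed authorization.

    A second grant for the same (consumer, user) pair simply adds a row;
    the earlier token keeps working with the scope it was issued with.
    """
    token = secrets.token_urlsafe(32)  # 256 bits from the OS CSPRNG
    conn.execute(
        "INSERT INTO access_token (token, consumer, user, scope, created_at) "
        "VALUES (?, ?, ?, ?, ?)",
        (token, consumer, user, " ".join(sorted(scope)),
         datetime.now(timezone.utc).isoformat()),
    )
    conn.commit()
    return token


def token_scope(conn, token):
    """Scope of a live token as a set, or None if the token is unknown/revoked."""
    row = conn.execute(
        "SELECT scope FROM access_token WHERE token = ?", (token,)
    ).fetchone()
    return None if row is None else set(row[0].split())


def authorized_apps(conn, user):
    """What the user's 'authorized applications' page lists: one entry per
    consumer with the number of live grants, never one entry per token."""
    rows = conn.execute(
        "SELECT consumer, COUNT(*) FROM access_token "
        "WHERE user = ? GROUP BY consumer ORDER BY consumer",
        (user,),
    ).fetchall()
    return {consumer: n for consumer, n in rows}


def revoke_app(conn, user, consumer):
    """Revoking an app removes every token it holds for this user.
    Returns the number of tokens deleted."""
    cur = conn.execute(
        "DELETE FROM access_token WHERE user = ? AND consumer = ?",
        (user, consumer),
    )
    conn.commit()
    return cur.rowcount


def demo():
    """Walk through the scenario from the question: one user, the same app
    authorized twice with different scopes, then a revoke of that app."""
    conn = open_db()
    t1 = issue_token(conn, "reddit-client", "alice", {"files:read"})
    t2 = issue_token(conn, "reddit-client", "alice", {"files:read", "files:write"})
    t3 = issue_token(conn, "backup-tool", "alice", {"files:read"})
    result = {
        "t1_scope": token_scope(conn, t1),
        "t2_scope": token_scope(conn, t2),
        "apps_before": authorized_apps(conn, "alice"),
        "removed": revoke_app(conn, "alice", "reddit-client"),
    }
    result["apps_after"] = authorized_apps(conn, "alice")
    result["t1_after_revoke"] = token_scope(conn, t1)
    result["t3_after_revoke"] = token_scope(conn, t3)
    return result


if __name__ == "__main__":
    for key, value in demo().items():
        print(f"{key}: {value}")
```

The two grants for `reddit-client` coexist with different scopes, the listing shows the app once (with a count of 2), and a single revoke removes both tokens while leaving the unrelated `backup-tool` grant untouched. If you later add the optional `username` hint discussed in the question, it is just one more nullable column on this table; nothing else changes.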