There are some applications that generate passwords for you. Consider a case where you sign in via Facebook: the application (let's call it NEWAPP) verifies your sign-in on the server using FB tokens and FB verify APIs and then creates a user account for you. NEWAPP would then send these credentials over an HTTPS (TLS) connection so that you could update NEWAPP OAuth tokens when required.
Question: Given that the server generates credentials & sends these over to the user every time they log in via FB, how is it supposed to store these credentials securely on the server side?
Constraints:
User may log in on a different device using the same FB account. The same credentials (username & password) must be handed over to the user.
User may log in through multiple devices at the same time using the same FB account.
The user themselves has no clue of the username & password for the NEWAPP service; these are sent over by the NEWAPP servers when the user logs in via FB.
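One way to satisfy all three constraints without storing the NEWAPP password in recoverable form, shown here as an added illustration that is not part of the question and not NEWAPP's own code: derive the username and password deterministically from the verified FB user id under a server-held derivation key, and store only a salted PBKDF2 verifier for checking later logins. The same FB account then always yields the same credentials on any device and any number of concurrent logins, while a database leak exposes only verifiers. The derivation key value, the `newapp-password-v1` label, the FB user ids and the function names are all assumptions made for this example.

```python
import hashlib
import hmac
import os

# Assumed server-side derivation key (constructed placeholder; in production this
# would be loaded from a KMS/HSM-backed secret store, never hard-coded).
SERVER_DERIVATION_KEY = bytes.fromhex("00" * 32)

# Assumed account store: username -> {"salt": bytes, "verifier": bytes}.
# Note that no password is stored, only a PBKDF2 verifier.
_accounts = {}

PBKDF2_ROUNDS = 200_000


def derive_credentials(fb_user_id: str, key: bytes = SERVER_DERIVATION_KEY):
    """Deterministically derive NEWAPP credentials from the verified FB user id.

    Because the derivation is a pure function of (key, fb_user_id), every login
    from the same FB account, on any device, reproduces the same pair, so the
    server never needs to keep the password around to hand it out again.
    """
    username = "fb_" + hashlib.sha256(fb_user_id.encode()).hexdigest()[:16]
    password = hmac.new(
        key, b"newapp-password-v1:" + fb_user_id.encode(), hashlib.sha256
    ).hexdigest()
    return username, password


def _verifier(password: str, salt: bytes) -> bytes:
    """Salted, slow hash of the password; this is all the database holds."""
    return hashlib.pbkdf2_hmac("sha256", password.encode(), salt, PBKDF2_ROUNDS)


def login_via_facebook(fb_user_id: str):
    """Called only after the FB token has been verified server-side (not shown).

    Creates the account on first sight and returns the same credentials on
    every later login; the caller sends them to the client over TLS.
    """
    username, password = derive_credentials(fb_user_id)
    if username not in _accounts:
        salt = os.urandom(16)
        _accounts[username] = {"salt": salt, "verifier": _verifier(password, salt)}
    return username, password


def check_password(username: str, password: str) -> bool:
    """Verify a password/OAuth-refresh login against the stored verifier."""
    record = _accounts.get(username)
    if record is None:
        return False
    return hmac.compare_digest(record["verifier"], _verifier(password, record["salt"]))


if __name__ == "__main__":
    # Constructed sample: two logins from the same FB account on two devices.
    creds_device_a = login_via_facebook("1000123")
    creds_device_b = login_via_facebook("1000123")
    print("same credentials on both devices:", creds_device_a == creds_device_b)
    print("password verifies:", check_password(*creds_device_a))
```

The single secret in this design is the derivation key: whoever holds it can reproduce every user's password, so it belongs in a KMS or HSM with tight access control, and rotating it means re-issuing credentials on the next FB login (the client learns the new pair the same way it learned the first). The verifier table alone, if leaked, is no worse than an ordinary password database.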