Diffstat (limited to 'files/zh-cn/mozilla/persona')
10 files changed, 837 insertions, 0 deletions
diff --git a/files/zh-cn/mozilla/persona/bootstrapping_persona/index.html b/files/zh-cn/mozilla/persona/bootstrapping_persona/index.html new file mode 100644 index 0000000000..4f1c519c0a --- /dev/null +++ b/files/zh-cn/mozilla/persona/bootstrapping_persona/index.html 
@@ -0,0 +1,29 @@ +--- +title: Persona引导 +slug: Mozilla/Persona/Bootstrapping_Persona +translation_of: Archive/Mozilla/Persona/Bootstrapping_Persona +--- +<p>为了真正成功实现分权,Persona需要得到三方面的支持:</p> +<ul> + <li><strong>站点</strong>必须允许用户使用Persona登录。</li> + <li><strong>Web 浏览器</strong>必须实现<a href="/en/DOM/navigator.id" title="navigator.id"><code>navigator.id</code></a> APIs.</li> + <li><b>邮件供应商</b>必须是身份提供者(IdPs).</li> +</ul> +<p>This creates a chicken-and-egg problem: none of these groups would significantly benefit unless there was a critical mass of users, but a distributed system can't get a critical mass of users without support from the above groups.</p> +<p>To solve this problem, <a class="link-https" href="https://login.persona.org" rel="freelink">https://login.persona.org</a> hosts three resources:</p> +<ol> + <li>A fallback Identity Provider, which vouches for users whose email providers don't support Persona.</li> + <li>A <a href="/en-US/docs/persona/Browser_compatibility" title="/en-US/docs/persona/Browser_compatibility">cross-browser</a>, JavaScript implementation of the <code><a href="/en/DOM/navigator.id" title="navigator.id">navigator.id</a></code> APIs for browsers without native support.</li> + <li>A hosted verification API to make it easy for sites to verify user credentials.</li> +</ol> +<p>Together, this allows web sites to offer Persona to users regardless of browser and without email providers needing to get involved.</p> +<p>These services are temporary, and the Persona system is designed such that they transparently and automatically drop away as native support gets added to browsers and email providers. Thus, they will become less relevant as Persona matures, and may eventually be removed all together. 
At that point, <a href="https://login.persona.org" rel="freelink">https://login.persona.org</a> won't feature at all in the Persona system.</p> +<h2 id="Fallback_Identity_Provider">Fallback Identity Provider</h2> +<p>Any domain can become an Identity Provider as long as relying parties are willing to trust the certificates issued by that domain. We expect email providers to act as an IdPs for the addresses they administer, making the user experience of Persona seamless for those users. It allows the user to leverage their existing relationship with the email provider when authenticating at other sites.</p> +<p>However, email providers won't become IdPs until there is significant demand from their users. In the meantime, Mozilla operates a fallback IdP at <a href="https://login.persona.org" rel="freelink">https://login.persona.org</a>. This fallback allows users to sign into sites with their existing email address, regardless of whether or not the email provider supports Persona. The fallback IdP will certify email addresses from any domain using its own authentication flow and its own password, so long as the user is able to prove control of an address by clicking a link in a verification email.</p> +<p>Once an email provider supports Persona natively, its users will transparently begin use it instead of the fallback IdP.</p> +<h2 id="Cross-browser_API_Library">Cross-browser API Library</h2> +<p>For Persona to work, the user's browser must support the <a href="/en/DOM/navigator.id" title="navigator.id">navigator.id</a> API. Eventually, browsers will add native support for these APIs, but until then a <a href="/en-US/docs/persona/Browser_compatibility" title="/en-US/docs/persona/Browser_compatibility">cross-browser </a>implementation is available at <a href="https://login.persona.org/include.js" title="https://login.persona.org/include.js">https://login.persona.org/include.js</a>. By including this file, web sites can already begin using Persona. 
Once native implementations of the API are available, the library will automatically defer to those.</p> +<h2 id="Remote_verification_service">Remote verification service</h2> +<p>At <a href="https://login.persona.org" rel="freelink">https://login.persona.org</a> Mozilla hosts a <a href="/en/Persona/Remote_Verification_API" title="en/BrowserID/Remote_Verification_API">remote verification service</a> that web sites can use to verify identity assertions sent from users. This makes it simpler for web sites to support Persona as it takes care of parsing the assertion and cryptographically verifying user identities.</p> +<p>Once the Persona data formats stabilize, verification will most likely be done locally on each site's server. This transition is especially important for user privacy, since it will make it impossible for the fallback IdP to track its users. Even with remote verification, users of native IdPs can't be tracked by that IdP.</p> diff --git a/files/zh-cn/mozilla/persona/branding/index.html b/files/zh-cn/mozilla/persona/branding/index.html new file mode 100644 index 0000000000..3120f9a4c8 --- /dev/null +++ b/files/zh-cn/mozilla/persona/branding/index.html 
@@ -0,0 +1,79 @@ +--- +title: 品牌资源 +slug: Mozilla/Persona/branding +tags: + - 图片 + - 按钮 +translation_of: Archive/Mozilla/Persona/User_interface_guidelines +--- +<h2 id="使用_Persona_样式的按钮登陆">使用 Persona 样式的按钮登陆</h2> +<h3 id="图片样式">图片样式</h3> +<p>Persona样式的登录按钮有三个版本,三种颜色:</p> +<h4 id="英文按钮">英文按钮</h4> +<table> + <thead> + <tr> + <th scope="row"> </th> + <th scope="col">Sign in with your Email</th> + <th scope="col">Sign in with Persona</th> + <th scope="col">Sign in</th> + </tr> + </thead> + <tbody> + <tr> + <th scope="row">Black</th> + <td><img alt="" src="/files/3955/email_sign_in_black.png" style="width: 202px; height: 25px;"></td> + <td><img alt="" src="/files/3961/persona_sign_in_black.png" style="width: 185px; height: 25px;"></td> + <td><img alt="" src="/files/3967/plain_sign_in_black.png" style="width: 95px; height: 25px;"></td> + </tr> + <tr> + <th scope="row">Blue</th> + <td><img alt="" src="/files/3957/email_sign_in_blue.png" style="width: 202px; height: 25px;"></td> + <td><img alt="" src="/files/3963/persona_sign_in_blue.png" style="width: 185px; height: 25px;"></td> + <td><img alt="" src="/files/3969/plain_sign_in_blue.png" style="width: 95px; height: 25px;"></td> + </tr> + <tr> + <th scope="row">Red</th> + <td><img alt="" src="/files/3959/email_sign_in_red.png" style="width: 202px; height: 25px;"></td> + <td><img alt="" src="/files/3965/persona_sign_in_red.png" style="width: 185px; height: 25px;"></td> + <td><img alt="" src="/files/3971/plain_sign_in_red.png" style="width: 95px; height: 25px;"></td> + </tr> + </tbody> +</table> +<h4 id="中文按钮">中文按钮</h4> +<table> + <thead> + <tr> + <th scope="row"> </th> + <th scope="col">使用Email登录</th> + <th scope="col">使用Persona登录</th> + <th scope="col">登录</th> + </tr> + </thead> + <tbody> + <tr> + <th scope="row">黑色</th> + <td><img alt="" src="http://qidye.com/wp-content/uploads/2013/05/email_sign_in_black_zh_cn.png" style="width: 151px; height: 25px;"></td> + <td><img alt="" 
src="http://qidye.com/wp-content/uploads/2013/05/persona_sign_in_black_zh_cn.png" style="width: 167px; height: 25px;"></td> + <td><img alt="" src="http://qidye.com/wp-content/uploads/2013/05/plain_sign_in_black_zh_cn.png" style="width: 81px; height: 25px;"></td> + </tr> + <tr> + <th scope="row">蓝色</th> + <td><img alt="" src="http://qidye.com/wp-content/uploads/2013/05/email_sign_in_blue_zh_cn.png" style="width: 151px; height: 25px;"></td> + <td><img alt="" src="http://qidye.com/wp-content/uploads/2013/05/persona_sign_in_blue_zh_cn.png" style="width: 167px; height: 25px;"></td> + <td><img alt="" src="http://qidye.com/wp-content/uploads/2013/05/plain_sign_in_blue_zh_cn.png" style="width: 81px; height: 25px;"></td> + </tr> + <tr> + <th scope="row">红色</th> + <td><img alt="" src="http://qidye.com/wp-content/uploads/2013/05/email_sign_in_red_zh_cn.png" style="width: 151px; height: 25px;"></td> + <td><img alt="" src="http://qidye.com/wp-content/uploads/2013/05/persona_sign_in_red_zh_cn.png" style="width: 167px; height: 25px;"></td> + <td><img alt="" src="http://qidye.com/wp-content/uploads/2013/05/plain_sign_in_red_zh_cn.png" style="width: 81px; height: 25px;"></td> + </tr> + </tbody> +</table> +<h4 id="中文按钮打包下载">中文按钮打包下载</h4> +<p>地址:<a href="http://qidye.com/wp-content/uploads/2013/05/persona_sign_in_zh_cn.20130513.001.by_.will_.chen_.7z">persona_sign_in_zh_cn.20130513.001.by.will.chen.7z</a></p> +<h3 id="CSS-Based">CSS-Based</h3> +<p><a href="http://sawyerhollenshead.com/" title="http://sawyerhollenshead.com/">Sawyer Hollenshead</a> 制作了一些非常优秀的 CSS-based 的按钮. <a href="/files/3973/persona-css-buttons.zip" title="/files/3973/persona-css-buttons.zip">Download (.zip)</a></p> +<p><span style="font-size: 20px;"><b>更多信息</b></span></p> +<p>你可以在 <a href="http://people.mozilla.org/~smartell/persona/" title="http://people.mozilla.org/~smartell/persona/">Sean Martell's style primer</a>找到更多关于Persona视觉效果设计的信息.</p> 
diff --git a/files/zh-cn/mozilla/persona/browser_compatibility/index.html b/files/zh-cn/mozilla/persona/browser_compatibility/index.html new file mode 100644 index 0000000000..e362b74b3a --- /dev/null +++ b/files/zh-cn/mozilla/persona/browser_compatibility/index.html 
@@ -0,0 +1,89 @@ +--- +title: 浏览器兼容性 +slug: Mozilla/Persona/Browser_compatibility +tags: + - Files +translation_of: Archive/Mozilla/Persona/Browser_compatibility +--- +<h2 id="支持的浏览器">支持的浏览器</h2> +<p>Persona 支持下列浏览器。 Persona 包含一个跨平台的 JavaScript 库,因此用户使用时不需要安装任何插件。</p> +<table> + <tbody> + <tr> + <th colspan="3" scope="row" style="text-align: center; background-color: #d3d7cf;"><strong>桌面浏览器</strong></th> + </tr> + <tr> + <th scope="row"><strong>Internet Explorer</strong></th> + <td colspan="2" rowspan="1" style="background-color: #8ae234;">8.0<sup>*</sup>, 9.0<sup>†</sup>, 10.0<sup>*</sup><sup>*</sup> (详见下方的 <a href="https://developer.mozilla.org/docs/persona/Browser_compatibility#Internet_Explorer_.22Compatibility_Mode.22">兼容模式</a> 说明)</td> + </tr> + <tr> + <th scope="row"><strong>Firefox</strong></th> + <td colspan="2" style="background-color: #8ae234;">现有稳定版本, 测试版本, Aurora, 夜间发布版本 和 扩展支持版本<br> + 以往稳定版本</td> + </tr> + <tr> + <th scope="row"><strong>Chrome</strong></th> + <td colspan="2" style="background-color: #8ae234;">最新稳定版本</td> + </tr> + <tr> + <th scope="row"><strong>Safari</strong></th> + <td colspan="2" style="background-color: #8ae234;">最新稳定版本</td> + </tr> + <tr> + <th scope="row"><strong>Opera</strong></th> + <td colspan="2" style="background-color: #8ae234;">最新稳定版本<sup>‡</sup></td> + </tr> + <tr> + <th colspan="3" scope="row" style="text-align: center; background-color: #d3d7cf;"><strong>iOS 浏览器</strong></th> + </tr> + <tr> + <th scope="row"><strong>Safari</strong></th> + <td colspan="2" rowspan="1" style="background-color: #8ae234;">iOS 5.x — 6.x</td> + </tr> + <tr> + <th colspan="3" scope="row" style="text-align: center; background-color: #d3d7cf;"><strong>Android 浏览器</strong></th> + </tr> + <tr> + <th scope="row"><b>默认浏览器</b></th> + <td colspan="2" rowspan="1" style="background-color: #8ae234;">2.2 — 4.x</td> + </tr> + <tr> + <th scope="row"><strong>Firefox</strong></th> + <td colspan="2" style="background-color: #8ae234;">现有稳定版本, 测试版本, Aurora 和 
夜间发布版本<br> + 以往稳定版本</td> + </tr> + <tr> + <th scope="row"><strong>Chrome</strong></th> + <td colspan="2" style="background-color: #8ae234;">Latest Stable Release</td> + </tr> + </tbody> +</table> +<p><sup>*</sup>: Windows XP. <sup>†</sup>: Windows Vista 和 Windows 7. <sup>*</sup><sup>*</sup>Windows 8.<sup> </sup><sup>‡</sup>: 如果时间允许.</p> +<h2 id="不支持的浏览器">不支持的浏览器</h2> +<ul> + <li>Internet Explorer 6.0 和 7.0 不被支持。 Persona 会提醒用户升级浏览器。 另见 <a href="https://developer.mozilla.org/docs/persona/Browser_compatibility#Internet_Explorer_.22Compatibility_Mode.22" title="IE 兼容模式">IE “兼容模式</a>”。</li> + <li>Google Chrome Frame 不被支持且无法使用。 以后可能会加入对其支持 (<a href="https://github.com/mozilla/browserid/issues/796" title="https://github.com/mozilla/browserid/issues/796">Issue #796</a>)。</li> + <li>iOS 上的第三方浏览器不被支持且无法使用。 以后可能会加入对其支持 (<a href="https://github.com/mozilla/browserid/issues/2034" title="https://github.com/mozilla/browserid/issues/2034">Issue #2034</a>)。</li> +</ul> +<h2 id="Internet_Explorer_的“兼容模式”">Internet Explorer 的“兼容模式”</h2> +<p>从 8.0 版开始, Internet Explorer 提供了一项名为“兼容模式”的功能, 其在渲染页面时会模拟 8.0 以前版本的行为。 这个特性可以通过三种方法控制:</p> +<ol> + <li>浏览器中的本地设置</li> + <li>页面中的 <a href="https://developer.mozilla.org/docs/Quirks_Mode_and_Standards_Mode" title="https://developer.mozilla.org/docs/Quirks_Mode_and_Standards_Mode">DOCTYPE</a> 声明</li> + <li>网站在 HTTP 头或页面 <a href="https://developer.mozilla.org/docs/HTML/Element/meta" style="text-decoration: underline; font-family: 'Courier New', 'Andale Mono', monospace;" title="https://developer.mozilla.org/docs/HTML/Element/meta"><meta></a> 标签中使用 <a href="http://msdn.microsoft.com/library/cc288325%28v=vs.85%29.aspx" title="http://msdn.microsoft.com/library/cc288325%28v=vs.85%29.aspx">"X-UA-Compatible"</a>。 此方法会覆盖前两种</li> +</ol> +<p>由于 Persona 不支持 Internet Explorer 8.0 以前版本, 任何 Internet Explorer 如果模拟了8.0 以前版本也将不能支持 Persona 。 这通常是由于:</p> +<ul> + <li>你的网站使用 "X-UA-Compatible" 显式指定浏览器模拟 8.0 以前版本</li> + <li>你的网站未设置 DOCTYPE ,未将 DOCTYPE 置于页面首行, 或者浏览器被设置为 
quirks 模式而你的网站未将 "X-UA-Compatible" 设置为 IE 8.0 或更高版本</li> + <li>浏览器被用户设置为使用 模拟 8.0 以前版本的 “兼容模式”, 而你的网站没有使用 "X-UA-Compatible" 覆盖这个设置</li> + <li>译注:总之,为了让 IE 8.0 及以上能正常运行 Persona ,你应该加入 "X-UA-Compatible" 头部</li> +</ul> +<p>详情请见 <a href="https://blogs.msdn.com/b/askie/archive/2009/03/23/understanding-compatibility-modes-in-internet-explorer-8.aspx?Redirected=true" title="https://blogs.msdn.com/b/askie/archive/2009/03/23/understanding-compatibility-modes-in-internet-explorer-8.aspx?Redirected=true">"Understanding Compatibility Modes in Internet Explorer 8"</a> 和 <a href="http://hsivonen.iki.fi/doctype/index.html#ie8" title="http://hsivonen.iki.fi/doctype/index.html#ie8">"IE8 and IE9 Complications"</a>.</p> +<h2 id="其他浏览器">其他浏览器</h2> +<p>除非明显不被支持, 任何同时支持 {{ domxref("window.postMessage()") }} 和 {{ domxref("Storage", "localStorage") }} 的浏览器都应该能使 Persona 正常运行。 2010年3月后所有主流浏览器都支持这些 API 。</p> +<h2 id="已知问题">已知问题</h2> +<ul> + <li>浏览器需要允许第三方 Cookies 以保证功能完整 (<a href="https://github.com/mozilla/browserid/issues/1352" title="https://github.com/mozilla/browserid/issues/1352">Issue #1352</a>)。</li> + <li>Android 2.x 上,如果用户没有选择默认浏览器,他们将无法登录 (<a href="https://github.com/mozilla/browserid/issues/1854" title="https://github.com/mozilla/browserid/issues/1854">Issue #1854</a>)。</li> +</ul> diff --git a/files/zh-cn/mozilla/persona/glossary/index.html b/files/zh-cn/mozilla/persona/glossary/index.html new file mode 100644 index 0000000000..430bacbabe --- /dev/null +++ b/files/zh-cn/mozilla/persona/glossary/index.html 
@@ -0,0 +1,61 @@ +--- +title: 术语表 +slug: Mozilla/Persona/Glossary +translation_of: Archive/Mozilla/Persona/Glossary +--- +<h2 id="Persona_和_BrowserID">"Persona" 和 "BrowserID"</h2> +<p>Persona 是 Mozilla 的全新分布式登录系统的完整实现。</p> +<p>BrowserID 是 Persona 基于的开放协议。</p> +<h2 id="常用_Persona_术语"><span style="font-size: 2.142857142857143rem;">常用 </span>Persona 术语</h2> +<dl> + <dt> + BrowserID</dt> + <dd> + 一种基于电子邮件地址的,开放、去中心化的用户认证协议。</dd> + <dt> + 身份凭证提供者 ("IdP")</dt> + <dd> + 为其用户签发身份凭证的服务。</dd> + <dd> + 邮件服务提供商可以通过在其服务中增加 BrowserID 支持成为身份凭证提供者。 Mozilla 为不支持 Persona 的邮件<span style="line-height: 1.5;">服务</span><span style="line-height: 1.5;">提供商提供了身份凭证服务, 其位于 </span><a class="link-https" href="https://login.persona.org" style="line-height: 1.5;" title="https://login.persona.org">login.persona.org</a><span style="line-height: 1.5;">.</span></dd> + <dt> + login.persona.org</dt> + <dd> + 由 Mozilla Identity 团队运行的备用身份凭证服务。</dd> + <dt> + Persona</dt> + <dd> + Mozilla 对用户公布的整套认证服务的名称,这套服务包括由 Mozilla Identity 团队运行的备用身份凭证服务。 最终用户应该不需要知道 "BrowserID" 这个术语。</dd> + <dd> + Persona 可能逐渐包含 BrowserID 协议之外的功能,如 Firefox Sync 的部分功能,或者 Open Web Apps 的控制面板。</dd> + <dt> + Relying Party ("RP")</dt> + <dd> + 允许用户通过 Persona 登录的任何网站,应用或服务。</dd> +</dl> +<h2 id="项目代号">项目代号</h2> +<dl> + <dt> + BigTent</dt> + <dd> + 三个身份凭证服务的集合,分别针对 Hotmail,Gmail 和 Yahoo Mail 的用户。 BigTent 通过OpenID 或 OAuth 等方式连接各个邮件<span style="line-height: 1.5;">服务</span><span style="line-height: 1.5;">提供商。 源码位于 </span><a href="https://github.com/mozilla/browserid-bigtent" style="line-height: 1.5;" title="https://github.com/mozilla/browserid-bigtent">https://github.com/mozilla/browserid-bigtent</a><span style="line-height: 1.5;"> 。</span></dd> + <dt> + Vinz Clortho</dt> + <dd> + <code>电子邮件后缀为 @mozilla.com</code> 和 <code>@mozilla.org</code> 的身份凭证服务。 通过 LDAP 运行。 源码位于 <a href="https://github.com/mozilla/vinz-clortho" title="https://github.com/mozilla/browserid-bigtent">https://github.com/mozilla/vinz-clortho</a> 。 项目名称向1984年的电影《捉鬼敢死队》致敬。</dd> 
+</dl> +<h2 id="不常用_Persona_术语">不常用 Persona 术语</h2> +<dl> + <dt> + 一级认证机构 ("Primary")</dt> + <dd> + 弃用术语, 指能同时作为身份认证提供者的邮件服务提供商。</dd> + <dt> + 二级认证机构 ("Secondary)</dt> + <dd> + 弃用术语,指为其邮件服务提供商不支持 Persona 的用户提供备用身份认证服务的身份认证提供者。<span style="line-height: 1.5;">Mozilla 在 </span><a class="link-https" href="https://login.persona.org" style="line-height: 1.5;" title="https://login.persona.org">login.persona.org</a> 运行了一个备用身份认证服务。</dd> + <dt> + Verified Email Protocol</dt> + <dd> + BrowserID 协议的旧称。</dd> +</dl> diff --git a/files/zh-cn/mozilla/persona/index.html b/files/zh-cn/mozilla/persona/index.html new file mode 100644 index 0000000000..5c19bec83a --- /dev/null +++ b/files/zh-cn/mozilla/persona/index.html 
@@ -0,0 +1,138 @@ +--- +title: Mozilla Persona +slug: Mozilla/Persona +tags: + - Mozilla + - Persona + - zh-CN +translation_of: Archive/Mozilla/Persona +--- +<div class="callout-box"> +<p><strong>保持联系或获取帮助!</strong></p> + +<p>关注 <a class="external" href="http://identity.mozilla.com/" title="http://identity.mozilla.com/">我们的 blog</a>,加入 <a class="link-https" href="https://lists.mozilla.org/listinfo/dev-identity" title="https://lists.mozilla.org/listinfo/dev-identity">我们的邮件列表</a>,或在 <a class="link-https" href="https://wiki.mozilla.org/IRC" title="https://wiki.mozilla.org/IRC">IRC</a> 中的 <a class="link-irc" href="irc://irc.mozilla.org/identity" title="irc://irc.mozilla.org/identity">#identity</a> 找到我们。</p> +</div> + +<blockquote> +<p>提示:Mozilla将在2016年11月关闭Persona.org</p> + +<p>邮件列表:<a href="https://mail.mozilla.org/pipermail/persona-notices/2016/000005.html">https://mail.mozilla.org/pipermail/persona-notices/2016/000005.html</a></p> +</blockquote> + +<p><a class="link-https" href="https://www.mozilla.org/zh-CN/persona/" title="https://www.mozilla.org/zh-CN/persona/">Mozilla Persona</a> 是一个用于 web 的完全去中心化且安全的验证系统,基于开放 BrowserID 协议。Mozilla 当前管理一个 Persona 相关的一个<a href="/zh-CN/docs/Persona/Bootstrapping_Persona" title="/zh-CN/docs/Persona/Bootstrapping_Persona">可选的、中心化服务</a>的一小组套件。</p> + +<p>为什么你和你的站点应该使用 Persona?</p> + +<ol> + <li><strong>Persona 完全消除了站点特定的密码,</strong> 把用户和网站从创建、管理和安全存放密码的责任中解放出来。</li> + <li><strong>Persona 易于使用。</strong>只需点击两次,一个 Persona 用户可以登入到一个诸如 <a href="http://voo.st" title="http://voo.st">Voost</a> 或 <a href="http://crossword.thetimes.co.uk/" title="http://crossword.thetimes.co.uk/">The Times Crossword</a> 的新站点,绕开了账户创建相关的摩擦。</li> + <li><strong>Persona 易于实现。</strong>开发人员在一个下午就可以把 Persona 添加到站点上。</li> + <li>最好的是,<strong>不会被锁定</strong>。 开发人员获取所有他们用户的验证过的邮件地址,而用户可以在 Persona 上使用任何邮件地址。</li> + <li><strong>Persona 基于 BrowserID 协议构建。</strong>一旦流行的浏览器供应商实现了 BrowserID<strong>,它们不再需要依赖于 Mozilla 来登入。</strong></li> +</ol> + +<p>继续阅读来开始!</p> + +<div 
class="note"><strong>注意:</strong>Persona 在活跃开发中。关注<a class="external" href="http://identity.mozilla.com/" title="http://identity.mozilla.com/">我们的 blog</a> 来了解新特性,或加入<a class="link-https" href="https://lists.mozilla.org/listinfo/dev-identity" title="https://lists.mozilla.org/listinfo/dev-identity">我们的邮件列表</a>来提供反馈!</div> + +<h2 id="在你的站点上使用_Persona">在你的站点上使用 Persona</h2> + +<table class="topicpage-table"> + <tbody> + <tr> + <td> + <h3 id="准备开始">准备开始</h3> + + <dl> + <dt><a href="/zh-CN/docs/Persona/Why_Persona" title="zh-CN/BrowserID/Why_BrowserID">为什么使用 Persona?</a></dt> + <dd>了解在你的站点上支持 Persona 的原因和它与其它身份验证系统的区别。</dd> + <dt><a href="/zh-CN/Persona/Quick_Setup" title="BrowserID/Quick setup">快速安装</a></dt> + <dd>一份快捷的攻略,展示了如何向你的网站中添加 Persona。</dd> + </dl> + </td> + <td> + <h3 id="Persona_API_参考">Persona API 参考</h3> + + <dl> + <dt><a href="/zh-CN/DOM/navigator.id" title="navigator.id">navigator.id API 参考</a></dt> + <dd><code>navigator.id</code> 对象的参考,web 开发者可以用此来把 Persona 继承到站点中。</dd> + <dt><a href="/zh-CN/Persona/Remote_Verification_API" title="zh-CN/BrowserID/Remote_Verification_API">验证 API 参考</a></dt> + <dd>建立在 <code>https://verifier.login.persona.org/verify</code> 上的远程验证 API 的参考。</dd> + </dl> + </td> + </tr> + <tr> + <td> + <h3 id="指导">指导</h3> + + <dl> + <dt><a href="/zh-CN/Persona/Security_Considerations" title="BrowserID/Security considerations">安全考虑</a></dt> + <dd>确保 Persona 部署安全的实践和技术。</dd> + <dt><a href="/zh-CN/Persona/Browser_compatibility" title="/Browser_compatibility">浏览器兼容性</a></dt> + <dd>准确获知哪些浏览器支持 Persona。</dd> + <dt><a href="/zh-CN/Persona/Internationalization" title="/Internationalization">国际化</a></dt> + <dd>了解 Persona 如何处理不同的语言。</dd> + </dl> + </td> + <td> + <h3 id="资源">资源</h3> + + <dl> + <dt><a class="link-https" href="https://github.com/mozilla/browserid/wiki/Persona-Libraries" title="https://github.com/mozilla/browserid/wiki/BrowserID-Libraries">库和插件</a></dt> + <dd>寻找你偏好的编程语言、web 框架、博客或是内容管理系统(CMS)的即插库。</dd> + <dt><a class="link-https" 
href="https://github.com/mozilla/browserid-cookbook" title="https://github.com/mozilla/browserid-cookbook">Persona cookbook</a></dt> + <dd>Persona 站点的示例源代码。包括 PHP、Node.JS 等等的片段。</dd> + <dt><a href="/zh-CN/docs/persona/branding" title="/zh-CN/docs/persona/branding">品牌资源</a></dt> + <dd>登入按钮和其它向用户表现 Persona 的图形。</dd> + </dl> + </td> + </tr> + </tbody> +</table> + +<p> </p> + +<table class="topicpage-table"> + <tbody> + <tr> + <td> + <h2 id="给身份提供者的信息">给身份提供者的信息</h2> + + <p>如果你是一个电子邮件提供商或另一个身份提供服务,翻阅下面的链接来获知如何成为一个 Persona 身份提供者。</p> + + <dl> + <dt><a href="/zh-CN/docs/Persona/Identity_Provider_Overview" title="IdP">IdP 概述</a></dt> + <dd>Persona 身份提供者的高层视角。</dd> + <dt><a href="/zh-CN/Persona/Implementing_a_Persona_IdP" title="Guide to Implementing a Persona IdP">实现一个 IdP</a></dt> + <dd>成为一个 IdP 的详细技术细节指导。</dd> + <dt><a href="/zh-CN/Persona/IdP_Development_tips" title="Developer tips">开发提示</a></dt> + <dd>开发一个新的身份提供者的一系列开发提示和技巧。</dd> + <dt><a href="/zh-CN/docs/Persona/.well-known-browserid" title="https://developer.mozilla.org/zh-CN/docs/Persona/.well-known-browserid">.well-known/browserid</a></dt> + <dd><code>.well-known/browserid</code> 文件的结构和用途概述,这个文件被 IdPs 用于通知它们支持这个协议。</dd> + </dl> + </td> + <td> + <h2 id="Persona_项目">Persona 项目</h2> + + <dl> + <dt><a href="/zh-CN/Persona/Glossary" title="navigator.id">术语表</a></dt> + <dd>BrowserID 和 Persona 定义的术语。</dd> + <dt><a href="/zh-CN/Persona/FAQ" title="zh-CN/BrowserID/FAQ">FAQ</a></dt> + <dd>常见问题的回答。</dd> + <dt><a href="/zh-CN/Persona/Protocol_Overview" title="BrowserID/Protocol overview">协议概述</a></dt> + <dd>底层 BrowserID 协议的中等技术概述。</dd> + <dt><a href="/zh-CN/persona/Crypto" title="MDN">加密</a></dt> + <dd>一瞥 Persona 和 BrowserID 背后的密码学概念。</dd> + <dt><a class="link-https" href="https://github.com/mozilla/id-specs/blob/master/browserid/index.md" title="https://github.com/mozilla/id-specs/blob/master/browserid/index.md">协议规范</a></dt> + <dd>这里是深层技术细节。</dd> + <dt><a href="/Persona/Bootstrapping_Persona" 
title="zh-CN/BrowserID/Bootstrapping_BrowserID">Persona 网站</a></dt> + <dd>要让 Persona 运作, 我们在<a class="link-https" href="https://login.persona.org" rel="freelink">https://login.persona.org</a> 建立了三个服务:一个备用身份提供者、一个可迁移的 {{ domxref("navigator.id") }} API 实现以及一个身份断言验证服务。</dd> + <dt><a href="https://github.com/mozilla/browserid">Persona 源码</a></dt> + <dd>Persona 网站背后的源码托管在 GitHub 的一个仓库上。欢迎提交补丁!</dd> + </dl> + </td> + </tr> + </tbody> +</table> + +<p> </p> diff --git a/files/zh-cn/mozilla/persona/protocol_overview/index.html b/files/zh-cn/mozilla/persona/protocol_overview/index.html new file mode 100644 index 0000000000..9e61fb2b95 --- /dev/null +++ b/files/zh-cn/mozilla/persona/protocol_overview/index.html 
@@ -0,0 +1,96 @@ +--- +title: 协议概述 +slug: Mozilla/Persona/Protocol_Overview +tags: + - Persona +translation_of: Archive/Mozilla/Persona/Protocol_Overview +--- +<p>Persona is built on the BrowserID protocol. This page describes the BrowserID protocol at a high level.</p> + +<h2 id="角色">角色</h2> + +<p>The protocol involves three actors:</p> + +<ul> + <li><strong>Users:</strong> The actual people that want to sign into websites using Persona.</li> + <li><strong>Relying Parties (RPs): </strong>Websites that want to let users sign in using Persona.</li> + <li><strong>Identity Providers (IdPs): </strong>Domains that can issue Persona-compatible identity certificates to their users.</li> +</ul> + +<p>Persona and the BrowserID protocol use email addresses as identities, so it's natural for email providers to become IdPs.</p> + +<p>Mozilla operates a fallback IdP so that users can use any email address with Persona, even one with a specific domain that isn't an IdP itself.</p> + +<h2 id="协议步骤">协议步骤</h2> + +<p>There are three distinct steps in the protocol:</p> + +<ol> + <li>User Certificate Provisioning</li> + <li>Assertion Generation</li> + <li>Assertion Verification</li> +</ol> + +<p>As a prerequisite, the user should have an active identity (email address) that they wish to use when logging in to websites. The protocol does not require that IdP-backed identities are SMTP-routable, but it does require that identities follow the <code>user@domain</code> format.</p> + +<h3 id="用户认证过程">用户认证过程</h3> + +<p>In order to sign into an RP, a user must be able to prove ownership of their preferred email address. 
The foundation of this proof is a cryptographically signed certificate from an IdP certifying the connection between a browser's user and a given identity within the IdP's domain.</p> + +<p>Because Persona uses standard <a href="http://en.wikipedia.org/wiki/Public-key_cryptography" title="http://en.wikipedia.org/wiki/Public-key_cryptography">public key cryptography</a> techniques, the user certificate is signed by the IdP's private key and contains:</p> + +<ul> + <li>The user's email address.</li> + <li>The user's public key for that address on that browser.</li> + <li>The time that the certificate was issued.</li> + <li>The time that the certificate expires.</li> + <li>The IdP's domain name.</li> +</ul> + +<p>The user's browser generates a different keypair for each of the user's email addresses, and these keypairs are not shared across browsers. Thus, a user must obtain a fresh certificate whenever one expires, or whenever using a new browser or computer. Certificates must expire within 24 hours of being issued.</p> + +<p>When a user selects an identity to use when signing into an RP, the browser checks to see if it has a fresh user certificate for that address. If it does, this step is complete and the browser continues with the assertion generation step below. 
If the browser does not have a fresh certificate, it attempts to obtain one from the domain associated with the chosen identity.</p> + +<ol> + <li>The browser fetches the <a href="/en-US/docs/Persona/.well-known-browserid" title="/en-US/docs/Persona/.well-known-browserid">/.well-known/browserid</a> support document over SSL from the identity's domain.</li> + <li>Using information from the support document, the browser passes the user's email address and associated public key to the IdP and requests a signed certificate.</li> + <li>If necessary, the user is asked to sign into the IdP before provisioning proceeds.</li> + <li>The IdP creates, signs, and gives a user certificate to the user's browser.</li> +</ol> + +<p>With the certificate in hand, the browser can continue with generating an identity assertion and signing into an RP.</p> + +<p><img alt="user-certificate-provisioning.png" class="internal default" src="/@api/deki/files/6043/=user-certificate-provisioning.png"></p> + +<h3 id="生成断言">生成断言</h3> + +<p>The user certificate establishes a verifiable link between an email address and a public key. However, this is alone not enough to log into a website: the user still has to show their connection to the certificate by proving ownership of the private key.</p> + +<p>In order to prove ownership of a private key, the user's browser creates and signs a new document called an "identity assertion." It contains:</p> + +<ul> + <li>The origin (scheme, domain, and port) of the RP that the user wants to sign into.</li> + <li>An expiration time for the assertion, generally less than five minutes after it was created.</li> +</ul> + +<p>The browser then presents both the user certificate and the identity assertion to the RP for verification.</p> + +<h3 id="验证断言">验证断言</h3> + +<p>The combination of user certificate and identity assertion is sufficient to confirm a user's identity.</p> + +<p>First, the RP checks the domain and expiration time in the assertion. 
If the assertion is expired or intended for a different domain, it's rejected. This prevents malicious re-use of assertions.</p> + +<p>Second, the RP validates the signature on the assertion with the public key inside the user certificate. If the key and signature match, the RP is assured that the current user really does possess the key associated with the certificate.</p> + +<p>Last, the RP fetches the IdP's public key from its <a href="/en-US/docs/Persona/.well-known-browserid" title="/en-US/docs/Persona/.well-known-browserid">/.well-known/browserid</a> document and verifies that it matches the signature on the user certificate. If it does, then the RP can be certain that the certificate really was issued by the domain in question.</p> + +<p>Once verifying that this is a current login attempt for the proper RP, that the user certificate matches the current user, and that the user certificate is legitimate, the RP is done and can authenticate the user as the identity contained in the certificate.</p> + +<p><img alt="assertion-generation-and-verify.png" class="internal default" src="/@api/deki/files/6042/=assertion-generation-and-verify.png"></p> + +<h2 id="The_Persona_Fallback_IdP">The Persona Fallback IdP</h2> + +<p>What if a user's email provider doesn't support Persona? In that case, the provisioning step would fail. By convention, the user's browser handles this by asking a trusted third party, <a href="https://login.persona.org/" title="https://login.persona.org/">https://login.persona.org/</a>, to certify the user's identity on behalf of the unsupported domain. After demonstrating ownership of the address, the user would then receive a certificate issued by the fallback IdP, <code>login.persona.org</code>, rather than the identity's domain.</p> + +<p>RPs follow a similar process when validating the assertion: the RP would ultimately request the fallback IdP's public key in order to verify the certificate.</p> 
diff --git a/files/zh-cn/mozilla/persona/quick_setup/index.html b/files/zh-cn/mozilla/persona/quick_setup/index.html new file mode 100644 index 0000000000..e39958eb98 --- /dev/null +++ b/files/zh-cn/mozilla/persona/quick_setup/index.html 
@@ -0,0 +1,140 @@ +--- +title: 快速安装 +slug: Mozilla/Persona/Quick_Setup +tags: + - Mozilla + - Persona +translation_of: Archive/Mozilla/Persona/Quick_Setup +--- +<p>要把 Persona 登录系统添加到你的站点只需要 5 步:</p> +<ol> + <li>在你的页面中包含 Persona 的 JavaScript 库。</li> + <li>添加“登入”和“登出”按钮。</li> + <li>监视登入和登出行为。</li> + <li>验证用户证书。</li> + <li>回顾最佳实现。</li> +</ol> +<p>你应该能在一个下午就建立好并运行,但重要的是:如果你要在你的站点上使用 Persona,请花一点时间订阅 <a href="https://mail.mozilla.org/listinfo/persona-notices">Persona 通知</a> 邮件列表。它流量非常低,只用于通知那些对你站点有负面影响的变更或安全问题。</p> +<h2 id="步骤1:包含_Persona_库">步骤1:包含 Persona 库</h2> +<p>Persona 被设计为跨浏览器且可在<a href="https://developer.mozilla.org/docs/persona/Browser_compatibility">全部主要桌面和移动浏览器</a>中工作。</p> +<p>在未来我们期望浏览器提供 Persona 的原生支持,但我们同时提供了一个 JavaScript 库完整地实现了用户界面和客户端部分的协议。通过包含这个库,你的用户会可以用 Persona 登入,无论他们的浏览器是否有原生支持。</p> +<p>一 旦页面中的这个库加载完毕,你需要的 Persona 函数({{ domxref("navigator.id.watch()", "watch()") }}、{{ domxref("navigator.id.request()", "request()") }} 和 {{ domxref("navigator.id.logout()", "logout()") }})会在全局对象 <code>navigator.id</code> 中可用。</p> +<p>要包含 Persona JavaScript 库,你可以把这个 <code>script</code> 标签放进你页面的首部:</p> +<pre class="brush: html;"><script src="https://login.persona.org/include.js"></script> +</pre> +<p>你<strong>必须</strong>在每个使用 {{ domxref("navigator.id") }} 中函数的页面里包含这个标签。因为 Persona 始终在开发中,你不应该自行托管 <code>include.js</code> 文件。</p> +<h2 id="步骤2:添加登入登出按钮">步骤2:添加登入/登出按钮</h2> +<p>因 为 Persona 被设计为一个 DOM API,你必须在用户点击你站点上的登入或登出按钮时调用函数。要打开 Persona 对话框并提示用户登入,你应该调用 {{ domxref("navigator.id.request()") }} 。而登出要调用 {{ domxref("navigator.id.logout()") }} 。</p> +<p>例如:</p> +<pre class="brush: js;">var signinLink = document.getElementById('signin'); +if (signinLink) { + signinLink.onclick = function() { navigator.id.request(); }; +}; + +var signoutLink = document.getElementById('signout'); +if (signoutLink) { + signoutLink.onclick = function() { navigator.id.logout(); }; +}; +</pre> +<p>那些按钮的是什么样子的?查看我们的<a href="https://developer.mozilla.org/docs/persona/branding">品牌资源</a>页面中的预制图片和基于 CSS 
的按钮!</p> +<h2 id="步骤3:监视登入登出行为">步骤3:监视登入/登出行为</h2> +<p>要把 Persona 封装成函数,你需要告诉它当用户登入/登出时做什么。调用 {{ domxref("navigator.id.watch()") }} 函数就可以实现,它支持三个参数:</p> +<ol> + <li> + <p>你站点当前用户的 <code>loggedInEmail</code> ,如果没有则为 <code>null</code> 。你应该在渲染页面的时候动态生成它。</p> + </li> + <li> + <p>当触发 <code>onlogin</code> 行为的时候调用的函数。这个函数会被传递一个必须认证的“身份断言”参数。</p> + </li> + <li> + <p>当触发 <code>onlogout</code> 行为的时候调用的函数。这个函数不会被传递任何参数。</p> + </li> +</ol> +<div class="note style-wrap"> + <p><strong>注意:</strong>你必须总是在调用 {{ domxref("navigator.id.watch()") }} 时同时包含 <code>onlogin</code> 和 <code>onlogout</code> 。</p> +</div> +<p>例如,如果你现在认为鲍勃已经登入到你的站点,你会这样做:</p> +<pre class="brush: js;">var currentUser = 'bob@example.com'; + +navigator.id.watch({ + loggedInUser: currentUser, + onlogin: function(assertion) { + // 一个用户已经登入!这是你需要做的: + // 1. 把断言发送到后端验证并创建一个会话。 + // 2. 更新你的 UI。 + $.ajax({ /* <-- 本例使用了 jQuery,但你也可以用你想用的 */ + type: 'POST', + url: '/auth/login', // 这是你网站上的一个 URL + data: {assertion: assertion}, + success: function(res, status, xhr) { window.location.reload(); }, + error: function(res, status, xhr) { alert("登入失败" + res); } + }); + }, + onlogout: function() { + // 一个用户已经登出!这是你需要做的: + // 销毁用户的会话并重定向用户或做后端的调用。 + // 同样,让 loggedInUser 在下个页面加载时变为 null。 + // (这是一个字面的 JavaScript null。不是 false、 0 或 undefined。null。) + $.ajax({ + type: 'POST', + url: '/auth/logout', // 这是你网站上的一个 URL + success: function(res, status, xhr) { window.location.reload(); }, + error: function(res, status, xhr) { alert("登出失败" + res); } + }); + } +}); +</pre> +<p>在本例中,<code>onlogin</code> 和 <code>onlogout</code> 都通过向你站点的后端发送异步 <code>POST</code> 请求来实现。后端随后通常用设定或删除会话 cookie 中的信息来登入或登出用户。之后,如果一切都核对无误,页面重加载来考虑账户的新登录状态。</p> +<p>你当然可以用 AJAX 来不用重加载或重定向来实现,但这超出了本教程的范畴。</p> +<p>你<strong>必须</strong>在每个有登入/登出按钮的页面上调用这个函数。要为用户支持 Persona 加强功能,诸如自动登录和全局登出,你<strong>应该</strong>在网站上的每个页面都调用这个函数。</p> +<h2 id="步骤4:验证用户证书">步骤4:验证用户证书</h2> +<p>Persona 用“身份断言”来代替密码,那是一种类似一次性、单站点的、用户邮件地址捆绑的密码。当用户想要登入时,你的 <code>onlogin</code> 
回调会传入一个该用户的断言来调用。在你登入他们前,你必须验证断言的有效性。</p> +<p>在你的服务器上而不是用户浏览器上运行的 JavaScript 中验证断言是<em>极度</em>重要的,因为那很容易伪造。上面的例子用 jQuery 的 <code>$.ajax()</code> 辅助函数来把断言通过 <code>POST</code> 到 <code>/auth/login</code> 来呈递给后端。</p> +<p>一旦你的服务器获得了断言,你如何验证它?最简单的方法是用 Mozilla 提供的辅助服务。简单地把断言以两个参数 <code>POST</code> 给 <code>https://verifier.login.persona.org/verify</code>:</p> +<ol> + <li><code>assertion</code>: 用户提供的身份断言。</li> + <li><code>audience</code>: 你网站的主机名和端口。你必须在后端硬编码这个值;不要从用户提供的任何数据中派生这个值。</li> +</ol> +<p>例如,如果你是 <code>example.com</code>,你可以用下面的命令行来测试断言:</p> +<pre class="brush: bash;">$ curl -d "assertion=<ASSERTION>&audience=https://example.com:443" "https://verifier.login.persona.org/verify" +</pre> +<p>如果它是有效的,你会得到像这样的一个 JSON 响应:</p> +<pre class="brush: js;">{ + "status": "okay", + "email": "bob@eyedee.me", + "audience": "https://example.com:443", + "expires": 1308859352261, + "issuer": "eyedee.me" +} +</pre> +<p>你可以阅读<a href="https://developer.mozilla.org/en-US/docs/BrowserID/Remote_Verification_API">验证服务 API</a>来获知更多关于验证服务的内容。一个 <code>/api/login</code> 实现的使用了 <a href="http://python.org/">Python</a>、<a href="http://flask.pocoo.org/">Flask</a> web 框架和 <a href="http://python-requests.org">Requests</a> HTTP 库的例子看起来是这样:</p> +<pre class="brush: python;">@app.route('/auth/login', methods=['POST']) +def login(): + # 请求必须包含我们要验证的断言 + if 'assertion' not in request.form: + abort(400) + + # 把断言发送给 Mozilla 的验证服务 + data = {'assertion': request.form['assertion'], 'audience': 'https://example.com:443'} + resp = requests.post('https://verifier.login.persona.org/verify', data=data, verify=True) + + # 验证器响应了吗? 
+ if resp.ok: + # 处理响应 + verification_data = json.loads(resp.content) + + # 检查断言是否有效 + if verification_data['status'] == 'okay': + # 设置一个安全会话 cookie 来登入用户 + session.update({'email': verification_data['email']}) + return resp.content + + # 哎哟,有什么东西不对,放弃 + abort(500) +</pre> +<p>会话管理可能很像你现有的登录系统。首先的大区别是在验证用户身份采用了检查断言而不是检查密码。另一个不同是确保用户的邮件地址有效来用于 {{ domxref("navigator.id.watch()") }} 的 <code>loggedInEmail</code> 参数</p> +<p>登出很简单:你只需要移除用户的会话 cookie。</p> +<h2 id="步骤5:回顾最佳实践">步骤5:回顾最佳实践</h2> +<p>一旦所有的东西都工作正常并且你已经成功登入和登出你的站点,你应该花一会时间来回顾安全可靠地使用 Persona 的<a href="https://developer.mozilla.org/docs/BrowserID/Security_Considerations">最佳实践</a>。</p> +<p>如果你在做一个要作为生产环境的站点,你会想要编写集成的测试来模拟用 Persona 登入或登出用户。要改善 Selenium 中的这个行为,请考虑使用 <a href="https://github.com/mozilla/bidpom" title="https://github.com/mozilla/bidpom">bidpom</a> 库。<a href="https://mockmyid.com/" title="https://mockmyid.com/">mockmyid.com</a> 和 <a href="http://personatestuser.org" title="http://personatestuser.org">personatestuser.org</a> 这两个网站也可能会有用。</p> +<p>最后,不要忘记登记加入 <a href="https://mail.mozilla.org/listinfo/persona-notices">Persona 通知</a> 邮件列表,这样会通知你任何安全问题或 Persona API 的向后兼容变更。这个列表的流量非常低:它只用于通知会对你的站点造成负面影响的变更。</p> diff --git a/files/zh-cn/mozilla/persona/remote_verification_api/index.html b/files/zh-cn/mozilla/persona/remote_verification_api/index.html new file mode 100644 index 0000000000..55f37e793e --- /dev/null +++ b/files/zh-cn/mozilla/persona/remote_verification_api/index.html 
@@ -0,0 +1,120 @@ +--- +title: 远程验证 API +slug: Mozilla/Persona/Remote_Verification_API +translation_of: Archive/Mozilla/Persona/Remote_Verification_API +--- +<h3 id="Summary" name="Summary">概述</h3> +<p>当用户试图登入一个网站,他们的浏览器会生成一个名为<em>断言</em>的数据结构,这实质上是一个加密签名的邮件地址。浏览器把这个断言发送给网站,网站必须在登入用户前检验断言是否有效。</p> +<p>断言可以本地验证,或使用托管在 <span class="link-https"><code>https://verifier.login.persona.org/verify</code></span> 的 API。本页面描述如何使用这个 API。</p> +<h3 id="Methods" name="Methods">方法</h3> +<p>把 HTTP POST 请求发送至 <code>https://verifier.login.persona.org/verify</code>。</p> +<h3 id="参数">参数</h3> +<p><code>assertion</code>: 断言由用户提供。作为传给 {{ domxref("navigator.id.watch()") }} 中 <code>onlogin</code> 函数的第一个参数。<br> + <code>audience</code>: 你的站点的协议、域名和端口。 例如, "<code>https://example.com:443</code>"。</p> +<h3 id="返回值">返回值</h3> +<p>调用会返回一个包含 <code>status</code> 元素的 JSON 结构,这个元素值会是 "okay" 或是" failure" 。取决于 <code>status</code> 的值,这个结构包含下面列出的额外元素。</p> +<h4 id="okay">"okay"</h4> +<p>断言是有效的。</p> +<p>在这种情况下 JSON 结构包含下面的额外元素:</p> +<table style="width: 80%;"> + <tbody> + <tr> + <td><code>"email"</code></td> + <td>断言中包含欲登录人的邮件地址。</td> + </tr> + <tr> + <td><code>"audience"</code></td> + <td>断言中包含 audience 值。 期望值为你的网站 URL。</td> + </tr> + <tr> + <td>"<code>expires"</code></td> + <td>断言过期的日期,表示为<a href="/en/JavaScript/Reference/Global_Objects/Date/valueOf" title="en/JavaScript/Reference/Global_Objects/Date/valueOf">Date 对象的原始值</a>: 即从 UTC 1970 年 1 月 1 日午夜至今的毫秒数。</td> + </tr> + <tr> + <td><code>"issuer"</code></td> + <td>发出断言的身份提供者的主机名。</td> + </tr> + </tbody> +</table> +<h4 id="failure">"failure"</h4> +<p>断言是无效的。这种情况下,JSON 结构包含一个额外元素:</p> +<table> + <tbody> + <tr> + <td><code>"reason"</code></td> + <td>一个解释验证失败原因的字符串。</td> + </tr> + </tbody> +</table> +<h3 id="示例">示例</h3> +<h4 id="node.js">node.js</h4> +<p>例中使用了一个采用 express.js 的 node.js 服务器</p> +<pre class="brush: js">var express = require("express"), + app = express.createServer(), + https = require("https"), + querystring = require("querystring"); +/* ... 
*/ + +// audience 值必须匹配你浏览器地址栏显示的值, +// 包括协议、主机名、端口 +var audience = "http://localhost:8888"; + +app.post("/authenticate", function(req, res) { + var vreq = https.request({ + host: "verifier.login.persona.org", + path: "/verify", + method: "POST" + }, function(vres) { + var body = ""; + vres.on('data', function(chunk) { body+=chunk; } ) + .on('end', function() { + try { + var verifierResp = JSON.parse(body); + var valid = verifierResp && verifierResp.status === "okay"; + var email = valid ? verifierResp.email : null; + req.session.email = email; + if (valid) { + console.log("assertion verified successfully for email:", email); + } else { + console.log("failed to verify assertion:", verifierResp.reason); + } + res.json(email); + } catch(e) { + console.log("non-JSON response from verifier"); + // bogus response from verifier! return null + res.json(null); + } + }); + }); + vreq.setHeader('Content-Type', 'application/x-www-form-urlencoded'); + + var data = querystring.stringify({ + assertion: req.body.assertion, + audience: audience + }); + vreq.setHeader('Content-Length', data.length); + vreq.write(data); + vreq.end(); + console.log("verifying assertion!"); +}); + +</pre> +<p>via <a class="link-https" href="https://github.com/lloyd/myfavoritebeer.org/blob/06255b960e1f9078bc935c1c7af0662f33c88818/server/main.js#L112" title="https://github.com/lloyd/myfavoritebeer.org/blob/06255b960e1f9078bc935c1c7af0662f33c88818/server/main.js#L112">Lloyd Hilaiel</a></p> +<h4 id="PHP">PHP</h4> +<pre class="brush: php">$url = 'https://verifier.login.persona.org/verify'; +$assert = $_POST['assert']; +$params = 'assertion='.$assert.'&audience=' . 
+ urlencode('http://example.com:80'); +$ch = curl_init(); +$options = array( + CURLOPT_URL => $url, + CURLOPT_RETURNTRANSFER => TRUE, + CURLOPT_POST => 2, + CURLOPT_POSTFIELDS => $params +); +curl_setopt_array($ch, $options); +$result = curl_exec($ch); +curl_close($ch); +echo $result; +</pre> +<p>Via <a class="link-https" href="https://github.com/codepo8/BrowserID-login-with-PHP/blob/184fdb74c8a554461c262875859968154d09288e/verify.php">Christian Heilmann</a></p> diff --git a/files/zh-cn/mozilla/persona/security_considerations/index.html b/files/zh-cn/mozilla/persona/security_considerations/index.html new file mode 100644 index 0000000000..d955e82d13 --- /dev/null +++ b/files/zh-cn/mozilla/persona/security_considerations/index.html 
@@ -0,0 +1,55 @@ +--- +title: 安全考虑 +slug: Mozilla/Persona/Security_Considerations +translation_of: Archive/Mozilla/Persona/Security_Considerations +--- +<p>When you add Persona support to your website, Persona takes on as much of the security burden as it can. However, some aspects of security can only be handled by your website. They're listed below.</p> +<h2 id="Essential_practices" name="Essential_practices">Essential practices</h2> +<h3 id="Verify_assertions_on_your_server" name="Verify_assertions_on_your_server">Verify assertions on your server</h3> +<p>When using Persona, identity assertions are passed into the <code>onlogin</code> function passed to {{ domxref("navigator.id.watch()") }}. You should <em>always</em> pass the assertion to your server for verification, and only your server should decide to grant the user additional permissions based on the verification result:</p> +<pre class="brush:js;">// Inside navigator.id.watch({ ... +onlogin: function(assertion) { + // A user wants to log in! Here you need to: + // 1. Send the assertion to your backend for verification and to create a session. + // 2. Update your UI. +}, +</pre> +<p>If you try to verify the assertion using the JavaScript executing in the user's browser, then a malicious user will be able to impersonate a legitimate user of your site by locally injecting code and subverting your JavaScript. This is possible because you're not fully in control of the user's browser, where the code executes.</p> +<p>Again, you should <em>always</em> pass the assertion to your server for verification. Even if you're using the remote verification API.</p> +<h3 id="Explicitly_specify_the_audience_parameter" name="Explicitly_specify_the_audience_parameter">Explicitly specify the audience parameter</h3> +<p>To verify an assertion, you may issue a POST request to<code> https://verifier.login.persona.org/verify</code>. 
The request includes a parameter called <code>audience</code>:</p> +<pre><code>assertion=<ASSERTION>&audience=https://mysite.com:443"</code></pre> +<p>The <code>audience</code> parameter is required. You should always specify the audience explicitly in your code, or in your code's configuration. Specifically:</p> +<ul> + <li>Do not trust the Host header sent by the user's browser.</li> + <li>Do not trust an explicit parameter sent by the user's browser, but generated by your JavaScript using, e.g. <code>document.location</code>.</li> +</ul> +<p>If you trust the user's browser to tell you the audience, then it becomes possible for a malicious web site to reuse assertions for <em>its</em> web site to log into <em>your</em> web site.</p> +<h3 id="Verify_SSL_certificates" name="Verify_SSL_certificates">Verify SSL certificates</h3> +<p>To verify an assertion, you may issue a POST request to <code>https://verifier.login.persona.org/verify</code>. You must ensure that your HTTPS request verifies the certificate sent from the server against a trusted root certificate. If you don't, then an attacker could pose as <code>verifier.login.persona.org</code> and issue false verifications.</p> +<p>Check that the library you are using to make the request verifies certificates correctly, and that you are initializing it with the appropriate root certificate(s).</p> +<p>For example, Python 2.7's standard <a class="external" href="http://docs.python.org/release/2.7.3/library/urllib2.html#urllib2.urlopen" title="http://docs.python.org/release/2.7.3/library/urllib2.html#urllib2.urlopen">urllib2 module</a> does not validate server certificates. Instead, we recommend using the "<a class="external" href="http://pypi.python.org/pypi/requests">requests</a>" or "<a class="external" href="http://pypi.python.org/pypi/urllib3" title="http://pypi.python.org/pypi/urllib3">urllib3</a>" modules in Python 2.x, or the standard <code>http.client.HTTPSConnection</code> class in Python 3.x. 
For Perl, ensure that you are using at least version 6.0 of <code>libwww-perl</code>. Depending on the language, library, and operating system that you're using, you may need to supply either a list of trusted CA roots or the single CA used by <code>verifier.login.persona.org</code>.</p> +<h3 id="Implement_CSRF_protection" name="Implement_CSRF_protection">Implement CSRF protection</h3> +<p>In a CSRF (Cross-Site Request Forgery) login attack, an attacker uses a cross-site request forgery to log the user into a web site using the attacker's credentials.</p> +<p>For example: a user visits a malicious web site containing a <code>form</code> element. The form's <code>action</code> attribute is set to an HTTP POST request to <a class="external" href="http://www.google.com/login" title="http://www.google.com/login">http://www.google.com/login</a>, supplying the attacker's username and password. When the user submits the form, the request is sent to Google, the login succeeds and the Google server sets a cookie in the user's browser. Now the user's unknowingly logged into the attacker's Google account.</p> +<p>The attack can be used to gather sensitive information about the user. For example, Google's <a class="link-https" href="https://www.google.com/history/">Web History</a> feature logs all the user's Google search terms. If a user is logged into the attacker's Google account and the attacker has Web History enabled, then the user is giving the attacker all this information.</p> +<p>CSRF login attacks, and potential defenses against them, are documented more fully in <a class="external" href="http://www.adambarth.com/papers/2008/barth-jackson-mitchell-b.pdf">Robust Defenses for Cross-Site Request Forgery</a> (PDF). 
They're not specific to Persona: most login mechanisms are potentially vulnerable to them.</p> +<p>There are a variety of techniques which can be used to protect a site from CSRF login attacks, which are documented more fully in the study above.</p> +<p>One approach is to create a secret identifier in the server, shared with the browser, and require the browser to supply it when making login requests. For example:</p> +<ol> + <li>As soon as the user lands on your site, before they try to log in, create a session for them on the server. Store the session ID in a browser cookie.</li> + <li>On the server, generate a random string of at least 10 alphanumeric characters. A randomly generated UUID is a good option. This is the CSRF token. Store it in the session.</li> + <li>Deliver the CSRF token to the browser by either embedding it in JavaScript or HTML as a hidden form variable.</li> + <li>Ensure that the AJAX submission or form POST includes the CSRF token.</li> + <li>On the server side, before accepting an assertion, check that the submitted CSRF token matches the session-stored CSRF token.</li> +</ol> +<h2 id="Enhancements" name="Enhancements">Enhancements</h2> +<h3 id="Content_Security_Policy_(CSP)" name="Content_Security_Policy_(CSP)">Content Security Policy (CSP)</h3> +<p><a href="/en-US/docs/Security/CSP" title="Security/CSP">Content Security Policy</a> (CSP) is an added layer of security that helps to detect and mitigate certain types of attacks, including Cross Site Scripting (XSS) and data injection attacks. These attacks are used for everything from data theft to site defacement or distribution of malware.</p> +<p>If you use CSP on your site, you may need to tweak your policy to enable Persona. Depending on your policy, you may need to:</p> +<ul> + <li>Remove inline <code>javascript:</code> URIs and replace them with code loaded from an additional script file. 
The file can look up elements based on their ID, and then attach to the element by setting {{ domxref("element.onclick", "onclick") }} or calling {{ domxref("element.addEventListener()", "addEventListener()") }}.</li> + <li>Allow <code>https://login.persona.org</code> as both a <code>script-src</code> and <code>frame-src</code> so that your site can load the remote <code>include.js</code> file and that file can communicate with the fallback Persona implementation.</li> +</ul> +<p>An example Apache configuration might include:</p> +<pre><span class="diff-content"><span class="idiff">Header set X-Content-Security-Policy: "default-src 'self'; frame-src 'self' https://login.persona.org ; script-src 'self' https://login.persona.org"</span></span></pre> diff --git a/files/zh-cn/mozilla/persona/why_persona/index.html b/files/zh-cn/mozilla/persona/why_persona/index.html new file mode 100644 index 0000000000..d7d96a46fc --- /dev/null +++ b/files/zh-cn/mozilla/persona/why_persona/index.html 
@@ -0,0 +1,30 @@ +--- +title: 为什么使用 Persona? +slug: Mozilla/Persona/Why_Persona +translation_of: Archive/Mozilla/Persona/Why_Persona +--- +<p style="">流行的用户名和密码系统并非长久之计:用户需要为每个他们使用的站点和服务创建并记住一个新的、复杂的密码,并且每个站点都要安全地存储密码。尽管如此,最近的事故证明了即使是巨头级的大公司也在密码安全上失误,这让他们的用户信息暴露在风险中。</p> +<p style="">Persona 是一个开放的、分布式、web 规模的身份识别系统,它取代了每个网站一个密码的局面。它解决了像 OpenID 这样系统的可用性和隐私相关的缺点而不诉诸于 Facebook Connect 这样的中心化基础架构。</p> +<h2 id="Persona_摆脱了每站一密码">Persona 摆脱了每站一密码</h2> +<p>Persona 让用户在完成一个用于身份识别的简单一次性过程后只需点击两次即可登入网站,而不是每站一密码。这是在公钥密码学上构建的,安全可靠。用户的浏览器生成一个加密的“身份断言”来代替密码,它在几分钟后会过期并只在单个站点上有效。因为没有站点特定的密码,使用 Persona 的网站不需要关心密码数据库如何妥善存储或是丢失隐患。</p> +<p>这个快捷的登入过程也减少了用户访问新站点的摩擦。</p> +<h2 id="Persona_身份是电子邮件地址">Persona 身份是电子邮件地址</h2> +<p>Persona 使用邮件地址作为身份,而不是任意形式的用户名。这让用户和开发者有所裨益:</p> +<h3 id="用户使用邮件地址的优势">用户使用邮件地址的优势</h3> +<ul> + <li>用户已经知道他们的邮件地址,相反,用 OpenID 要学习新的且可能令人困惑的 URL。</li> + <li>电子邮件地址灵巧地捕捉了 <code>someone@some-context</code> 的概念,易于用户区分 <code>@work</code>、 <code>@home</code> 或 <code>@school</code> 的身份。这与像 Facebook 和 Google+ 社交网络上的通过实名、单账号策略的身份合并趋势不同。</li> + <li>电子邮件可以自托管或委托给其它服务商,用户可以控制他们的身份。</li> +</ul> +<h3 id="开发者使用邮件地址的优势">开发者使用邮件地址的优势</h3> +<ul> + <li>邮件地址让开发者可以直接联系他们的用户。</li> + <li>大多数站点需要他们用户提供邮件地址,Persona 会在用户登入时自动提供,消除了额外的注册表单。</li> + <li>许多登录系统已经把邮件作为唯一键。这意味着不仅会被 Person 束缚,而且它可以与现有的登录系统并列部署。</li> +</ul> +<p>更不必说电子邮件已经是一个横跨无数服务提供者的有数以亿计账户的分布式系统。</p> +<h2 id="Persona_与其它单点登录服务提供商有何区别?" style="">Persona 与其它单点登录服务提供商有何区别?</h2> +<p>Persona 安全、可靠,并且简单。它用其它提供商保护不用或不能的方法来用户隐私、用户控制和用户选择:</p> +<p>许多社交网络,诸如 Facebook 和 Google+,需要用户使用真名,并限制用户到单个账户。通过构建在邮件地址上,Persona 允许用户区分它们的工作、家庭、学校以及其它身份。</p> +<p>Persona 是开放的,也是分布式的:任何有电子邮件地址的人都可以登入使用 Persona 的站点。除此之外,任何人可以建立他们自己的身份提供者或委托给其它的权威机构,就像用电子邮件。这与需要一个单一中心化服务账号的社交登录服务相反。</p> +<p>Persona 也通过把用户浏览器放进认证过程中来提供保护用户隐私的新颖手段:浏览器从用户的邮件提供商获取证书,然后转向并把那些证书呈递给网站。电子邮件供应商不可能追踪用户,但网站仍然可以通过密码学验证证书来继续信任用户。大多数其它系统,即使是如 OpenID 这样的分布式系统,需要站点“背景连接通信(phone home)”才允许用户登入。</p> |
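Review bot: in the Quick_Setup hunk the prose for step 3 names the first `navigator.id.watch()` parameter `loggedInEmail` (in the numbered list and again after the Flask example), but the code passes it as `loggedInUser: currentUser`; the name in the prose should match the code. The prose also calls the Flask handler a `/api/login` implementation while the route is `@app.route('/auth/login', methods=['POST'])` and the jQuery call posts to `/auth/login`. Inside that handler, a verifier response with `"status": "failure"` falls through to `abort(500)`, so an invalid assertion is reported as a server error rather than a 401/403, and the handler uses `requests` and `json` without showing the imports. Finally, the step list at the top says 回顾最佳实现 while the heading reads 步骤5:回顾最佳实践.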
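Review bot: in the PHP example of the Remote_Verification_API hunk, `$assert = $_POST['assert']` is concatenated into `$params` unencoded while only the audience goes through `urlencode()`; the assertion must be url-encoded too (or pass an array to `CURLOPT_POSTFIELDS`), and `CURLOPT_POST => 2` should be `TRUE`. The field is named `assert` here but `assertion` in the Quick_Setup page's `data: {assertion: assertion}`; one name should be used across the docs. Since the Security_Considerations page in this same commit requires verifying the verifier's certificate, the PHP snippet should set `CURLOPT_SSL_VERIFYPEER => TRUE` explicitly rather than rely on the default. In the node.js example, `vreq` registers no `'error'` handler, so a network failure reaching verifier.login.persona.org is an unhandled exception, and `Content-Length` is computed from `data.length` (characters) rather than `Buffer.byteLength(data)`.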
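Review bot: the Apache example closing the Security_Considerations hunk, `Header set X-Content-Security-Policy: "..."`, includes the colon in the header name, which mod_headers treats as part of the name; it should be `Header set Content-Security-Policy "default-src 'self'; frame-src 'self' https://login.persona.org; script-src 'self' https://login.persona.org"`, using the standard unprefixed header rather than the pre-standard `X-Content-Security-Policy` name. In the audience example, `audience=https://mysite.com:443"` has a stray trailing quote. The CSRF guidance of "a random string of at least 10 alphanumeric characters" sets a low bar: the token should come from a CSPRNG with at least 128 bits of entropy (a random UUID meets this only if it is a version-4 UUID from a secure source), and the server-side comparison in step 5 should be constant-time.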
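Review bot: the Why_Persona hunk contains a sentence whose meaning is inverted: "这意味着不仅会被 Person 束缚,而且它可以与现有的登录系统并列部署" says the developer will be locked into Persona, which contradicts the rest of the bullet (email already serves as the unique key, so Persona can be deployed alongside existing login systems); it should read 不仅不会被 Persona 束缚, and "Person" is a typo for Persona. The sentence "它用其它提供商保护不用或不能的方法来用户隐私、用户控制和用户选择" is garbled and needs rewording, e.g. 它以其它提供商不愿或不能采用的方式保护用户隐私、用户控制和用户选择. Also, "用户的浏览器生成一个加密的“身份断言”" describes the assertion as encrypted, whereas the Remote_Verification_API page in this commit correctly calls it 加密签名的 (cryptographically signed); 经密码学签名的 would be accurate.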