用户可以欺骗Google帐户的Google身份验证域吗?

时间:2013-12-04 15:07:43

标签: c# asp.net security oauth asp.net-webpages

我正在使用OAuth作为我的ASP.Net,网页(带有C#)网站,有一天它将成为一个公共网站。在这个公共站点中,有一个部分CMS实现,只允许有员工电子邮件的用户(即来自我们公司域的电子邮件,例如“ourcomp.net”)注册。我们公司的域名/电子邮件是通过Gmail管理的。

我已经设置了OAuth(仅限Google)进行登录,效果很好,但我想知道我目前正在检查电子邮件地址字符串的最后一部分,在注册时,对于我们公司的域名是多么安全,例如这样:

var result = OAuthWebSecurity.VerifyAuthentication(Href("~/Account/RegisterService", new { returnUrl }));

if (result.IsSuccessful)
{
    bool registered = OAuthWebSecurity.Login(result.Provider, result.ProviderUserId, createPersistentCookie: false);

    if (registered)
    {
        Context.RedirectLocal(returnUrl);
        return;
    }

    email = result.UserName;

    if (!EmailValidator.IsEmailAdress(email)) //Simple Regex to check email string.
    {
        errorMessage = "The email address supplied was not a valid email address. ";
        errorMessage += "Please return to the main page and try again. If the problem ";
        errorMessage += "persists, please notify a site administrator for help.<br/><br/>";
        errorMessage += "<a class=\"retreatLink\" href=\"/\">Main Page</a>";
    }

    if (!email.EndsWith("@ourcomp.net")) //**THIS IS THE PART IN QUESTION**
    {
        errorMessage = "Your email address was valid, however, it seems that it's ";
        errorMessage += "not a \"City of Okmulgee\" email address. Please ensure that ";
        errorMessage += "your email address is part of the \"@ourcomp.net\" domain.<br/><br/>";
        errorMessage += "If you are having trouble changing your email address ";
        errorMessage += "try visiting Google's <a href=\"https://mail.google.com\">Gmail</a> ";
        errorMessage += "page and logging out. After you have logged out of gmail, revisit ";
        errorMessage += "the <a href=\"/\">main page</a> and click the ";
        errorMessage += "\"Log-in!\" button again. Then, when prompted by Gmail services, ";
        errorMessage += "log back in using a valid \"ourcomp.net\" email address.<br/><br/>";
        errorMessage += "For more help visit <a href=\"https://support.google.com/mail/answer/8154?hl=en\">";
        errorMessage += "Gmail Help</a> for quick steps on how to log-out of your Gmail account.";
    }
}

更多的代码/安全性从这里开始,但我想我已经为这个问题提供了足够的信息(如果没有,请告诉我)。有没有办法让随机公共用户“欺骗”他们的域名,从而通过我的if (!email.EndsWith("@ourcomp.net"))支票,而实际上并不是我们公司域名的成员?我知道有些人可以通过他们想要的任何电子邮件地址发送电子邮件,但我不希望他们能以这种方式“登录”Google,对吧?我需要知道,以便我知道在审核之前是否需要锁定所有新帐户(或者可能是其他方法)。

请原谅我在OAuth和Google身份验证方面缺乏知识,我对ASP.Net的这一部分仍然很陌生,毫不奇怪,我无法在网上找到任何内容。

0 个答案:

没有答案
相关问题
最新问题