How do I authenticate my app on a REST service?


Question

Hello everybody,

I have a WEBAPI REST Service (which is kind of a middle layer) which authenticates on another service (WCF Service) with username and password and gets its data from there.

Since my WebAPI is a REST Service, it is stateless. In my opinion this means that every service call from my Phone to the WEBAPI leads to a new authentication process from my WebAPI on the WCF-Service. Right so far?

Now how could this be done?
Do I have to send the username/password combination every time from my phone to my WebAPI, so that the webAPI can authenticate on the other WCFService?

Or is the recommended way to kind of map the authentication-token (which would not have to contain username and password then) to a username/password combination on the WebAPI Service?

I could not find a simple solution for this. Does anybody have an idea? I would need a simple example of client-side and server-side code for understanding how this could be done.

My thoughts were:

1. Send username and password from phone to WebAPI
2. Send authentication token back to phone
3. Call another WebApi - RESTService from phone and send authentication token in header
4. ?? How do I validate this token on the WebAPI Service and how do I connect it to a user?


Could anyone write a simple piece of dummy-code?

Thank you very much!

Recommended answer

I've had this same problem before. Everything is stateless apart from the concept of an authenticated session.

You could send username/password on each call but that's bobbins.

All the other alternatives I think require some state to be stored on the server. We provided a basic Login function (username/password) which, if authenticated, created a 'session' containing the authorization information. We used a GUID to act as a key to this, so on successful authentication this is passed back.

Then subsequent calls have something like ?token=<guid>&this=that in the url.

Sessions need some sort of time-to-live (TTL) built into them so they expire after a while. If the client gets a session expired message, it must be prepared to resend the login request prior to retrying the actual request. The TTL is updated on each call.

Of course, you'll need TLS because that GUID effectively becomes you for the duration of the session.

Not saying this is a great solution, but it worked.
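The flow the question lists (steps 1 to 4) and the session layer the answer describes (login returns a key, sliding TTL, client re-logs-in on expiry, TLS required), as an added example that is not code from the question, the answer, or any of the projects involved. It is written in Python rather than the asker's ASP.NET/WCF stack because the design is the same in any language; `BACKEND_USERS` and `backend_authenticate()` are a constructed stand-in for the WCF username/password check, and the token is carried in an `Authorization: Bearer` header (the asker's step 3) rather than in the `?token=` query string the answer used.

```python
"""Opaque session tokens in front of a stateless REST API.

Added example, not code from the original question or answer. The
BACKEND_USERS table and backend_authenticate() stand in for the WCF
service the asker logs in to; SessionStore is the server-side state the
answer describes (login -> token, sliding TTL, re-login on expiry), with
the token carried in an Authorization header instead of the query string.
"""
import hashlib
import hmac
import secrets
import time
from dataclasses import dataclass


def _pbkdf2(password: str, salt: bytes) -> bytes:
    return hashlib.pbkdf2_hmac("sha256", password.encode(), salt, 100_000)


# Constructed credentials: username -> (salt, PBKDF2 hash). The salt is fixed
# only so the example is deterministic; a real store uses a random salt per user.
_SALT = b"example-salt-not-random"
BACKEND_USERS = {"alice": (_SALT, _pbkdf2("correct horse battery staple", _SALT))}


def backend_authenticate(username: str, password: str) -> bool:
    """Stand-in for the username/password call to the back-end (WCF) service."""
    entry = BACKEND_USERS.get(username)
    if entry is None:
        _pbkdf2(password, _SALT)  # same cost for unknown users, so timing does not leak who exists
        return False
    salt, expected = entry
    return hmac.compare_digest(_pbkdf2(password, salt), expected)


@dataclass
class Session:
    username: str
    created: float     # for the absolute lifetime cap
    last_seen: float   # for the sliding idle TTL


class SessionStore:
    """Maps opaque tokens to authenticated users. This is the one piece of server state."""

    def __init__(self, idle_ttl: float = 900, max_lifetime: float = 8 * 3600,
                 clock=time.monotonic):
        self.idle_ttl = idle_ttl
        self.max_lifetime = max_lifetime
        self.clock = clock          # injectable so expiry can be tested without sleeping
        self._sessions = {}         # sha256(token) -> Session

    @staticmethod
    def _key(token: str) -> str:
        # Store a hash, not the token: a leaked session table then yields nothing usable.
        return hashlib.sha256(token.encode()).hexdigest()

    def login(self, username: str, password: str):
        """Steps 1 and 2: verify against the back end, hand back a fresh token or None."""
        if not backend_authenticate(username, password):
            return None
        token = secrets.token_urlsafe(32)  # 256 bits from the OS CSPRNG, not a GUID
        now = self.clock()
        self._sessions[self._key(token)] = Session(username, now, now)
        return token

    def validate(self, token: str):
        """Step 4: return the Session for a live token, or None (and forget it) if expired."""
        key = self._key(token)
        session = self._sessions.get(key)
        if session is None:
            return None
        now = self.clock()
        if now - session.last_seen > self.idle_ttl or now - session.created > self.max_lifetime:
            del self._sessions[key]
            return None
        session.last_seen = now  # sliding TTL, refreshed on every call as in the answer
        return session

    def logout(self, token: str) -> None:
        self._sessions.pop(self._key(token), None)


def parse_bearer(authorization_header):
    """Extract the token from 'Authorization: Bearer <token>'; None if absent or malformed."""
    if not authorization_header:
        return None
    scheme, _, token = authorization_header.partition(" ")
    token = token.strip()
    return token if scheme.lower() == "bearer" and token else None


def handle_request(store: SessionStore, headers: dict):
    """Step 3 on the server: resolve the header to a user, or tell the client to log in again."""
    token = parse_bearer(headers.get("Authorization"))
    session = store.validate(token) if token else None
    if session is None:
        return 401, {"error": "session expired or invalid, log in again"}
    return 200, {"user": session.username}


if __name__ == "__main__":
    # Client-side flow with a fake clock: login, call, idle past the TTL, get 401, re-login, retry.
    now = [0.0]
    store = SessionStore(idle_ttl=60, clock=lambda: now[0])
    token = store.login("alice", "correct horse battery staple")   # in practice a POST /login over TLS
    print(handle_request(store, {"Authorization": f"Bearer {token}"}))   # (200, {'user': 'alice'})
    now[0] += 61
    status, body = handle_request(store, {"Authorization": f"Bearer {token}"})
    if status == 401:   # the client must re-send the login before retrying, as the answer says
        token = store.login("alice", "correct horse battery staple")
        print(handle_request(store, {"Authorization": f"Bearer {token}"}))
```

Three choices in the example go beyond the answer's text: the token comes from `secrets.token_urlsafe` rather than a GUID, because a GUID is guaranteed unique but not necessarily unpredictable and the token is the only thing standing between a caller and the user; the server keeps a SHA-256 of the token rather than the token itself, so a dump of the session table does not hand out live sessions; and the sliding idle TTL is paired with an absolute `max_lifetime`, since a sliding TTL alone keeps a stolen token alive for as long as the thief keeps using it. Putting the token in a header rather than `?token=` keeps it out of server access logs, proxy logs and browser history. None of this removes the answer's TLS requirement: a bearer token over plain HTTP is the user for the duration of the session.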

