Web Service Authentication using OpenID


Problem description


I'm going to be developing a REST-ful Web Service for a new public website. The idea behind the web service is to have 3rd parties develop fully functional UIs for the business logic.

For security reasons, I'd like to avoid users having to give their passwords for our service to the 3rd party applications. (Perhaps this shouldn't be a big concern?) Instead, I'm looking to implement some sort of login system on our site that provides an auth token to the 3rd party app but keeps the actual password out of their hands.

This made me think that OpenID might be a potential solution here. It seems to me that it should work: the actual password is handled by the OpenID provider and so it doesn't rest with the 3rd party app. I think that the trouble would probably lie with the various passthroughs, but that should be manageable.

However, there's a surprising lack of Googleable info on this, so I'd like SO's opinion. Has anyone implemented a similar system before? Is it even possible? Is it worth the trouble?

Solution

I agree completely that what you want is OAuth; I say that having worked on both OAuth and OpenID systems. I've also been in your boat a few times, having to develop a REST web service api.

For some really good ideas on OAuth, and why it is what you want, see these attached articles:

These are a must read; there are four parts, read them all: http://hueniverse.com/oauth/guide/

The RFC; read it after reading the above, as it can be a little daunting for most: http://oauth.net/core/1.0

And then finally maybe some code. I have a couple of projects hosted that are using Java/Groovy to do OAuth. One is a plain old OAuth client, the other is a client for specific interactions with NetFlix. http://www.blueleftistconstructor.com/projects/

If you are relatively inexperienced with REST (you haven't built a full-scale web API yet) I would recommend that you buy (or better, get your boss to) "RESTful Web Services" by Richardson & Ruby. It is an O'Reilly book. I can say that it is one of their better books to debut in the past few years.

It might also help to look at some RESTful OAuth based APIs. The NetFlix API is a perfect example: http://developer.netflix.com/docs

Good luck and happy coding!
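To make concrete what the answer is recommending, here is an added example (not code from the question, the answer, or the linked projects) of the OAuth Core 1.0 HMAC-SHA1 request signing that lets a third-party app call the service with a token while the user's password never leaves the site. It builds the signature base string, signs it with the consumer and token secrets, and shows the service-side verification; the sample key, token and secrets are the worked example from Appendix A of the OAuth Core 1.0 spec linked above.

```python
import base64
import hashlib
import hmac
from urllib.parse import parse_qsl, quote, urlsplit

def oauth_encode(value):
    # OAuth 1.0 percent-encoding: only RFC 3986 unreserved characters stay literal.
    return quote(str(value), safe="-._~")

def normalize_url(url):
    # Base string URI: lower-cased scheme/host, default port dropped, no query/fragment.
    p = urlsplit(url)
    scheme, host = p.scheme.lower(), p.hostname.lower()
    if p.port and p.port != {"http": 80, "https": 443}.get(scheme):
        host = f"{host}:{p.port}"
    return f"{scheme}://{host}{p.path or '/'}"

def signature_base_string(method, url, oauth_params):
    # Gather query-string and oauth_* parameters (never oauth_signature itself),
    # encode key and value, sort, join with '&', then encode the three parts.
    pairs = list(parse_qsl(urlsplit(url).query, keep_blank_values=True))
    pairs += [(k, v) for k, v in oauth_params.items() if k != "oauth_signature"]
    encoded = sorted((oauth_encode(k), oauth_encode(v)) for k, v in pairs)
    param_str = "&".join(f"{k}={v}" for k, v in encoded)
    return "&".join([method.upper(), oauth_encode(normalize_url(url)), oauth_encode(param_str)])

def hmac_sha1_signature(base_string, consumer_secret, token_secret=""):
    # Signing key: encoded consumer secret and encoded token secret joined by '&'.
    key = f"{oauth_encode(consumer_secret)}&{oauth_encode(token_secret)}".encode()
    mac = hmac.new(key, base_string.encode(), hashlib.sha1).digest()
    return base64.b64encode(mac).decode()

def verify_request(method, url, oauth_params, consumer_secret, token_secret):
    # Service side: recompute over the received parameters and compare in constant
    # time; the client proves it holds the secrets without ever transmitting them.
    base = signature_base_string(method, url, oauth_params)
    expected = hmac_sha1_signature(base, consumer_secret, token_secret)
    return hmac.compare_digest(expected, oauth_params.get("oauth_signature", ""))

# Worked example from OAuth Core 1.0, Appendix A (keys and secrets are the spec's samples).
SPEC_URL = "http://photos.example.net/photos?file=vacation.jpg&size=original"
SPEC_PARAMS = {"oauth_consumer_key": "dpf43f3p2l4k3l03", "oauth_token": "nnch734d00sl2jdk",
               "oauth_signature_method": "HMAC-SHA1", "oauth_timestamp": "1191242096",
               "oauth_nonce": "kllo9940pd9333jh", "oauth_version": "1.0"}
SPEC_CONSUMER_SECRET, SPEC_TOKEN_SECRET = "kd94hf93k423kf44", "pfkkdhi9sl3r4s00"
```

A real service must additionally reject replayed nonces and stale timestamps; the signature alone only binds the request to the secrets.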
