REST API Login Pattern

Views: 198

Question


I am creating a REST API, closely following apigee suggestions, using nouns not verbs, API version baked into the URL, two API paths per collection, GET POST PUT DELETE usage, etc.


I am working on the login system, but unsure of the proper REST way to log in users. I am not working on security at this point, just the login pattern or flow. (Later we will be adding 2-step OAuth, with an HMAC, etc.)

Possible options


  • a POST to something like https://api...com/v1/login.json

  • a PUT to something like https://api...com/v1/users.json

  • something I haven't thought of, though...


What is the proper REST style for logging in users?

Recommended Answer


Principled Design of the Modern Web Architecture by Roy T. Fielding and Richard N. Taylor, i.e. the sequence of works all REST terminology came from, contains a definition of client-server interaction:


All REST interactions are stateless. That is, each request contains all of the information necessary for a connector to understand the request, independent of any requests that may have preceded it.


This restriction accomplishes four functions; the 1st and 3rd are important in this particular case:



  • 1st: it removes any need for the connectors to retain application state between requests, thus reducing consumption of physical resources and improving scalability;
  • 3rd: it allows an intermediary to view and understand a request in isolation, which may be necessary when services are dynamically rearranged;


And now let's go back to your security case. Every single request should contain all required information, and authorization/authentication is not an exception. How to achieve this? Literally send all required information over the wire with every request.


One example of how to achieve this is the hash-based message authentication code, or HMAC. In practice this means adding a hash code of the current message to every request. The hash code is calculated by a cryptographic hash function in combination with a secret cryptographic key. The cryptographic hash function is either predefined or part of the code-on-demand REST concept (for example JavaScript). The secret cryptographic key should be provided by the server to the client as a resource, and the client uses it to calculate the hash code for every request.


There are a lot of examples of HMAC implementations, but I'd like you to pay attention to the following three:

  • Authenticating REST Requests for Amazon Simple Storage Service (Amazon S3)
  • Answer by Mauriceless on question: "How to implement HMAC Authentication in a RESTful WCF API"
  • crypto-js: JavaScript implementations of standard and secure cryptographic algorithms


If the client knows the secret key, then it's ready to operate with resources. Otherwise he will be temporarily redirected (status code 307 Temporary Redirect) to authorize and get the secret key, and then redirected back to the original resource. In this case there is no need to know beforehand (i.e. hardcode somewhere) what the URL to authorize the client is, and it is possible to adjust this schema over time.
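The two pieces of the answer above, the per-request HMAC and the 307 redirect for a client that has no key yet, fit in one small server-side check. The following is an added example, not code from the answer or from any of the three linked implementations: the client signs the method, path, a timestamp and a hash of the body with the shared secret, and the server recomputes that signature, rejects stale timestamps to limit replay, and redirects unsigned requests to an authorization URL. The header names, the `/v1/authorize` endpoint, the secret value and the 300-second skew window are all constructed assumptions for the demo.

```python
import hashlib
import hmac
import time

# Constructed demo secret. In the pattern described above the server hands the
# key to the client as a resource after authorization; here it is a fixed value.
SECRET_KEY = b"constructed-demo-secret-key"
AUTHORIZE_URL = "https://api.example.com/v1/authorize"  # assumed endpoint
MAX_CLOCK_SKEW = 300  # seconds a signed timestamp may be off before rejection


def canonical_string(method, path, timestamp, body):
    """Join every input the signature covers with newlines, so the server
    reconstructs exactly the bytes the client signed (method, path, time, body)."""
    body_hash = hashlib.sha256(body).hexdigest()
    return "\n".join([method.upper(), path, str(timestamp), body_hash]).encode()


def sign_request(method, path, body, key=SECRET_KEY, timestamp=None):
    """Client side: return the headers to attach to an outgoing request."""
    if timestamp is None:
        timestamp = int(time.time())
    digest = hmac.new(key, canonical_string(method, path, timestamp, body),
                      hashlib.sha256).hexdigest()
    return {"X-Timestamp": str(timestamp), "X-Signature": digest}


def authorize_request(method, path, body, headers, key=SECRET_KEY, now=None):
    """Server side: decide what to do with an incoming request.

    Returns a (status, detail) pair:
      307  no signature presented, redirect the client to obtain a key
      401  signature present but malformed, stale or wrong
      200  signature valid for this exact method, path, timestamp and body
    """
    if now is None:
        now = time.time()
    if "X-Signature" not in headers or "X-Timestamp" not in headers:
        return 307, AUTHORIZE_URL
    try:
        timestamp = int(headers["X-Timestamp"])
    except ValueError:
        return 401, "malformed timestamp"
    if abs(now - timestamp) > MAX_CLOCK_SKEW:
        return 401, "stale timestamp"
    expected = hmac.new(key, canonical_string(method, path, timestamp, body),
                        hashlib.sha256).hexdigest()
    # compare_digest runs in constant time, so a wrong signature does not leak
    # how many leading characters matched.
    if not hmac.compare_digest(expected, headers["X-Signature"]):
        return 401, "bad signature"
    return 200, "ok"


if __name__ == "__main__":
    body = b'{"name": "alice"}'  # constructed sample request body
    hdrs = sign_request("POST", "/v1/users.json", body)
    print(authorize_request("POST", "/v1/users.json", body, hdrs))   # (200, 'ok')
    print(authorize_request("POST", "/v1/users.json", body, {}))     # (307, ...)
    print(authorize_request("PUT", "/v1/users.json", body, hdrs))    # (401, ...)
```

Because the path and body hash are part of the signed string, a signature captured from one request cannot be reused for a different resource or payload, and the timestamp window bounds how long a captured request stays replayable at all; a production deployment would additionally key the secret per client and rotate it through the authorization resource the answer describes.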


Hope this will help you to find the proper solution!

