人们如何办理REST风格的API(技术无关)认证 [英] How do people handle authentication for RESTful api's (technology agnostic)
问题描述
我在看一些构建移动应用程序。因此,这些应用程序将通过JSON和通过REST'谈'到我的服务器(例如,PUT,POST等)。
如果我想确保客户端手机应用程序正在试图做一些事情,需要一些'许可',如何人处理?
例如:
我们的网站销售的东西 - >电视,汽车的,连衣裙等API会
让人们浏览商店和购买物品。买,你需要
是登录。我需要确保该人谁正在使用
他们的手机,真的是他们。如何才能做到这一点?
我看了一下微博是如何与他们的OAuth的做它..它看起来像他们有一个请求标头的数值呢?如果是这样(我喜欢八九不离十这种做法),是有可能,我可以使用其他第三方的网站存储的用户名/密码(如Twitter或Facebook是OAuth的供应商)..而我要做的就是以某种方式检索自定义头数据..并确保它存在于我的数据库.. ..别人让他们与他们的OAuth的认证供应商?
还是有另一种方式?
PS。我真的不喜欢有API密钥的想法 - 我觉得它可以很容易交给另一个人,使用(这是我们不能冒这个险)
解决方案
我们的网站销售的东西 - >电视,汽车的,连衣裙等API会
让人们浏览商店和购买物品。买,你需要
是登录。我需要确保该人谁正在使用
他们的手机,真的是他们。如果这真的是一个要求,那么你需要存储用户的身份在您的系统。身份跟踪的最流行的形式是通过用户名和密码。
我看了一下微博是如何与他们的OAuth的做它..它
看起来他们在一个请求标头的数值呢?如果是这样
(我喜欢八九不离十这种做法),是有可能,我可以使用
另一个第三方作为网站存储的用户名/密码(例如
Twitter或Facebook是OAuth的供应商)..而我要做的就是
不知何故检索定制头数据..并确保它存在于
我的数据库.. ..别人让他们与他们的供应商的OAuth认证?您在这里混淆了两个不同的技术,的OpenID 并的 OAuth的(不心疼,很多人得到绊倒在这一点)。 OpenID的,您可以推迟识别跟踪和验证到的提供商的,然后再接受你的应用程序,这些身份,为的接受的或的依赖方的。另一方面的OAuth允许应用(消费者),以访问属于另一个应用程序或系统的用户数据,而不会影响其他应用程序核心的安全性。如果你想第三方开发人员访问代表用户的你的API(这是不是你想要做的事,你已经指出),你会站起来的OAuth。
有关规定的要求,你绝对可以看看打开ID集成到你的应用程序。有可用于集成许多图书馆,但既然你问了一个不可知的答案,我就不一一列举任何人。
还是有另一种方式?
当然。您可以存储用户ID在你的系统,并使用基本或的消化认证,以确保您的API。基本身份验证要求您的要求只有一个(很容易计算)附加头:
授权:基本QWxhZGRpbjpvcGVuIHNlc2FtZQ ==如果您使用基本或摘要式身份验证,然后确保你的API端点与SSL保护,否则用户凭据可以很容易地在空中嗅探。你也可以去前面的用户标识,而是有效地进行身份验证时,透过信用卡结账信息用户,但是这是一个主观判断。
i'm looking at building some mobile applications. Therefore, these apps will 'talk' to my server via JSON and via REST (eg. put, post, etc).
If I want to make sure a client phone app is trying to do something that requires some 'permission', how to people handle this?
For example:
Our website sells things -> tv's, car's, dresses, etc. The api will allow people to browse the shop and purchase items. To buy, you need to be 'logged in'. I need to make sure that the person who is using their mobile phone, is really them.
How can this be done?
I've had a look at how twitter does it with their OAuth .. and it looks like they have a number of values in a REQUEST HEADER? If so (and I sorta like this approach), is it possible that I can use another 3rd party as the website to store the username / password (eg. twitter or Facebook are the OAuth providers) .. and all I do is somehow retrieve the custom header data .. and make sure it exists in my db .. else .. get them to authenticate with their OAuth provider?
Or is there another way?
PS. I really don't like the idea of having an API key - I feel that it can be too easily handed to another person, to use (which we can't take the risk).
解决方案Our website sells things -> tv's, car's, dresses, etc. The api will allow people to browse the shop and purchase items. To buy, you need to be 'logged in'. I need to make sure that the person who is using their mobile phone, is really them.
If this really is a requirement then you need to store user identities in your system. The most popular form of identity tracking is via username and password.
I've had a look at how twitter does it with their OAuth .. and it looks like they have a number of values in a REQUEST HEADER? If so (and I sorta like this approach), is it possible that I can use another 3rd party as the website to store the username / password (eg. twitter or Facebook are the OAuth providers) .. and all I do is somehow retrieve the custom header data .. and make sure it exists in my db .. else .. get them to authenticate with their OAuth provider?
You are confusing two differing technologies here, OpenID and OAuth (don't feel bad, many people get tripped up on this). OpenID allows you to defer identify tracking and authentication to a provider, and then accept these identities in your application, as the acceptor or relying party. OAuth on the other hand allows an application (consumer) to access user data that belongs to another application or system, without compromising that other applications core security. You would stand up OAuth if you wanted third party developers to access your API on behalf of your users (which is not something you have stated you want to do).
For your stated requirements you can definitely take a look at integrating Open ID into your application. There are many libraries available for integration, but since you asked for an agnostic answer I will not list any of them.
Or is there another way?
Of course. You can store user id's in your system and use basic or digest authentication to secure your API. Basic authentication requires only one (easily computed) additional header on your requests:
Authorization: Basic QWxhZGRpbjpvcGVuIHNlc2FtZQ==If you use either basic or digest authentication then make sure that your API endpoints are protected with SSL, as otherwise user credentials can easily be sniffed over-the-air. You could also fore go user identification and instead effectively authenticate the user at checkout via credit card information, but that's a judgement call.
这篇关于人们如何办理REST风格的API(技术无关)认证的文章就介绍到这了,希望我们推荐的答案对大家有所帮助,也希望大家多多支持IT屋!
