RESTful API Authentication

Question

I have found quite a few questions on this topic on SO, but couldn't find any answering this question:

Should I validate users with their username and password, or with an API key? And what are the pros and cons of each method?

I ask this because in my API there are a couple of methods I'd like to lock down and verify that the user has access to some document or action. I'm a bit reluctant to authenticate by having the user send an HTTP AUTH header with their username and password because it feels unsecured and is a bit more of a hassle for the user. On the other hand, though, if I use an API key, what's the point of the user ever creating a password, as they will no longer be using it to access features of the API?

Update

If other readers of this are curious what I ended up using, I decided to copy how Amazon does their validation (good explanation here: http://www.thebuzzmedia.com/designing-a-secure-rest-api-without-oauth-authentication/)

Answer

You can use HTTP Authentication over SSL and that's secure enough. However, it makes consumption of the API a bit difficult as it requires the client library to support SSL. SSL can affect the performance too if you're expecting too many calls simultaneously.

The API key option is just as insecure as HTTP Authentication without SSL. If you're not concerned with security then an API key is the easiest for consumers of the API.
