What is an API token


Problem description

I'm trying to work out the best way to handle user authentication for my mobile application (iOS & Android) and API (PHP).

From what I've researched, the options are:

Basic auth over HTTPS - Check username/password of the user for every request.

Sessions - Send a session ID with each request; the server maintains state. So the app sends username/password and the server checks for a logged-in user on subsequent requests, just like my website does.

API tokens - Mobile app sends username/password and receives a token back, then appends this to subsequent requests. Token stored in DB and checked on each request.

I'm guessing my explanation of API tokens is incorrect, as they seem identical to sessions because I store session IDs in the DB.

  1. Could you correct my explanation of API tokens? What are they for, and how do they differ from session IDs?
  2. What are the advantages of API tokens?
  3. Is OAuth (if we were to simplify its use) just a protocol for creating "API tokens"?

Recommended answer

I'm no expert, but I'll give you a couple of cents I've picked up:

1) "API token" is a bit of a general term. Usually an API token is a unique identifier of an application requesting access to your service. Your service would generate an API token for the application to use when requesting your service. You can then match the token they provide to the one you store in order to authenticate.

A session ID can be used, but its purpose is different to the API token's. The session ID is not a form of authentication but rather a result of authorisation. Typically a session is established once a user has been authorised to use a resource (such as your service). Therefore a session ID is created when a user is granted access to a resource. An API token is a form of authentication, similar to a username/password.

2) API tokens are a replacement for sending some username/password combination over HTTP, which is not secure. However, the problem still exists that someone could take and use the API token instead.

3) In a way, yes. It's a method for keeping API tokens "fresh". Instead of passing around the same API token, you request an access token when you want to use a service. The OAuth 2.0 steps are as follows:
   a) Request sent to service with credentials of some kind
   b) Successful response returns a code
   c) Another request to service is made with the code
   d) Successful response returns the access token for signing each API request from then until finish.

A lot of the bigger service providers use OAuth 2.0 at the moment. It's not a perfect solution, but it's probably the most secure, widespread API security method in use today.
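As an added example (not code from the question or the answer above), here is a minimal in-memory token service in Python that shows the two mechanisms the answer describes: an API token issued after a username/password check, stored only as a hash and verified on every request (answer points 1 and 2), and the OAuth 2.0-style exchange of a short-lived, single-use code for an access token (answer point 3, steps a-d). The question's backend is PHP; the logic carries over unchanged (PHP's `password_hash()`/`password_verify()` would replace the PBKDF2 calls). The class and function names (`TokenService`, `issue_token`, `exchange_code`, and so on), the TTL values and the user records are all constructed for this example.

```python
"""Minimal token service (added example; names, TTLs and users are constructed)."""
import hashlib
import hmac
import os
import secrets
import time


class TokenService:
    CODE_TTL = 60        # seconds a one-time authorization code stays valid (assumed)
    TOKEN_TTL = 3600     # seconds an access token stays valid (assumed)
    PBKDF2_ROUNDS = 100_000

    def __init__(self, clock=time.time):
        self.clock = clock   # injectable clock so expiry can be tested offline
        self.users = {}      # username -> (salt, PBKDF2-SHA256 digest)
        self.codes = {}      # sha256(code)  -> (username, expires_at)
        self.tokens = {}     # sha256(token) -> (username, expires_at)

    # ---- user store (stand-in for the question's users table) ----
    def add_user(self, username, password):
        salt = os.urandom(16)
        digest = hashlib.pbkdf2_hmac("sha256", password.encode(), salt, self.PBKDF2_ROUNDS)
        self.users[username] = (salt, digest)

    def check_password(self, username, password):
        rec = self.users.get(username)
        if rec is None:
            return False
        salt, digest = rec
        cand = hashlib.pbkdf2_hmac("sha256", password.encode(), salt, self.PBKDF2_ROUNDS)
        return hmac.compare_digest(cand, digest)   # constant-time comparison

    @staticmethod
    def _h(secret):
        # Only a hash of the secret is stored, so a dump of the DB does not
        # hand out usable bearer credentials. Tokens carry 256 bits of
        # randomness, so an unsalted SHA-256 lookup key is sufficient here.
        return hashlib.sha256(secret.encode()).hexdigest()

    # ---- option 3 in the question: API token issued after login ----
    def issue_token(self, username, password):
        """Step 'login': check username/password, hand back a fresh token."""
        if not self.check_password(username, password):
            return None
        token = secrets.token_urlsafe(32)
        self.tokens[self._h(token)] = (username, self.clock() + self.TOKEN_TTL)
        return token

    def authenticate(self, token):
        """Per-request check: returns the username the token belongs to, or None."""
        key = self._h(token)
        rec = self.tokens.get(key)
        if rec is None:
            return None
        username, expires_at = rec
        if self.clock() >= expires_at:
            del self.tokens[key]   # expired tokens are purged on first use
            return None
        return username

    def revoke(self, token):
        """Server-side logout; limits the damage if a token was stolen."""
        return self.tokens.pop(self._h(token), None) is not None

    # ---- OAuth 2.0-style exchange: credentials -> code -> access token ----
    def issue_code(self, username, password):
        """Steps a/b: credentials in, short-lived one-time code out."""
        if not self.check_password(username, password):
            return None
        code = secrets.token_urlsafe(16)
        self.codes[self._h(code)] = (username, self.clock() + self.CODE_TTL)
        return code

    def exchange_code(self, code):
        """Steps c/d: code in, access token out. The code is consumed either way."""
        rec = self.codes.pop(self._h(code), None)   # single use
        if rec is None:
            return None
        username, expires_at = rec
        if self.clock() >= expires_at:
            return None
        token = secrets.token_urlsafe(32)
        self.tokens[self._h(token)] = (username, self.clock() + self.TOKEN_TTL)
        return token


if __name__ == "__main__":
    svc = TokenService()
    svc.add_user("alice", "correct horse battery staple")   # constructed user
    t = svc.issue_token("alice", "correct horse battery staple")
    print("direct token ->", svc.authenticate(t))
    c = svc.issue_code("alice", "correct horse battery staple")
    t2 = svc.exchange_code(c)
    print("token from code ->", svc.authenticate(t2), "| code reuse ->", svc.exchange_code(c))
```

Two design choices answer the answer's own caveat that "someone could take and use the API token": the token is the only thing the client ever stores (never the password), it expires and can be revoked server-side, and the server keeps only a hash of it, so neither a database dump nor a timing difference in the lookup yields a usable credential. The authorization code is single-use and lives for seconds, which is what makes it safe to pass through a redirect in the real OAuth 2.0 flow.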

