What is OAuth and how does it secure REST API calls?


Question

I have mobile application REST API calls which hit my server without any token or security mechanism.

I want to secure my API calls. I am trying to understand what OAuth is and how it will secure my mobile app REST API calls which are hitting my server.

Also I want to know in detail about the below fields which are used in OAuth. From where will I get the below fields?

Consumer Key
Consumer Secret
Token
Token Secret
Timestamp
Nonce

Answer

Since most providers use OAuth 2.0 and OAuth 1.0 has been deprecated by major providers, I will explain OAuth 2.0.

OAuth is an open standard for authorization, commonly used as a way for Internet users to log in to third-party websites using their Microsoft, Google, Facebook, Twitter, One Network etc. accounts without exposing their password.

You can implement your own OAuth server; here I am explaining social auth, so the term OAuth hereafter refers to social auth with OAuth.

In layman's terms, OAuth lets users log in to your web service with accounts (Facebook, Google etc.).

Terminology:

  • Client: the user of your API.
  • Resource Owner (api server): your API.
  • Authorization Server (auth server): Facebook/Google etc. auth server.
  • Authorization grant: the method by which you authorize a user. We are using Authorization code here.
  • Authorization code: a code that the auth server returns to the client, which can be exchanged for an access token at the api server.
  • Access Token: a string that identifies a user; usually comes with an expiry period.
  • Consumer Key or APP_ID: a public key used by the auth server to identify your application.
  • Consumer Secret or APP_SECRET: a private key which should be kept confidential.

The below terms have nothing to do with OAuth but are used with OAuth to make it more secure.

  • Timestamp: a string that tells the date and time.
  • Nonce: a number or string which can be used only once.


Source: http://smerity.com/

I will explain the diagram with Facebook login as an example.

Background. Consider that you have done the below before the diagram is explained.

1. You register an app with the Facebook developers portal.
2. Facebook provides you two codes: 1) a secret_key and 2) an app_id.
3. You designed a button which says Login with Facebook.

Now the diagram.

1. Client requests the API server.
2. API server redirects to the login page saying: to access the data, please log in with Facebook to access the page.
3. User clicks on the Login with Facebook button; a new popup OAuth dialog opens, asking for Facebook username and password.
4. User enters his username and password, then allows access to your app. Auth server redirects the user to your website with a code as a parameter in the URL.
5. API server is called in step 4; API server captures the code from the URL.
6. API server calls the auth server with the provided client_secret.
7. Auth server returns the access token for the user to the API server.
8. API server asks the auth server for user information for the given access token.
9. Auth server returns details about the user: profile pic, email etc.
10. API server identifies the user and sends him the response along with the access token.
11. Client sends the access token to the API server on the next request.
12. API server checks if the access token is valid and responds.
13. When the access token is expired, the client is asked to log in again.

Now, how does this secure your API?

Make the portions which need security login-required to access them. If the client who makes the request is not logged in to your API, send him to step 2 of the diagram.

So what is a nonce? A timestamp?

If someone steals an access token, he can get access to the API server until the access token expires. So when the user requests a page, the server sends him back a nonce which is stored in the server. The client signs the request with the received nonce and completes the request. As the nonce is only used once, the server deletes the nonce. When an attacker grabs the nonce and makes a fake request to the server, the server rejects the request, as the one-time number is invalid because it has already been used.

Timestamp is used to identify the time the token or nonce is created, which is used to expire the token or nonce in a limited time frame (1-2 seconds), the time needed for a request to complete.
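The following is an added illustration, not code from the answer above or from any provider's SDK: an in-process Python simulation of the thirteen-step authorization-code flow and of the nonce/timestamp replay check the answer describes. The `AuthServer` and `ApiServer` classes, the `app_id`/`secret_key` values, the user `alice` and the two-second nonce window are all constructed for this example; nothing here contacts a real auth server.

```python
# Added illustration (not the answer's code): an in-process simulation of the
# authorization-code flow and the nonce/timestamp replay check described above.
import hashlib, hmac, secrets, time


class AuthServer:
    """Stands in for the Facebook/Google auth server (assumed, not a real API)."""
    def __init__(self):
        self.apps = {}    # app_id -> app_secret, as issued by the developer portal
        self.codes = {}   # authorization code -> (app_id, user)
        self.tokens = {}  # access token -> (user, expiry time)
    def register_app(self, app_id, app_secret):
        self.apps[app_id] = app_secret
    def login(self, app_id, user):
        """Steps 3-4: user logs in and approves the app; a one-time code comes back."""
        code = secrets.token_urlsafe(16)
        self.codes[code] = (app_id, user)
        return code
    def exchange_code(self, app_id, app_secret, code):
        """Steps 6-7: code plus app secret are swapped for an access token."""
        if not hmac.compare_digest(self.apps.get(app_id, ""), app_secret):
            raise PermissionError("bad app credentials")
        entry = self.codes.pop(code, None)  # a code can be redeemed only once
        if entry is None or entry[0] != app_id:
            raise PermissionError("unknown or already used code")
        token = secrets.token_urlsafe(24)
        self.tokens[token] = (entry[1], time.time() + 3600)
        return token
    def userinfo(self, token):
        """Steps 8-9: profile details for a valid, unexpired token."""
        user, expiry = self.tokens.get(token, (None, 0))
        if user is None or time.time() > expiry:
            raise PermissionError("invalid or expired token")
        return {"name": user, "email": f"{user}@example.invalid"}


def sign(token, nonce):
    """Client side: sign the request with the received nonce, keyed by the token."""
    return hmac.new(token.encode(), nonce.encode(), hashlib.sha256).hexdigest()


class ApiServer:
    """Your API server: app credentials, logged-in sessions, outstanding nonces."""
    NONCE_WINDOW = 2.0  # seconds; the answer's "1-2 seconds" request window
    def __init__(self, auth, app_id, app_secret):
        self.auth, self.app_id, self.app_secret = auth, app_id, app_secret
        self.sessions = {}  # access token -> user profile
        self.nonces = {}    # nonce -> (token it was issued to, issue time)
    def callback(self, code):
        """Steps 5-10: redeem the code, learn who the user is, keep the session."""
        token = self.auth.exchange_code(self.app_id, self.app_secret, code)
        self.sessions[token] = self.auth.userinfo(token)
        return token
    def issue_nonce(self, token):
        """Hand a fresh nonce to a logged-in client and remember it server-side."""
        if token not in self.sessions:
            raise PermissionError("login required")
        nonce = secrets.token_hex(8)
        self.nonces[nonce] = (token, time.time())
        return nonce
    def handle(self, token, nonce, signature, now=None):
        """Steps 11-13 plus the replay check; the nonce is deleted on first use."""
        now = time.time() if now is None else now
        if token not in self.sessions:
            return 401, "login required"
        entry = self.nonces.pop(nonce, None)
        if entry is None or entry[0] != token:
            return 403, "nonce unknown or already used"
        if now - entry[1] > self.NONCE_WINDOW:
            return 403, "nonce expired"
        if not hmac.compare_digest(sign(token, nonce), signature):
            return 403, "bad signature"
        return 200, self.sessions[token]["name"]


def demo():
    """Run the flow once and return what each check decided (constructed data)."""
    auth = AuthServer()
    auth.register_app("app_id", "secret_key")  # placeholder portal values
    api = ApiServer(auth, "app_id", "secret_key")
    code = auth.login("app_id", "alice")
    token = api.callback(code)
    out = {"user": api.sessions[token]["name"]}
    try:
        api.callback(code)  # redeeming the same authorization code again
        out["code_reuse"] = "accepted"
    except PermissionError:
        out["code_reuse"] = "rejected"
    nonce = api.issue_nonce(token)
    out["first"] = api.handle(token, nonce, sign(token, nonce))[0]
    out["replay"] = api.handle(token, nonce, sign(token, nonce))[0]
    nonce = api.issue_nonce(token)
    out["stale"] = api.handle(token, nonce, sign(token, nonce), now=time.time() + 10)[0]
    out["forged"] = api.handle(token, api.issue_nonce(token), "00" * 32)[0]
    return out
```

Calling `demo()` walks one user through login, code exchange and profile lookup, then shows the four outcomes the answer relies on: the first signed request succeeds, a replay of the same nonce is rejected because the server deleted it, a nonce older than the window is rejected by the timestamp check, and a request whose signature was not made with the nonce is rejected. The authorization code is likewise single-use, so presenting it a second time fails.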
