创建令牌系统进行身份验证Web服务调用的最佳方式？ [英] Best way to create a TOKEN system to authenticate web service calls?

问题描述

我想创建一个Web服务架构，可以通过各种平台被称为如移动设备，应用程序的WinForms，iPhone，黑莓，你的名字。因此，与像WCF和wsHttp将结合可能杀死这一点，我需要降级到basicHttp兼容性结合。

I'd like to create a web service architecture that can be called by various platforms such as mobile devices, winforms applications, iphone, blackberry, you name it. So going with something like WCF and wsHttp binding probably kills this and I would need to downgrade to a basicHttp binding for compatibility.

随着中说，我需要一个系统生成的初始登录（认证）令牌，然后使用该令牌随后所有的电话，我想，以验证认证并允许方法来执行。

With that said, I need a system to generate a token on initial login (authentication) and then use this token for all subsequent calls, I guess, to validate the authentication and allow the method to execute.

任何人有如何去这个提示或建议？ 1）生成令牌，什么是涉及安全令牌？ 2）有多长，一些用户可能会使用他们的申请时间和令牌好甚至可能休眠自己的电脑

Anyone have tips or suggestions on how to go about this? 1) Generate a token and what's involved in a secure token? 2) How long is the token good for, some users may use their application for hours and possibly even "sleep" their computer

感谢您的意见。

推荐答案

如果你只使用一个令牌，该令牌被首次认证服务器发出，如果它的拦截可以用于任何请求。你唯一的防御是到期时间。

If you're only using one token which is given by the server on the initial authentication, it can be used for any request if it's intercepted. Your only defense is the expiration time.

除此之外，它取决于你的实施选项是什么。

Beyond that, it depends on what your implementation options are.

一个更安全的系统是一个时间戳（也可能是一个随机数）添加到每个请求，签署，并包括与每个请求。它要求客户端处理身份验证凭据，知道签约实施，标志牌每个请求。

A more secure system is to add a timestamp (and possibly a nonce) to each request, sign that, and include that with each request. It requires that the client handles the authentication credentials, knows the signing implementation, and signs each request.

您可以交替让服务器与每个请求（可以通过OpenID来完成）认证或交出了一些令牌和需要更多的时候重新认证（可以通过OAuth做）的。如果客户端可以存储凭证，这些可以是对用户不可见。这些都是比较复杂的，需要加密传输，如SSL进行一些互动，并能讲HTTP重定向和处理Cookie或其他存储状态的客户端。客户端就不必知道如何注册，但如果你能做到SSL，你可能不需要复杂性摆在首位。

You could alternately have the server authenticate with each request (which could be done with OpenID) or hand out a number of tokens and re-authenticate when more are needed (which could be done with OAuth). If the client can store credentials, these can be invisible to the user. These are more complex, requiring an encrypted transport such as SSL for some of the interactions, and a client which can speak HTTP redirects and handle cookies or other stored state. The client wouldn't have to know how to sign, but if you can do SSL, you probably don't need the complexity in the first place.

如果你并不需要成为客户端无关，你可能要签名的请求。

If you don't need to be client-agnostic, you probably want to sign requests.

有关签署实施，示例和库，看看亚马逊Web服务的OpenID，OAuth的或

For signing implementations, examples, and libraries, look at Amazon Web Services, OpenID, or OAuth.

关于令牌到期时间，它取决于你的需求。更长的使用寿命令牌窗口增加重放攻击。一个随机数，使令牌单次使用，但需要在服务器上的多个国家。

Regarding the token expiration time, it depends on your needs. A longer token life increases the window replay attacks. A nonce makes a token single-use, but requires more state on the server.

这篇关于创建令牌系统进行身份验证Web服务调用的最佳方式？的文章就介绍到这了，希望我们推荐的答案对大家有所帮助，也希望大家多多支持IT屋！