什么是验证点令牌上的REST服务 [英] What is the point of Authentication tokens on REST services
问题描述
什么是使用REST Web服务时使用的认证令牌,而不是通过HTTPS发送的用户名,密码,在您每次请求时间/加密的价值?
据我了解,比如OAUTH有一定的好处,因为你不需要放弃你的密码的第三方,你可以传递一个令牌就是你不想共享的用户名/ password..etc <信任的第三方/ p>
不过,比这个特殊的利益之上,我肯定不需要我的话,为什么我会用,而不是发送用户名/密码令牌每次等。
这可能是为了让生活方便客户端,它不必发送用户名/密码每次。好确定,但那么现在客户端必须记住我的令牌,给我的令牌在每次请求。因此,而不是记忆/现在发送的用户名/密码,它会做的令牌一样!因此,客户端实现code没有得到任何更少。
那么,什么是真正的价值在这里?
这真的取决于具体的方案 - 这是很难说没有更多地了解API - 但用户验证的使用是非常普遍的,你正确的,许多API并不需要(不要使用)它们。许多API只是需要一个API密钥必须与每个请求(通常通过HTTPS prevent重要信息被窃取)发送,或者需要一个API密钥识别用户,也是一个数字签名与秘密钥匙,以证明用户的身份(参见<一href=\"http://stackoverflow.com/questions/1482472/when-working-with-most-apis-why-do-they-require-two-types-of-authentication-na/1501112#1501112\">When与大多数API,为什么他们需要两种类型的身份验证,即密钥和秘密工作?)。
用户名/密码是不是经常在公共API的使用,因为他们不够灵活,不提供用户身份和应用程序的身份之间有足够的分离。例如。您注册成为开发者使用Flickr API和创建使用该API的iPhone应用程序 - 你会真的想你的开发者用户名/密码被内置到应用程序?如果以后更改您的密码是什么?如果你想开发应用5,并分别跟踪使用它们,并且能够关闭在任何时候任何应用程序,而不会影响其他人怎么办?
但是,对于你真的想只能识别一个人的用户,而不是参加办法(如私有API的后端,将只会自己的应用程序,而不是公共API),在大多数情况下我不知道的情况下看到什么错你的建议,即用户名/每个请求的密码通过HTTPS。哦,对了,身份验证令牌都被restrictable额外的好处(可以在一定的时间到期,可以限制只有特定的动作等),但显然这只是在非常特殊的情况下非常有用。
另外:由于用户的丹上述人士指出,设计需要与每个请求发送用户名/密码(或真的任何要求,哪怕它只是登录请求),要小心你如何做到这一点的API时。如果您正在使用哪些浏览器默认支持的技术(如HTTP基本验证),你是$ P $从不断暴露安全API来跨域用户(pventing自己即最有可能你的API不能被安全地直接调用从浏览器,从AJAX /闪光灯/ Silverlight的code IE)。
这是一个复杂的话题,不能完全解释在这里,但是要记住,如果你的API是依赖于任何安全证书,浏览器可以记住,然后默默,在每一个请求注入(如HTTP基本认证,饼干),那么它是不是安全,使跨域访问使用任何交叉域技术(CORS,JSONP,crossdomain.xml的,等等)的API。
What is the value of using a authentication token when using a REST webservice instead of sending a username, password over HTTPS/Encryption each time you make a request?
I understand that for instance OAUTH has some benefits cause you don't need to give away your password to 3rd parties, you can pass a token to trusted 3rd parties whom you dont want to share the username/password..etc
But other than this special benefits above which I certainly dont need in my case, why would I use tokens instead of sending username/password everytime.
This might be to make life easy for client, and it does not have to send the username/password everytime. Well ok but then now client has to remember my token and send me the token on every request. So instead of remembering/sending username/password now it will do the same for tokens! So client implementation code does not get any less.
So what is the real value here?
It really depends on the scenario - it's hard to tell without knowing more about the API - but usage of "authentication tokens" is far from universal, you're right that many APIs don't need (and don't use) them. Many APIs simply require an API key to be sent with every request (often via HTTPS to prevent it from being intercepted), or require an API key to identify the user and also a digital signature with a "secret key" to prove the user's identity (see When working with most APIs, why do they require two types of authentication, namely a key and a secret? ).
Usernames/passwords are not often used in public APIs because they're not flexible enough and do not provide enough "separation" between the user identity and the application identity. E.g. you register as a developer to use the Flickr API and create an iPhone app that uses that API - would you really want your developer username/password to be built into the app? What if you change your password later? What if you want to develop 5 apps and track usage for them separately and be able to shut off any app at any time without affecting the others?
However, for cases where you truly want to identify a human user only, not an appplication (e.g. a private API back-end that will only serve your own applications, not a public API), in most scenarios I don't see anything wrong with what you suggested, i.e. username/password over HTTPS with every request. Oh, by the way, auth tokens have the added advantage of being "restrictable" (can expire at a certain time, can be restricted to certain actions only, etc), but obviously this is only useful in very specific scenarios.
ALSO: As user "Dan" pointed out above, when designing an API that requires sending the username/password with every request (or with any request really, even if it's just the login request), be careful how you do it. If you're using a technique which browsers support by default (e.g. HTTP Basic Auth), you're preventing yourself from ever exposing the API safely to cross-domain users (i.e. most likely your API can never be safely called directly from the browser, i.e. from AJAX / Flash / Silverlight code).
This is a complex topic which can't be explained fully here, but just remember that if your API is relying on any security credentials that the browser can remember and then "silently" inject in every request (e.g. HTTP Basic Auth, cookies), then it's NOT safe to enable cross-domain access to that API using any cross-domain technique (CORS, JSONP, crossdomain.xml, etc).
这篇关于什么是验证点令牌上的REST服务的文章就介绍到这了,希望我们推荐的答案对大家有所帮助,也希望大家多多支持IT屋!
