What is OAuth and how does it secure REST API calls?


Problem description


I have mobile application REST API calls which hit my server without any token or security mechanism.

I want to secure my API calls. I am trying to understand what OAuth is and how it will secure my mobile app REST API calls which are hitting my server.

Also I want to know in detail about the below fields which are used in OAuth. From where will I get the below fields?

  • Consumer Key
  • Consumer Secret
  • Token
  • Token Secret
  • Timestamp
  • Nonce

Solution

Since most providers use OAuth 2.0 and OAuth 1.0 has been deprecated by major providers, I will explain OAuth 2.0.

What is OAuth?

OAuth is an open standard for authorization, commonly used as a way for Internet users to log in to third party websites using their Microsoft, Google, Facebook, Twitter, One Network etc. accounts without exposing their password.

You can implement your own OAuth server; here I am explaining social auth, so the term OAuth hereafter refers to social auth with OAuth.

In layman's terms, OAuth lets users log in to your web service with their accounts (Facebook, Google etc.).

Terminology:

  • Client: the user of your API.
  • Resource Owner (api server): your API.
  • Authorization Server (auth server): Facebook/Google etc. auth server.
  • Authorization grant: the method by which you authorize a user. We are using Authorization code here.
  • Authorization code: a code that the auth server returns to the client, which can be exchanged for an access token at the api server.
  • Access Token: a string that identifies a user, usually comes with an expiry period.
  • Consumer Key or APP_ID: a public key used by the auth server to identify your application.
  • Consumer Secret or APP_SECRET: a private key which should be kept confidential.

The below terms have nothing to do with OAuth but are used with OAuth to make it more secure.

  • Timestamp: a string that tells the date and time.
  • Nonce: a number or string which can be used only once.


Source: http://smerity.com/

I will explain the diagram with Facebook login as an example.

Background: consider you have done the below before the diagram is explained.

  1. You register an app with the Facebook developers portal.
  2. Facebook provides you two codes: 1) a secret_key and 2) an app_id.
  3. You designed a button which says "Login with Facebook".

Now the diagram.

  1. Client requests the API server.
  2. API server redirects to the login page saying: "To access the data, please login with Facebook to access the page."
  3. User clicks on the "Login with Facebook" button; a new popup OAuth dialog opens, asking for the Facebook username and password.
  4. User enters his username and password, then allows access to your app. The auth server redirects the user to your website with a code as a parameter in the URL.
  5. API server is called in step 4; the API server captures the code from the URL.
  6. API server calls the auth server with the provided client_secret.
  7. Auth server returns the access token for the user to the API server.
  8. API server asks the auth server for user information for the given access token.
  9. Auth server returns details about the user: profile pic, email etc.
  10. API server identifies the user and sends him the response along with the access token.
  11. Client sends the access token to the api server on the next request.
  12. API server checks if the access token is valid and responds.
  13. When the access token has expired, the client is asked to login again.

Now, how does this secure your API?

Make the portions which need security require login to access them. If the client who makes the request is not logged in to your API, send him to step 2 of the diagram.

So what is a nonce? A timestamp?

If someone steals an access token, he can get access to the API server until the access token expires. So when the user requests a page, the server sends him back a nonce which is stored on the server. The client signs the request with the received nonce and completes the request. As the nonce is only used once, the server deletes the nonce. When an attacker grabs the nonce and makes a fake request to the server, the server rejects the request, as the one-time number is invalid because it was used already.

The timestamp is used to identify the time the token or nonce is created, which is used to expire the token or nonce in a limited time frame (1-2 seconds), the time needed for a request to complete.
