Appropriate choice of authentication class for python REST API used by web app


Problem description



I would like to build a REST API using the Django REST framework. Initially its client would be a web application, but conceivably future clients could include mobile applications.

Unfortunately I'm finding the list of authentication classes listed in the documentation a little confusing. It looks like TokenAuthentication would meet my needs. I would rather avoid the cognitive overhead of OAuth unless there is a compelling security reason to go that way.

This is a decision I want to get right at this very early stage. Can anyone provide any advice?

Edit: Although hopefully not relevant, I thought I'd mention I'll be using Neo4j as a back-end for the application, not a conventional SQL database.

Solution

Django REST Framework gives you the flexibility of having multiple authentication methods. Since I've got some time, and it will be useful to future visitors who have similar questions, I'll outline the benefits of the most common authentication methods.

Initially its client would be a web application, but conceivably future clients could include mobile applications.

Typically when working with web applications that are on the same domain and Django instance as the API, most people use SessionAuthentication as it interacts with the server using the existing authentication methods. Authentication works seamlessly, so you don't need to go through the second authentication step.

Most APIs also support some form of BasicAuthentication, most likely because it is the easiest to test with but also because it is the easiest to implement. For your web application, this isn't the recommended authentication method, but for your mobile application it's not uncommon to see it being used. I personally would recommend a token-based authentication, so you don't have to worry about clients intercepting users' credentials.

It looks like TokenAuthentication would meet my needs.

Many people use TokenAuthentication because it is relatively simple to understand and use, and it seems to meet everyone's needs at first. Tokens are directly attached to users, and they do not automatically rotate (though you can make them automatically rotate), so every client working on behalf of the user gets the same token. This can be an issue if you ever need to revoke the token, as all other clients will have their token invalidated as well.

I would rather avoid the cognitive overhead of OAuth unless there is a compelling security reason to go that way.

OAuth 2 (OAuth2Authentication) gives you token rotation and token expiration on top of the benefits of TokenAuthentication. There's also the benefit of being able to revoke individual tokens without affecting other clients who are authenticating for the user. You can also limit clients to individual areas of your API through the use of scopes, which is useful if you have certain areas of the API that are more often used than others.

I'm also going to mention JSON Web Tokens, because while I haven't used it, it's been showing up quite a bit in the support channels. It works very similarly to TokenAuthentication as far as retrieving tokens, but it has the added benefit of unique tokens for clients and token expiration.
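The answer's central point is the revocation difference between one non-rotating token per user (the TokenAuthentication model) and one expiring token per client (the OAuth 2 / JWT model). The following is an added example, not code from the question, the answer or Django REST framework itself: a framework-free model of both token stores so the two behaviours can be compared side by side. The class names, the hashed token store, the `ttl` parameter and the fixed clock value are this example's own assumptions.

```python
"""Added example: two bearer-token store designs contrasted in the answer above.

SingleUserToken  - one token per user, no automatic rotation (TokenAuthentication
                   model): revoking it logs out every client at once.
PerClientTokens  - one expiring token per (user, client) pair (OAuth 2 / JWT
                   model): one client can be revoked without touching the others.

Everything here (names, storage layout, expiry handling) is an assumption of this
example, not Django REST framework's implementation.
"""
import hashlib
import secrets
import time
from typing import Dict, Optional, Tuple


def _fingerprint(token: str) -> str:
    """The server keeps only a SHA-256 of each token, never the token itself,
    so a leaked store does not hand out usable credentials."""
    return hashlib.sha256(token.encode("ascii")).hexdigest()


class SingleUserToken:
    """One token per user that never rotates on its own."""

    def __init__(self) -> None:
        self._user_by_hash: Dict[str, str] = {}
        self._hash_by_user: Dict[str, str] = {}

    def issue(self, user: str) -> str:
        # Issuing again for the same user replaces the old token: manual rotation.
        token = secrets.token_urlsafe(32)
        old = self._hash_by_user.pop(user, None)
        if old is not None:
            self._user_by_hash.pop(old, None)
        digest = _fingerprint(token)
        self._hash_by_user[user] = digest
        self._user_by_hash[digest] = user
        return token

    def authenticate(self, token: str) -> Optional[str]:
        # Lookup is by digest, so no plaintext comparison of secrets happens here.
        return self._user_by_hash.get(_fingerprint(token))

    def revoke(self, token: str) -> None:
        user = self._user_by_hash.pop(_fingerprint(token), None)
        if user is not None:
            self._hash_by_user.pop(user, None)


class PerClientTokens:
    """One expiring token per (user, client) pair."""

    def __init__(self) -> None:
        # token digest -> (user, client, expires_at as epoch seconds)
        self._grants: Dict[str, Tuple[str, str, float]] = {}

    def issue(self, user: str, client: str, ttl: float,
              now: Optional[float] = None) -> str:
        now = time.time() if now is None else now
        token = secrets.token_urlsafe(32)
        self._grants[_fingerprint(token)] = (user, client, now + ttl)
        return token

    def authenticate(self, token: str, now: Optional[float] = None) -> Optional[str]:
        now = time.time() if now is None else now
        digest = _fingerprint(token)
        grant = self._grants.get(digest)
        if grant is None:
            return None
        user, _client, expires_at = grant
        if now >= expires_at:
            # Expired grants are dropped so the store does not grow without bound.
            del self._grants[digest]
            return None
        return user

    def revoke(self, token: str) -> bool:
        return self._grants.pop(_fingerprint(token), None) is not None


def demo_single_token() -> dict:
    """Both clients hold the user's single token; revoking for one hits both."""
    store = SingleUserToken()
    shared = store.issue("alice")
    web, mobile = shared, shared          # every client gets the same token
    before = (store.authenticate(web), store.authenticate(mobile))
    store.revoke(mobile)                  # e.g. the phone was lost
    after = (store.authenticate(web), store.authenticate(mobile))
    return {"before": before, "after": after}


def demo_per_client_tokens() -> dict:
    """Each client has its own grant; revocation and expiry are per client."""
    now = 1_700_000_000.0                 # constructed fixed clock for determinism
    store = PerClientTokens()
    web = store.issue("alice", "web", ttl=3600, now=now)
    mobile = store.issue("alice", "mobile", ttl=3600, now=now)
    store.revoke(mobile)
    after_revoke = (store.authenticate(web, now), store.authenticate(mobile, now))
    expired = store.authenticate(web, now + 3601)
    return {"after_revoke": after_revoke, "expired": expired}


if __name__ == "__main__":
    print(demo_single_token())
    print(demo_per_client_tokens())
```

Run the file directly to see the two outcomes: the single-token store answers `(None, None)` for both clients after one revocation, while the per-client store keeps the web session alive after the mobile grant is revoked and rejects it only once its `ttl` has elapsed.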

