What is an API token


Question

I'm trying to work out the best way to handle user authentication for my mobile application (iOS & Android) and API (PHP).

From what I've researched, the options are:

Basic auth over HTTPS - Check the username/password of the user for every request.

Sessions - Send a session ID with each request; the server maintains state. So the app sends username/password and the server checks for a logged-in user on subsequent requests, just like my website does.

API tokens - The mobile app sends username/password and receives a token back, then appends this to subsequent requests. The token is stored in the DB and checked on each request.

I'm guessing my explanation of API tokens is incorrect, as they seem identical to sessions because I store session IDs in the DB.


  1. Can my explanation of API tokens be corrected? What are they for? How do they differ from session IDs?

  2. What are the advantages of API tokens?

  3. Is OAuth (if we were to simplify its purpose) a protocol for creating API tokens?


Recommended answer

I'm no expert, but I'll give you a couple of cents I've picked up:

1) "API token" is a bit of a general term. Usually an API token is a unique identifier of an application requesting access to your service. Your service would generate an API token for the application to use when requesting your service. You can then match the token they provide to the one you store in order to authenticate.

A session ID can be used, but its purpose is different to the API token. The session ID is not a form of authentication but rather a result of authorisation. Typically a session is established once a user has been authorised to use a resource (such as your service). Therefore a session ID is created when a user is granted access to a resource. An API token is a form of authentication similar to a username/password.

2) API tokens are a replacement for sending some username/password combination over HTTP, which is not secure. However, the problem still exists that someone could take and use the API token instead.

3) In a way, yes. It's a method for keeping API tokens "fresh". Instead of passing around the same API token, you request an access token when you want to use a service. The OAuth 2.0 steps are as follows:

   a) Request sent to the service with credentials of some kind

   b) Successful response returns a code

   c) Another request to the service is made with the code

   d) Successful response returns the access token for signing each API request from then until finish.

A lot of the bigger service providers use OAuth 2.0 at the moment. It's not a perfect solution, but it's probably the most secure, widespread API security method in use at the moment.
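As an added illustration (not code from the question, the answer, or any real OAuth library), the following Python toy models the a)-d) exchange from point 3 and the "match the token they provide to the one you store" check from point 1. It goes slightly beyond the answer by adding the usual mitigations for the stolen-token problem in point 2: codes are single-use and short-lived, tokens expire, and the server stores only hashes of codes and tokens. The `TokenService` class, the `password_record` helper, the users table and the TTL values are all constructed for this demo.

```python
import hashlib, hmac, secrets, time

def password_record(password, salt=None):
    """Salted PBKDF2 hash of a password; the server stores only this, never the password."""
    salt = salt or secrets.token_bytes(16)
    return salt, hashlib.pbkdf2_hmac("sha256", password.encode(), salt, 100_000)

class TokenService:
    """Toy model of steps a)-d): credentials -> short-lived single-use code ->
    access token.  Only SHA-256 hashes of codes and tokens are stored, so a leaked
    database does not hand out usable tokens (hypothetical class, not the page's code)."""

    def __init__(self, users, code_ttl=60, token_ttl=3600, clock=time.time):
        self.users = users        # username -> (salt, pbkdf2 hash), constructed sample
        self.codes = {}           # sha256(code)  -> (username, expiry timestamp)
        self.tokens = {}          # sha256(token) -> (username, expiry timestamp)
        self.code_ttl, self.token_ttl, self.clock = code_ttl, token_ttl, clock

    @staticmethod
    def _h(value):
        return hashlib.sha256(value.encode()).hexdigest()

    def request_code(self, username, password):
        """Steps a)/b): check the credentials and return a one-time code, or None."""
        rec = self.users.get(username)
        if rec is None or not hmac.compare_digest(rec[1], password_record(password, rec[0])[1]):
            return None
        code = secrets.token_urlsafe(32)
        self.codes[self._h(code)] = (username, self.clock() + self.code_ttl)
        return code

    def exchange_code(self, code):
        """Steps c)/d): swap a live code for an access token; the code is consumed."""
        entry = self.codes.pop(self._h(code), None)      # pop() makes the code single-use
        if entry is None or entry[1] < self.clock():
            return None
        token = secrets.token_urlsafe(32)
        self.tokens[self._h(token)] = (entry[0], self.clock() + self.token_ttl)
        return token

    def authenticate(self, token):
        """Per-request check: return the username for a valid, unexpired token, else None."""
        entry = self.tokens.get(self._h(token))
        if entry is None or entry[1] < self.clock():
            return None
        return entry[0]
```

A real deployment would additionally bind the code to the requesting client and send everything over HTTPS, since a token intercepted in transit is exactly the risk point 2 describes.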

