API设计:HTTP基本身份验证与API令牌 [英] API Design: HTTP Basic Authentication vs API Token

问题描述

我目前正在针对Web应用程序在公共Web API上创建一个身份验证系统.鉴于每个用户帐户都有一个API密钥，并且每个请求都必须经过身份验证，所以我有两种选择:

I'm currently creating an authentication system on front of a public web API for a web application. Given that each user account has an API key and each request must be authenticated, I have two alternatives:

1. 像GitHub一样，使用HTTP基本身份验证， .

请求必须发送到URL

Requests must be sent to the URL

http://api.example.com/resource/id
with basic authentication
username: token
password: the api key

将API令牌作为查询字符串参数传递.

Passing the API Token as querystring parameter.

请求必须发送到URL

Requests must be sent to the URL

http://api.example.com/resource/id?token=api_key

还有第三个选择，它是在URI中传递令牌，但老实说，我不喜欢这种解决方案.

There's also a third option which is passing the token within the URI, but I honestly don't like that solution.

您将采用哪种解决方案，为什么?

Which solution would you adopt and why?

推荐答案

我认为HTTP Basic Auth应该可以，但仅用于非常简单的需求.

I think that HTTP Basic Auth should be OK but just for really simple needs.

恕我直言，完整(也是最终)的解决方案是实施 OAuth 提供程序. 它并不复杂，它是一个简单的协议，并为您提供了很大的灵活性. 此外，这似乎是当前的趋势，因为许多大型企业都在实施它，并且许多库都对此提供了支持.

The complete (and final) solution IMHO is to implement an OAuth provider. It's not complex, it's a simple protocol and gives you lots of flexibility. In addition it seems to be the current trend as many big players implement it and it's supported from many many libraries.

这篇关于API设计:HTTP基本身份验证与API令牌的文章就介绍到这了，希望我们推荐的答案对大家有所帮助，也希望大家多多支持IT屋！