Stateless RESTful API and 3rd party authentication


Question

I want to use 3rd party authentication (OpenID, maybe OAuth but I guess OAuth is meant for authorization) so that the user can log in easily.

But does authenticating on every request mean I call the 3rd party (e.g. Google) many times even if I don't need anything from it? For example, I use OpenID authentication but the API I use is something internal (e.g. /api/tasks/add).

Recommended answer

Let's fix understanding issues first. OpenID and OAuth are a bit different. There is a simple way to memorize the difference:

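  • OpenID is for humans. A simple example: you want to skip the boring registration step and let users reuse an existing account.
  • OAuth is for services/robots. A simple example: you want your script to access an external API using some user's data.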

There is a simple explanation provided by Wikipedia:

Note that with OpenID, the process starts with the application asking the user for their identity (typically an openid URI), whereas in the case of OAuth, the application directly requests a limited access OAuth Token (valet key) to access the APIs (enter the house) on user's behalf. If the user can grant that access, the application can retrieve the unique identifier for establishing the profile (identity) using the APIs.

So "I want to use 3rd party authentication ... that the user can log in easily" would probably mean you are going to use OpenID.

Answering your question: you do not need to call any third-party services on any request. It will be very inefficient and slow. The OpenID provider will return the user's credentials and you are good to go.

Please make sure you have identified requirements correctly.
