授予API对Rails应用程序访问权限的最佳身份验证方法 [英] Best authentication method to grant API access to Rails app
问题描述
我想向我的Web应用程序提供经过身份验证的API访问.此类服务的使用者通常是其他网站/服务.
I would like to offer authenticated API access to my web app. The consumers of such a service are typically other web sites/services.
验证这些用户的最佳方法是什么? OAuth,openID,http身份验证?
What would be the best method of authenticating these users? OAuth, openID, http authentication?
推荐答案
在我们的工作范围中,哪个最好?"的答案如此之多.是取决于". :)
As so much in our line of work, the answer to "which is best?" is "it depends." :)
-
HTTP身份验证-如果您已经允许客户端通过ID和密码登录到服务,则可能只需要做最少的工作即可使其正常运行与您的API.如果您的API基本上是单一用途的,并且不需要详细的权限,则可以在此处相当快地完成某些工作.
HTTP Authentication - If you're already letting clients log in to your service via an ID and password, you'll probably only have to do minimal work to get this to play nicely with your API. If your API is basically mono-purpose and doesn't require detailed permissions, you can get something working fairly quickly here.
API令牌-如果您希望客户无需提供密码即可轻松进行身份验证(请考虑建立与您的API交互的服务的公司;也许是IT部门.想要开发团队知道密码等),然后将GitHub上的随机API令牌(例如GitHub)附加到用户帐户,可能是最快的方法.另外,您可以提供一种无需更改帐户密码即可重新生成API令牌的方法.
API Token - If you want clients to be able to authenticate easily without providing a password (think companies that build a service that interacts with your API; maybe the IT dept. doesn't want the dev. team knowing the passwords; etc.), then attaching a random API token à la GitHub to the user account is probably the quickest way to go. As a bonus, you can supply a method for regenerating the API token without having to change the account password.
OAuth -如果您具有多个权限或希望对客户端访问API的方式和时间进行更细粒度的控制,那么OAuth是一个不错的选择(OAuth2的使用更加容易与IMO一起使用,并支持获得访问令牌的多种方法).此外,许多语言都有库,gem等,这将使它们简化OAuth工作流程.
OAuth - If you have multiple permissions or want finer-grained control over how and when a client can access your API, OAuth is a pretty good bet (OAuth2 is much easier to work with, IMO, and supports multiple methods of obtaining an access token). Furthermore, many languages have libraries, gems, etc. that will allow them to simplify the OAuth workflow.
这篇关于授予API对Rails应用程序访问权限的最佳身份验证方法的文章就介绍到这了,希望我们推荐的答案对大家有所帮助,也希望大家多多支持IT屋!
