Protect my public OAuth API from abuse, but allow anonymous access from my app?


Problem description

I have a website and an API. The website allows anonymous people to browse the catalogue, but you must be logged in to post stuff.

I have built an API that exposes the same functionality. The API is used by a mobile app we are developing, but we are also going to allow other developers to use the API (i.e. it's publicly documented). The entire API currently requires OAuth (2.0) authentication. To prevent abuse we use rate-limiting per OAuth client-id/user-id combination.

Now a new requirement for the mobile app has come down: The app should allow anonymous users to browse our catalogue. I am not sure how to implement this, without opening up our API to abuse.

The first problem is allowing anonymous access. If we still want the entire API protected by OAuth then our mobile app will have to use the client-credentials grant type (posting a client-id and secret key). But we would have to store the client-id and secret in the app itself. This is not secure since it can easily be reverse engineered.

Alternatively, we could use dynamic client registration. As soon as an app is installed, it registers with an (undocumented) API to create an OAuth client for itself. Problem here is, how do I protect the client registration endpoint? A secret key again? Plus, this leads to a large amount of OAuth clients registered.

Alternatively, we could remove OAuth from the public endpoints altogether (i.e. browsing the catalogue) and only require OAuth for posting stuff or managing an account. But how would I protect the API from abuse then? Without OAuth I cannot rate-limit based on client-id.

I am not sure that rate-limiting based on IP address would work. We expect many mobile app users and I fear that crappy (Moroccan) mobile telecom providers are NAT-ing a large amount of phone users behind just a few IP addresses. This would quickly exhaust any rate-limit that we set.

Is this correct? Or can I safely rate-limit on IP address for mobile users?

I could also implement a different authentication mechanism alongside OAuth. Something that allows our mobile phone app access to the API, which can distinguish (and rate-limit) different phones/users but which is safe from people just extracting a shared secret key from our mobile app binary.

Any suggestions on how to allow anonymous access to my API but still rate-limit effectively?

Recommended answer

Since the mobile app is installed on a device, if you configure a secret, that secret will be common to all installations of the mobile app, thus derailing the purpose of a secret.

You should do dynamic registration. Here are the steps:

  1. The developer pre-configures the following information with a trusted authority.

{
    "software_id": "COMMON_VALUE_HERE",
    "software_version": "OPTIONAL_BUILD_VERSION",
    "client_name": "HUMAN_READABLE_CLIENT_NAME",
    "client_uri": "OPTIONAL_FOR_CLIENT_CREDENTIALS",
    "logo_uri": "OPTIONAL_FOR_CLIENT_CREDENTIALS",
    "tos_uri": "OPTIONAL_TERMS_OF_USE"
}

  2. The trusted authority generates a "software_statement" in exchange for the information that the developer provided. This contains the information that is constant for all installations of the native app.

  3. After the app is installed on the user device, the app contacts the Authorization server for dynamic registration. The app posts the following to the Authorization server:

{
    "redirect_uri": "OPTIONAL_FOR_CLIENT_CREDENTIALS",
    "scope": "SPACE SEPARATED SCOPES",
    "software_statement": "MANDATORY"
}

  4. The Authorization server verifies the information present in the "software_statement", generates and returns a "client_id" and "client_secret" that are specific to the particular installation of the software.

  5. The client calls the "POST" method on the token endpoint with the newly received "client_id" and "client_secret", and receives an "access_token".

  6. The client uses the "access_token" for accessing the "protected_resource".

The source of my answer is "OAuth 2 in Action" by Manning Publications.
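The registration flow described in steps 2 to 4, followed by per-installation rate limiting, as an added example that is not part of the original answer or of any library: the trusted authority signs the constant app metadata as a software_statement, the authorization server verifies it, issues a fresh client_id/client_secret to each installation, and rate-limits on that client_id rather than on the IP address. It assumes an HS256 key shared between authority and server (a real authority would sign asymmetrically), an in-memory client table, and a fixed-window counter; all names and values are constructed for the demo.

```python
import base64, hashlib, hmac, json, secrets

# Constructed demo key shared by the trusted authority and the authorization
# server (assumption: HS256; a real authority would use an asymmetric key).
AUTHORITY_KEY = b"constructed-demo-key"
CLIENTS = {}          # client_id -> registration record (stand-in for the AS database)
REQUEST_COUNTS = {}   # (client_id, window index) -> hits, for the fixed-window limiter

def _b64url(data: bytes) -> str:
    return base64.urlsafe_b64encode(data).rstrip(b"=").decode()

def _b64url_decode(s: str) -> bytes:
    return base64.urlsafe_b64decode(s + "=" * (-len(s) % 4))

def issue_software_statement(claims: dict) -> str:
    """Trusted authority: sign the developer's constant app metadata as an HS256 JWT."""
    header = _b64url(json.dumps({"alg": "HS256", "typ": "JWT"}).encode())
    payload = _b64url(json.dumps(claims).encode())
    sig = hmac.new(AUTHORITY_KEY, f"{header}.{payload}".encode(), hashlib.sha256).digest()
    return f"{header}.{payload}.{_b64url(sig)}"

def verify_software_statement(token: str) -> dict:
    """Authorization server: accept only statements signed by the trusted authority."""
    header, payload, sig = token.split(".")
    expected = hmac.new(AUTHORITY_KEY, f"{header}.{payload}".encode(), hashlib.sha256).digest()
    if not hmac.compare_digest(expected, _b64url_decode(sig)):
        raise ValueError("invalid software_statement signature")
    claims = json.loads(_b64url_decode(payload))
    if "software_id" not in claims:
        raise ValueError("software_statement lacks software_id")
    return claims

def register_client(request: dict) -> dict:
    """Dynamic registration endpoint: a distinct client_id/client_secret per installation."""
    claims = verify_software_statement(request["software_statement"])
    client_id, client_secret = secrets.token_urlsafe(16), secrets.token_urlsafe(32)
    CLIENTS[client_id] = {"software_id": claims["software_id"],
                          "secret_hash": hashlib.sha256(client_secret.encode()).hexdigest(),
                          "scope": request.get("scope", "")}
    return {"client_id": client_id, "client_secret": client_secret}   # secret returned once

def allow_request(client_id: str, now: int, limit: int = 100, window: int = 60) -> bool:
    """Fixed-window limiter keyed by the per-installation client_id, not the IP."""
    if client_id not in CLIENTS:
        return False
    key = (client_id, now // window)
    REQUEST_COUNTS[key] = REQUEST_COUNTS.get(key, 0) + 1
    return REQUEST_COUNTS[key] <= limit
```

Two installations presenting the same software_statement end up with different client_ids, so one abusive device exhausting its quota does not block the others behind the same NAT address.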
