没有用户身份验证的安全REST API(无凭据) [英] Secure REST API without user authentification (no credentials)

问题描述

关于如何在不经过用户身份验证的情况下保护REST API的问题，我已经进行了2天的努力.

I've been struggling for 2 days now on how to secure a REST API without user authentification.

这是什么意思?

在AngularJS应用程序中，我通过将GET请求发送到必须使用的现有服务(companydomain/userinfo)来识别用户.我不确定这是如何工作的，因为我不是这段代码的作者，但重点是我在响应中以JSON(活动目录名，公司电话...)获取了有关用户的信息.

In my AngularJS application I identify an user by sending a GET request to an existing service (companydomain/userinfo) which I must use. I'm not sure how this work since I am not the author of this piece of code but the point is that I get the information about the user in the response as JSON (active directory name, phone in the company...).

这就是我要识别用户的全部内容.

This is all I have to identify an user.

我做什么

现在，我发现了很多有关OAuth，唯一令牌等的资源，但似乎与我的问题不符.我实现了令牌系统，但由于无法确定请求者的真实性，因此它毫无用处.

Now, I found a lot of resources talking about OAuth, unique token, etc. but nothing seems to match with my issue. I implemented a token system but it's plain useless since I can't be sure of the authenticity of the requester.

1. 用户打开应用程序.应用程序向服务询问有关用户的信息. companydomain/userinfo
2. 应用程序根据返回的信息向服务器请求令牌(nodejs& express). /api/token/get/{user_info}
3. 服务器生成一个唯一的令牌，并将其与到期日期和所有者一起存储在内存中.服务器还会在授权用户"表中签入该用户是否存在(基于活动目录名称)，如果没有，则向其中添加新条目.
4. 应用程序将令牌与每个请求一起发送给API. /api/entry/delete/{entry_id}

1. User open the application. Application ask the service about the information related to the user. companydomain/userinfo
2. Application request a token to the server (nodejs & express), based on the information returned. /api/token/get/{user_info}
3. Server generates an unique token and store it in memory with expiration date and owner. The server also check in the table "authorized users" if the user exists (based on the active directory name), if not a new entry is added to it.
4. Application send the token along each request to the API. /api/entry/delete/{entry_id}

我认为您在这里看到了什么地方出了问题，攻击者可以轻松地向API提出已损坏的请求以获取合法令牌.所以我的问题是:

I think you see what is wrong here, an attacker could easily make a corrupted request to the API to get a legit token. So my question is :

由于用户不使用凭据进行身份验证，我该如何保护我的API?

我希望我的问题很清楚，并且在这一点上，我什至不确定如果不添加凭证系统就可以解决这个问题.

I hope my question is clear enough and at this point I am not even sure I can get around this issue without adding a credentials system.

推荐答案

由于您说用户信息端点返回了活动目录名，所以我假设您使用的是Windows平台.

Because you say that the user info endpoint returns active directory name, I assume you're on the Windows platform.

如果是这样，为什么不使用 Windows集成身份验证( Kerberos )来对用户进行身份验证而不要求他们提供凭据?这仅在您的活动目录域中有效，但对您的服务完全透明.

If so, why not use Windows integrated authentication (Kerberos) to authenticate your users without asking them for credentials? This will only work within your active directory domain, but is completely transparent to your service.

您仍然可以调用用户信息终结点，并验证返回的信息是否与调用REST服务的用户相同.

You can still call the user info endpoint and verify that the info it returns is for the same user that is calling your REST service.

如果需要调用不支持Windows集成身份验证的服务，则可以生成安全性令牌(签名以保证完整性)，并使其他服务信任此令牌.

If you need to call services that do not support Windows integrated auth, you could generate a security token (sign it to guarantee integrity) and make the other services trust this token.

这篇关于没有用户身份验证的安全REST API(无凭据)的文章就介绍到这了，希望我们推荐的答案对大家有所帮助，也希望大家多多支持IT屋！