OAuth (Access Token) vs API Key


Question

I have come across lots of articles, and many suggest using OAuth over API keys. From my understanding, in OAuth we finally get an access token, and it is valid for many days. One example is that a QuickBooks Online OAuth token is valid for 6 months.

So, the access token is equivalent to an API key. Whoever gets it should keep it secure, just like an API key. And OAuth calls should be made via HTTPS, just like API-key-based calls.

Another advantage over OAuth is authorization. But we can do the same with the API key model. For example, we can define rules in our database like "these API keys can access these APIs".

Now, what is the real advantage of OAuth? If we implement OAuth, we have to ask all our clients to install OAuth-supporting libraries on their servers. And it is a complex task for them and also for us. Whereas in the API key model it is a simple web call with no additional libraries or complexity.

My intention is just to understand OAuth better, not to compare it with and argue against the API key model.

Note:
I'm not talking about the Google & LinkedIn kind of model where users have to see and give permissions. I'm just talking about APIs that we provide to our own customers.

Thanks for your help.

Accepted answer

You need OAuth only when you want to enable a user of your service to allow a third-party client application to access his/her data hosted in your service without revealing his/her credentials (ID & password) to the application.

What a pair of API key & API secret can do is just authentication of a client application. If it is okay for you to allow an authenticated client application to access a user's data without explicit consent by the user, you don't have to use OAuth.
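The contrast the answer draws (and the "rules in our database" model the question proposes), as an added example that is not part of the original question or answer. It is a toy in-memory model: the API key path authenticates only the client application and grants whatever the rule table allows, for any user's data, while the OAuth-style path has the user log in at the authorization server, consent to specific scopes, and hand the client a short-lived, revocable bearer token that carries that delegation without the user's password. The client id, secret, user, password, paths, scope names and lifetimes are all constructed for illustration; nothing here is a real library's API.

```python
"""Added example (not code from the original question or answer): a minimal
in-memory model of the two schemes discussed above. The client id, secret,
user, password, paths and scope names are all constructed for illustration."""
import hashlib
import hmac
import secrets
import time
from dataclasses import dataclass

# ---- API key model: authenticates the CLIENT APPLICATION only ----------------
# Only a hash of the secret is stored, so a leaked table does not yield usable
# credentials. "allowed_apis" is the per-key rule table the question mentions.
API_CLIENTS = {
    "client_acme": {
        "secret_hash": hashlib.sha256(b"acme-secret").hexdigest(),
        "allowed_apis": {"/invoices", "/customers"},
    }
}


def client_authenticates(client_id, client_secret):
    """Constant-time comparison of the presented secret against the stored hash."""
    client = API_CLIENTS.get(client_id)
    if client is None:
        return False
    presented = hashlib.sha256(client_secret.encode()).hexdigest()
    return hmac.compare_digest(client["secret_hash"], presented)


def api_key_check(client_id, client_secret, api_path):
    """API key model: a valid key/secret pair may call any path on its list,
    for any user's data, with no user in the loop."""
    return (client_authenticates(client_id, client_secret)
            and api_path in API_CLIENTS[client_id]["allowed_apis"])


# ---- OAuth-style model: the USER delegates limited access to a client --------
# Plaintext password only to keep the example short; a real service stores a
# password hash. The point is that the client application never sees it.
USERS = {"alice": "alice-password"}
AUTH_CODES = {}   # code -> (user, client_id, scopes); single use
TOKENS = {}       # token -> AccessToken


@dataclass
class AccessToken:
    user: str           # whose data the token grants access to
    client_id: str      # which application the user delegated to
    scopes: frozenset   # what the user consented to
    expires_at: float   # unix time after which the token is dead


def authorize(user, password, client_id, scopes):
    """Authorization server: the user logs in HERE and consents to the client's
    requested scopes. Returns an authorization code for the client, or None."""
    if USERS.get(user) != password:
        return None
    code = secrets.token_urlsafe(16)
    AUTH_CODES[code] = (user, client_id, frozenset(scopes))
    return code


def exchange_code(code, client_id, client_secret, ttl=3600, now=None):
    """Token endpoint: the client authenticates with its own credentials and
    trades the single-use code for a bearer token. Returns the token or None."""
    entry = AUTH_CODES.pop(code, None)      # pop: a code can be redeemed once
    if entry is None or entry[1] != client_id:
        return None
    if not client_authenticates(client_id, client_secret):
        return None
    user, _, scopes = entry
    token = secrets.token_urlsafe(32)
    issued = time.time() if now is None else now
    TOKENS[token] = AccessToken(user, client_id, scopes, issued + ttl)
    return token


def resource_check(token, required_scope, now=None):
    """Resource server: accept the bearer token only if it is known, unexpired
    and carries the scope. Returns the user on whose behalf the call is made."""
    t = TOKENS.get(token)
    current = time.time() if now is None else now
    if t is None or current >= t.expires_at or required_scope not in t.scopes:
        return None
    return t.user


def revoke(token):
    """The user (or the service) can cut off one client without changing the
    user's password, because the token is not the password."""
    TOKENS.pop(token, None)


if __name__ == "__main__":
    code = authorize("alice", "alice-password", "client_acme", ["invoices:read"])
    tok = exchange_code(code, "client_acme", "acme-secret")
    print("api key -> /invoices:", api_key_check("client_acme", "acme-secret", "/invoices"))
    print("token -> invoices:read on behalf of:", resource_check(tok, "invoices:read"))
    print("token -> invoices:write:", resource_check(tok, "invoices:write"))
```

Two things the question's "same as an API key" framing misses show up directly: the token is bound to one user and one scope set, so a leaked token exposes less than a leaked client secret with a broad rule table, and it can be expired or revoked per user and per client without rotating anything the client was configured with.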
