REST Web服务和API密钥 [英] REST web service and API keys

问题描述

我有一个向用户提供的Web服务，可以利用我的应用程序数据库并获取一些信息.用户必须注册一个API密钥，并在发出请求时提供该密钥.一切正常，但是我该如何检查注册密钥的用户是否实际上是在发出请求，而不是向他提供密钥的其他人呢?

I have a web service I'm offering to users to tap into my applications database and get some info. Users have to register for an API key and provide that when making requests. Everything works fine but how do I check if the users who registered for a key is actually making the request and not somebody else who he might have given the key to?

最近两天我一直在想出一个解决方案，但到目前为止还没有.

I've been thinking for the last two days to come up with a solution but nothing so far.

推荐答案

您需要使用已签名的请求.基本上是这样的:

You need to use signed requests. Basically it works like that:

• 您给用户一个API密钥 和一个只有您和客户才知道的秘密"(随机字符串).
• 每当他们发出请求时，便会向其添加一个签名"参数.此签名基本上是请求参数+ API密钥+其他参数(如下所示)+机密的散列.
• 由于您也知道秘密，因此可以验证签名是正确的.

• You give your user an API key and a "secret" (a random string) that only you and the client know.
• Whenever they make a request, they add a "signature" parameter to it. This signature is basically a hash of the request parameters + the API key + other parameters (see below) + the secret.
• Since you know the secret too, you can verify that the signature is correct.

为避免重播攻击，您还可以在混音中添加随机数和时间戳.随机数只是一个数字，客户端必须在每次请求时对其进行递增.收到请求后，请检查您之前是否已收到此随机数/时间戳.如果您这样做了，则您拒绝该请求(因为它很可能是重播攻击).如果不是，则将现时/时间戳记存储在数据库中，以便以后查找.

To avoid replay attacks, you can also add nonces and timestamps into the mix. A nonce is simply a number that must be incremented by the client on each request. When you get the request, you check if you've already received this nonce/timestamp before. If you did, you reject the request (because it's most likely a replay attack). If not, you store the nonce/timestamp in your database so that you can look it up later on.

这或多或少是在 OAuth 中签名的方式.在链接中查看他们的示例.

This is more or less how requests are signed in OAuth. Have a look at their example in the link.

这篇关于REST Web服务和API密钥的文章就介绍到这了，希望我们推荐的答案对大家有所帮助，也希望大家多多支持IT屋！