我应该在后端还是前端进行第三方API调用? [英] Should I make 3rd party API calls in backend or frontend?
问题描述
我有一个API,该API需要来自Microsft Graph API的一些数据.我当时正在考虑在我的API中实现一个端点,以刷新令牌并使用该令牌从前端进行调用.我不知道这是最佳选择还是安全选择,因此是我的问题.
I have an API and that API needs some data from the Microsft Graph API. I was thinking of implementing an endpoint in my API to refresh the token and use that token to make calls from the frontend. I don't know if that's optimal or safe, hence my question.
为了更好地了解我所拥有的,这就是我目前的逻辑.请告诉我这是否正确.
EDIT 1: To give a better perspective of what I have, this is the logic I have at the moment. Tell me if this is correct please.
用户请求我的API的授权终结点,该终结点具有Azure的秘密密钥,然后将用户重定向到Microsft oAuth登录页面.登录oAuth后,Microsoft会将用户重定向到我的API,它将JWT令牌保存在用户的Cookie中,以便用户可以随时刷新令牌.
User requests my API's authorization endpoint, which has the Azure's secret key, then the user is redirected to the Microsft oAuth login page. Once logged in oAuth, Microsoft redirects the user to my API, where it saves the JWT tokens in the user's cookies, so the user can refresh the token anytime.
为了刷新令牌,用户只需简单地调用myapi.com/auth/microsoft/token即可,它具有密钥,然后刷新.
In order to refresh the token, the user simply just makes a call to myapi.com/auth/microsoft/token, where it has the secret key, and it refreshes.
推荐答案
通常,我建议始终从后端进行第3方通话.它使您可以更好地控制并避免任何跨源并发症.
Generally I would recommend always making the 3rd party calls from the back end. It gives you more control and avoids any cross origin complications.
您还想知道任何API密钥.大多数API都需要一个密钥才能访问,并且通常该密钥是私有的,您不想在前端共享.
You also want to be aware of any API keys. Most APIs require a key for access and often that key is private and you wouldn't want to share on the front end.
MS Azure API具有一个应用程序和秘密令牌.您不能将秘密令牌公开给客户端.要直接从客户端调用,您可以使用OAuth来获取JWT令牌,然后可以使用该令牌从SPA调用MS Web API.
MS Azure APIs have an application and secret token. You cannot expose the secret token to the client. To call directly from the client you would use OAuth to get a JWT token and then you can call from the SPA into the MS Web APIs with that token.
相比之下,还有其他第三方API,这些API被设计为只能从前端调用.例如,Stripe是一种支付处理API,其中UI可以直接调用Stripe,然后客户的支付信息实际上不会传递给主机应用程序,而只会传递给Stripe.这样可以提高安全性.
In contrast, there are other 3rd party APIs that are designed to be called only from the front-end. Stripe for example is a payment processing API where the UI can call directly into Stripe and then the client's payment information is never actually passed to the host application, only to Stripe. This improves security.
这篇关于我应该在后端还是前端进行第三方API调用?的文章就介绍到这了,希望我们推荐的答案对大家有所帮助,也希望大家多多支持IT屋!
