Distributing and using API-keys for web-applications


Question


I have a web-application for which I'm building a Drupal module that allows my customers to access certain data on my application.

I intend to distribute secret API-keys to my customers who need to enter that value in their copy of the Drupal module. This Drupal module then talks to my web-application, but I need to make sure that the POST requests are indeed coming from that source.

How can this 'secret key' be used to pass some information that when my application receives it, it knows:

(a) it's from that client's server.
(b) it hasn't been eavesdropped on / copied and used by someone else?

Should I be using this API-key as a password to encrypt some data that matches the rest of the POST request? When receiving it, I decrypt it using my copy of their API-key and it if matches the rest of the data, I consider it validated?

Is there a frame-work that does this for me? Something within Zend?

Solution

Use HTTPS and just send the API key in the request. It's that simple.

If you use HTTP then you are going to reinvent the wheel.

Update:

Here is an update after reading the comments, because in the question you didn't explain that you want to give the API keys to visitors of the website (in which case you would be screwed no matter what you do).

The comment by juanpaco explains what to do (and what I originally assumed that you're doing anyway) but I'll try to explain it in a little bit more detail.

The most important thing is that you don't use the API key in the web form. The API key is only used in the communication between your customers' servers and your API server.

Here is a simplified explanation:

  1. You give your customer a key and some software/module/library to install on his server.
  2. When a visitor visits your customer's website he sees some HTML generated by your module that does not include any API key and can communicate only with your customer's server (with HTTPS if there is any sensitive information or user accounts involved at all).
  3. Your module on the customer's server gets the request from the visitor.
  4. Your module connects to your server using the API key (with HTTPS).
  5. Your API server responds to the customer's server.
  6. The customer's server responds to the visitor.

Your API key is never sent in cleartext and never given to a website visitor.

This is the only reasonable way to use API keys, and after I first read your question I assumed that you were concerned about the safety of sending your API keys between your servers and the servers of your customers.

If your customers were to give their keys to every visitor of their websites then those visitors would always be able to know them, no matter how hard you would try to make it. Giving visitors API keys and making them possible to use but impossible to read would be impossible. Not hard - impossible. No matter what protocols, encryption or anything you use.

(Thanks to juanpaco for bringing this old answer to my attention.)
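The six-step flow in the answer above, as an added worked example that is not part of the original answer and not the asker's Drupal module. It models the three parties in plain Python: the API server that issued the keys, the customer's server running the module (the only place the key lives), and the visitor who only ever sees generated HTML. The `ApiServer`, `CustomerModule`, `issue_key` and `render_page` names, the `X-Customer-Id` header and all sample keys and data are constructed for the example; the direct `api.handle(...)` call stands in for the HTTPS request from the customer's server to the API server.

```python
"""Constructed model of: visitor -> customer's server (holds key) -> API server.

The API key is only used on the customer-server-to-API-server leg (which would
be HTTPS in practice) and never appears in the HTML returned to the visitor.
"""
from __future__ import annotations

import hmac
import html
import secrets
from dataclasses import dataclass, field


def issue_key() -> str:
    """Step 1: the key you hand to a customer along with the module (random, URL-safe)."""
    return secrets.token_urlsafe(32)


@dataclass
class ApiServer:
    """Your API server: knows each customer's key and serves that customer's data."""
    keys: dict[str, str]                      # customer_id -> API key (sample data)
    data: dict[str, dict] = field(default_factory=dict)
    seen_headers: list = field(default_factory=list)  # what arrived on the API leg

    def handle(self, headers: dict, body: dict) -> tuple[int, dict]:
        """Steps 4-5: authenticate the customer's server, then answer it."""
        self.seen_headers.append(dict(headers))
        customer = headers.get("X-Customer-Id")
        presented = headers.get("Authorization", "")
        expected = self.keys.get(customer)
        # Constant-time comparison: a wrong key is rejected without leaking
        # how many leading characters happened to match.
        if expected is None or not hmac.compare_digest(presented, "Bearer " + expected):
            return 401, {"error": "invalid API key"}
        record = self.data.get(customer, {})
        item = body.get("item")
        return 200, {"item": item, "value": record.get(item)}


@dataclass
class CustomerModule:
    """The module installed on the customer's server; the key is held here only."""
    customer_id: str
    api_key: str
    api: ApiServer        # stands in for an HTTPS client pointed at your API server

    def render_page(self, visitor_request: dict) -> str:
        """Steps 2-3 and 6: take the visitor's request, call the API, return HTML.

        The returned HTML contains a form that posts back to *this* server and
        the looked-up value; it never embeds the API key.
        """
        item = visitor_request.get("item", "")
        status, payload = self.api.handle(
            {"X-Customer-Id": self.customer_id,
             "Authorization": "Bearer " + self.api_key},
            {"item": item},
        )
        form = ('<form method="post" action="/lookup">'
                '<input name="item"><button>Look up</button></form>')
        if status != 200:
            # Do not echo the API error body to the visitor.
            return form + "<p>Service unavailable</p>"
        return (form + f"<p>{html.escape(str(payload['item']))}: "
                f"{html.escape(str(payload['value']))}</p>")


def demo() -> tuple[str, bool]:
    """Run one visitor request through the flow; return (html, key_leaked)."""
    key = issue_key()
    api = ApiServer(keys={"acme": key}, data={"acme": {"widgets": 42}})
    module = CustomerModule("acme", key, api)
    page = module.render_page({"item": "widgets"})
    return page, key in page


if __name__ == "__main__":
    page, leaked = demo()
    print(page)
    print("key leaked to visitor:", leaked)
```

The only place the key is compared is `ApiServer.handle`, and the only place it is sent is inside `render_page`, on the server-to-server call; the visitor's form posts to the customer's own server, which is exactly the separation the answer insists on.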
