REST API Authorization & Authentication (web + mobile)


Question

I've read about oAuth, Amazon REST API, HTTP Basic/Digest and so on but can't get it all into "single piece". This is probably the closest situation - Creating an API for mobile applications - Authentication and Authorization (http://stackoverflow.com/questions/3963877/creating-an-api-for-mobile-applications-authentication-and-authorization)

I would like to build an API-centric website - service. So (in the beginning) I would have an API in the center, and the website (PHP + MySQL) would connect via cURL, Android and iPhone via their network interfaces. So 3 main clients - 3 API keys. And any other developer could also develop via the API interface and they would get their own API key. API actions would be accepted/rejected based on userLevel status: if I'm an admin I can delete anything etc., all others can manipulate only their local (account) data.

First, authorization - should I use oAuth + xAuth or some kind of my own implementation (see http://docs.amazonwebservices.com/AmazonCloudFront/latest/DeveloperGuide/RESTAuthentication.html?r=9197)? As I understand, on Amazon's service a user is == an API user (has an API key). On my service I need to separate standard users/accounts (the ones who registered on the website) and Developer Accounts (who should have their own API key).

So I would first need to authorize the API key and then authenticate the user itself. If I use Amazon's scheme to check developers' API keys (authorize their app), which scheme should I use for user authentication?

I read about getting a token via api.example.org/auth after posting my username and password (via HTTPS, HTTP Basic) and then forwarding it on every following request. How to manage tokens if I'm logged in simultaneously on Android and on a website? What about a man-in-the-middle attack if I'm using SSL only on the first request (when username and password are transmitted) and just HTTP on every other? Isn't that a problem in this example, Password protecting a REST service?

Recommended answer

As always, the best way to protect a key is not to transmit it.

That said, we typically use a scheme where every "API key" has two parts: a non-secret ID (e.g. 1234) and a secret key (e.g. byte[64]).


  • 如果你给了一个API密钥,它(咸鱼和散列)存储在你
    服务的数据库中。

  • 如果你给了用户帐号(密码保护),存储
    密码在服务的数据库(咸鱼和散列)

Now when a consumer first accesses your API, to connect, have him


  • 发送一个用户名参数(john.doe不是秘密的)

  • 发送一个APIkeyID参数(1234,不是秘密的)

and give him back


  • 从数据库中的盐的情况下(参数之一是错误的,
    只是给一些回来重复盐 - 例如。
    SHA1(用户名+notverysecret)。

  • 服务器的时间戳

The consumer should store the salt for the session duration to keep things fast and smooth, and he should calculate and keep the time offset between client and server.

The consumer should now calculate the salted hashes of the API key and the password. This way the consumer has the exact same hashes for password and API key as what is stored in your database, but without anything secret ever going over the wire.

Now when a consumer subsequently accesses your API, to do real work, have him


  • 发送一个用户名参数(john.doe不是秘密的)

  • 发送一个APIkeyID参数(1234,不是秘密的)

  • 发送一个RequestSalt参数(字节[64],随机的,不是秘密的)

  • 发送一个RequestTimestamp参数(从客户的时间计算和已知的偏移量)

  • 发送一个RequestToken参数(哈希(passwordhash + request_salt + request_timestamp + apikeyhash))

The server should not accept timestamps more than, say, 2 seconds in the past, to make this safe against a replay attack.

The server can now calculate the same hash(passwordhash + request_salt + request_timestamp + apikeyhash) as the client, and be sure that


  • 客户端知道API密钥,

  • 客户端知道正确的密码
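The handshake and per-request token scheme described in the answer, as an added, self-contained example (not the answerer's code, not part of any project): a server that stores only salted hashes, a client that derives the same hashes once after the handshake and then signs each request with hash(passwordhash + request_salt + request_timestamp + apikeyhash), and server-side verification that rejects timestamps outside the answer's 2-second window. Assumptions of mine, not stated in the answer: SHA-256 for the hashes (the answer only fixes SHA1 for the fake salt), length-prefixing of the concatenated fields, separate salts for the user and the API key, a constant-time comparison of the token, and a set of already-accepted RequestSalt values so that an exact replay inside the window is also refused. All usernames, keys and clock values are constructed sample data.

```python
import hashlib
import hmac
import os
import time

MAX_CLOCK_SKEW_SECONDS = 2.0   # the answer's example: reject timestamps more than ~2 s old


def salted_hash(secret: bytes, salt: bytes) -> bytes:
    """Salted hash: what the database stores and what the client recomputes after the handshake."""
    return hashlib.sha256(salt + secret).digest()


def fake_salt(name: str) -> bytes:
    """Repeatable salt for unknown names (the answer's SHA1(username+notverysecret)),
    so a handshake reply does not reveal whether the account or key exists."""
    return hashlib.sha1(name.encode() + b"notverysecret").digest()


def request_token(passwordhash: bytes, request_salt: bytes,
                  request_timestamp: float, apikeyhash: bytes) -> bytes:
    """hash(passwordhash + request_salt + request_timestamp + apikeyhash) from the answer.
    Each field is length-prefixed (my assumption) so the concatenation cannot be ambiguous."""
    h = hashlib.sha256()
    for part in (passwordhash, request_salt, f"{request_timestamp:.3f}".encode(), apikeyhash):
        h.update(len(part).to_bytes(4, "big") + part)
    return h.digest()


class Server:
    """Holds only salted hashes; never sees a password or API secret after registration."""

    def __init__(self, clock=time.time):
        self.clock = clock             # injectable clock so the flow can be exercised deterministically
        self.users = {}                # username -> {"salt", "passwordhash"}
        self.apikeys = {}              # APIkeyID -> {"salt", "apikeyhash"}
        self.seen_salts = set()        # (username, RequestSalt) already accepted (my addition)

    def register_user(self, username: str, password: str) -> None:
        salt = os.urandom(16)
        self.users[username] = {"salt": salt, "passwordhash": salted_hash(password.encode(), salt)}

    def issue_api_key(self, apikey_id: int, secret: bytes) -> None:
        salt = os.urandom(16)
        self.apikeys[apikey_id] = {"salt": salt, "apikeyhash": salted_hash(secret, salt)}

    def handshake(self, username: str, apikey_id: int) -> dict:
        """First access: return the salts and the server time, a repeatable fake salt for unknown names."""
        user = self.users.get(username)
        key = self.apikeys.get(apikey_id)
        return {
            "user_salt": user["salt"] if user else fake_salt(username),
            "apikey_salt": key["salt"] if key else fake_salt(str(apikey_id)),
            "server_time": self.clock(),
        }

    def verify(self, req: dict) -> bool:
        """Check one signed request; every failure path returns a bare False."""
        age = self.clock() - req["RequestTimestamp"]
        if abs(age) > MAX_CLOCK_SKEW_SECONDS:
            return False                                   # stale (or from the future): outside the window
        user = self.users.get(req["username"])
        key = self.apikeys.get(req["APIkeyID"])
        if user is None or key is None:
            return False
        if (req["username"], req["RequestSalt"]) in self.seen_salts:
            return False                                   # exact replay inside the window
        expected = request_token(user["passwordhash"], req["RequestSalt"],
                                 req["RequestTimestamp"], key["apikeyhash"])
        if not hmac.compare_digest(expected, req["RequestToken"]):
            return False                                   # wrong password and/or wrong API secret
        self.seen_salts.add((req["username"], req["RequestSalt"]))
        return True


class Client:
    """After connect() keeps only the two salted hashes and the clock offset, never the plaintext secrets."""

    def __init__(self, username, password, apikey_id, apikey_secret, clock=time.time):
        self.username, self.apikey_id, self.clock = username, apikey_id, clock
        self._password, self._apikey_secret = password, apikey_secret

    def connect(self, server: Server) -> None:
        hs = server.handshake(self.username, self.apikey_id)
        self.passwordhash = salted_hash(self._password.encode(), hs["user_salt"])
        self.apikeyhash = salted_hash(self._apikey_secret, hs["apikey_salt"])
        self.offset = hs["server_time"] - self.clock()     # answer: keep the client/server time offset
        del self._password, self._apikey_secret           # secrets are not needed after this point

    def sign_request(self) -> dict:
        request_salt = os.urandom(64)                      # answer: byte[64], random, not secret
        request_timestamp = self.clock() + self.offset     # client time corrected by the known offset
        return {
            "username": self.username,
            "APIkeyID": self.apikey_id,
            "RequestSalt": request_salt,
            "RequestTimestamp": request_timestamp,
            "RequestToken": request_token(self.passwordhash, request_salt,
                                          request_timestamp, self.apikeyhash),
        }
```

Two things worth noticing when running it: a client whose clock is minutes off still authenticates, because only the offset learned at the handshake is used, and the stored salted hash is itself the credential the server checks against, exactly as the answer describes, so the database rows deserve the same protection as passwords. The `seen_salts` set grows without bound here; a real deployment would expire entries older than the 2-second window.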

