Which authentication strategy should I use for my API?


Question


I have a client-side angular-js application. And I have a server-side nodejs API. The client-side and the server-side application are located on different domains. The client-side use API for getting or posting some data. Also the client-side needs to get images from the server-side and show them in a browser.


I use passport nodejs module for the authentication. I don't know which authentication strategy is better for me. I think that there are two types of authentication strategies: token-based and cookie-based. And I think that both types are useless in my case:


1. If I use a token-based strategy, then I should send the token in the Authorization header with each API request. I can send the header in AJAX requests, but if I want to show images located on the server side I have a problem, because browsers will not send the header in <img> tags.

2. If I use cookies, then I don't have the problem with images. But I have problems with AJAX requests, because the session cookie is stored on the server-side application's domain. And if I send AJAX requests from the client-side domain, then I should send cookies with each request. I use XmlHttpRequest for AJAX and I should use the withCredentials option (http://stackoverflow.com/questions/21850454/how-to-make-xmlhttprequest-cross-domain-withcredentials-http-authorization-cor) for sending cookies. But in cross-domain requests browsers will send a preflight (OPTION) request before each AJAX request, and browsers will not send cookies with the OPTION request. This is a problem for me because the server-side API cannot make a correct response to an OPTION request if it is not authorized.


What is the adopted solution?

Recommended answer

It is important to understand the difference between web applications and web services. A web application serves markup, JavaScript, CSS and image files and often uses cookie based authentication (but can use any other implicit authentication mechanism, see http://leastprivilege.com/2015/04/01/implicit-vs-explicit-authentication-in-browser-based-applications/). Any request the browser makes is automatically authenticated.


Web services on the other hand often use bearer token authentication. When a client in a browser, fat client or on a mobile device communicates with the API, it sends along a token in the Authorization header of the HTTP request. The header has to be explicitly attached to the request in the JavaScript or native code executing the HTTP request.


In Single Page Applications (SPA), the web application is missing and the markup, JavaScript, CSS and images are served from the browser without authentication. Only the requests to the web services are authenticated, typically using a JWT token.


In your case, if you want only authorized users to be able to download images, and other files, you should consider building a web application. Use a security protocol like or OpenID Connect to authenticate your users. Choose an authorization server that supports both OpenID Connect for your web application and OAuth2 for your web service.
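The problem described in the question (the preflight carries no cookies, so an auth-first API rejects it) and the cookie-versus-bearer split described in the answer, as an added example that is not code from either poster: a dependency-free Node.js request handler written as a pure function so it runs without a network. The client origin https://app.example.com, the session id and the bearer token are assumed/constructed values.

```javascript
// Added example (not from the question or the answer). The CORS preflight
// (OPTIONS) carries neither cookies nor an Authorization header, so it is
// answered before any authentication check, and only for an allow-listed
// origin. The real request is then authenticated by a bearer token
// (web-service style) or by a session cookie sent via withCredentials
// (web-application style).
const ALLOWED_ORIGINS = new Set(['https://app.example.com']);           // assumed client origin
const SESSIONS = new Map([['s3ss10n-constructed', { user: 'alice' }]]);  // constructed store
const TOKENS = new Map([['t0k3n-constructed', { user: 'bob' }]]);        // constructed store

// Parse a Cookie header ("a=1; b=2") into a plain object.
function parseCookies(header) {
  const jar = {};
  for (const part of (header || '').split(';')) {
    const eq = part.indexOf('=');
    if (eq > 0) jar[part.slice(0, eq).trim()] = part.slice(eq + 1).trim();
  }
  return jar;
}

// req = { method, headers: { origin, cookie, authorization } } with lower-case header names.
function handle(req) {
  const origin = req.headers.origin;
  const headers = {};
  if (origin && ALLOWED_ORIGINS.has(origin)) {
    // Browsers reject '*' when credentials are sent, so echo the exact allowed origin.
    headers['Access-Control-Allow-Origin'] = origin;
    headers['Access-Control-Allow-Credentials'] = 'true';
    headers['Vary'] = 'Origin';
  }
  if (req.method === 'OPTIONS') {
    // Preflight is unauthenticated by design; only declare what the real request may carry.
    if (headers['Access-Control-Allow-Origin']) {
      headers['Access-Control-Allow-Methods'] = 'GET, POST, OPTIONS';
      headers['Access-Control-Allow-Headers'] = 'Authorization, Content-Type';
      headers['Access-Control-Max-Age'] = '600';
    }
    return { status: 204, headers, body: null };
  }
  // Real request: bearer token first, otherwise the session cookie.
  const auth = req.headers.authorization || '';
  let principal = null;
  if (auth.startsWith('Bearer ')) principal = TOKENS.get(auth.slice(7).trim()) || null;
  else principal = SESSIONS.get(parseCookies(req.headers.cookie).sid) || null;
  if (!principal) return { status: 401, headers, body: null };
  return { status: 200, headers, body: { user: principal.user } };
}
```

An unlisted origin still gets a 204 on the preflight but no Access-Control-Allow-Origin header, so the browser blocks the real request itself.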
