API Keys vs HTTP Authentication vs OAuth in a RESTful API


Question

I'm working on building a RESTful API for one of the applications I maintain. We're currently looking to build various things into it that require more controlled access and security. While researching how to go about securing the API, I found a few different opinions on what form to use. I've seen some resources say HTTP-Auth is the way to go, while others prefer API keys, and even others (including the questions I found here on SO) swear by OAuth.

Then, of course, the ones that prefer, say, API keys, say that OAuth is designed for applications getting access on behalf of a user (as I understand it, such as signing into a non-Facebook site using your Facebook account), and not for a user directly accessing resources on a site they've specifically signed up for (such as the official Twitter client accessing the Twitter servers). However, the recommendations for OAuth seem to be even for the most basic of authentication needs.

My question, then, is: assuming it's all done over HTTPS, what are some of the practical differences between the three? When should one be considered over the others?

Recommended answer

It depends on your needs. Do you need:

  • Identity - who claims to be making the API request

  • Authentication - are they really who they say they are

  • Authorization - are they allowed to do what they are trying to do

or all three?

If you just need to identify the caller to keep track of volume or number of API calls, use a simple API key. Bear in mind that if the user you have issued the API key to shares it with someone else, they will be able to call your API as well.

But, if you need authorization as well, that is, you need to provide access only to certain resources based on the caller of the API, then use OAuth.

Here's a good description: http://blog.apigee.com/detail/do_you_need_api_keys_api_identity_vs._authorization/

UPDATE: Someone pointed out that the above link no longer works. Here's an article somebody wrote while using the above link as a reference: http://www.srimax.com/index.php/do-you-need-api-keys-api-identity-vs-authorization/
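The identity-versus-authorization split in the answer, as an added server-side example (not code from the question or the answer): an API key only maps to a caller name and meters calls, so anyone holding the key is treated as that caller, while an OAuth-style bearer token carries scopes and an expiry that the resource can check. The client names, key, token and scope strings are constructed for the example.

```python
import hashlib
import hmac
import time
from collections import Counter

# Constructed sample data (hypothetical clients and tokens, not real credentials).
# API keys are stored only as SHA-256 digests so a leaked table does not leak usable keys.
API_KEY_DIGESTS = {
    hashlib.sha256(b"key-for-client-alpha").hexdigest(): "client-alpha",
}
# OAuth-style access tokens carry a subject, a set of scopes and an expiry (Unix time).
ACCESS_TOKENS = {
    "tok-alpha-readonly": {"sub": "client-alpha", "scope": {"reports:read"}, "exp": 4_102_444_800},
}
CALL_COUNTS = Counter()  # per-caller call volume: the metering use case from the answer


def identify_by_api_key(headers):
    """Identity only: map X-API-Key to a caller name and count the call.
    Whoever presents the key is treated as that caller (the sharing caveat in the answer)."""
    key = headers.get("X-API-Key")
    if key is None:
        return None
    digest = hashlib.sha256(key.encode()).hexdigest()
    for stored, caller in API_KEY_DIGESTS.items():
        # constant-time comparison so a mismatch does not leak where the digests differ
        if hmac.compare_digest(stored, digest):
            CALL_COUNTS[caller] += 1
            return caller
    return None


def authorize_bearer(headers, required_scope, now=None):
    """Authorization: check a Bearer token for validity, expiry and the scope the resource needs.
    Returns (status, caller): 401 missing/unknown/expired token, 403 scope missing, 200 allowed."""
    now = time.time() if now is None else now
    scheme, _, token = headers.get("Authorization", "").partition(" ")
    if scheme != "Bearer" or not token:
        return 401, None
    record = ACCESS_TOKENS.get(token)
    if record is None or record["exp"] <= now:
        return 401, None
    if required_scope not in record["scope"]:
        return 403, record["sub"]
    return 200, record["sub"]
```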
