Questions About Consuming Your Own API with OAuth


Question

I'm building a RESTful API for a project I'm working on and I'd like to make the main application consume the API because:


  1. It will result in one set of code to maintain

  2. Should we decide to expose the API to third-party developers, it will already be done

  3. It opens up the possibility of a mobile app consuming it

  4. I really want to learn how to do this

The API will be hosted on a subdomain https://api.example.com and the main web application will be hosted at the root domain https://example.com.

Conceptually I understand how everything works, but my main question is how the authentication flow will change, if at all. Ordinarily 3rd party apps would:


  1. Obtain a request token from https://api.example.com/request_token

  2. Redirect the user to authenticate on https://api.authenticate.com/authorize

  3. Get redirected back to the 3rd party application

  4. Obtain an access token from https://api.example.com/access_token

Since I control both domains, can I do something similar to:


  1. Obtain a request token when the user lands on the login screen at https://www.example.com

  2. The user authenticates using a form on https://www.example.com that calls the same code as https://api.example.com/authorize

  3. If the credentials are valid, the request token is swapped for the access token

  4. The access token is saved in the session and expires when the user logs out, like it normally would

Step 3 feels like it's wrong since there will be duplicate code, but wouldn't it open me up to XSS attacks if the login form on https://www.example.com sent the data to https://api.example.com, since they are technically different domains?

Am I overcomplicating this?

Answer

I have come across the same issue and solved it like this.

1. For third-party apps using my API, they have to authenticate via OAuth on all requests.

2. For my own third-party clients (mobile, AIR etc.), they use OAuth, with the difference that I allow these to send username and password directly in the authorization step (so I can make a native login dialogue). This is provided that your API is over SSL/HTTPS.

3. For my web application, I use cookie authentication to access the APIs, i.e. after having logged in, the user can simply call API URLs and get JSON/XML back. Nice for quickly exploring the APIs too (although a real API console like APIGee does a better job there).
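The three access paths the answer describes, and the question's "same code as /authorize" idea, sketched as one added Python example. This is not code from the question, the answer, or any real example.com service. Because the answer does not pin down an OAuth version, it assumes an OAuth 2.0 style authorization-code exchange for third parties (path 1), a password grant restricted to first-party client ids for the native clients (path 2), and a cookie session for the web application (path 3); the user store, client ids, redirect URI and the `AuthServer` class are all constructed for the example. Every path ends in the same `authenticate()` check on the resource side, which is the single set of code the question is after.

```python
import hashlib
import hmac
import secrets
import time
from dataclasses import dataclass, field


def hash_password(password: str, salt: bytes) -> bytes:
    """PBKDF2-SHA256; iteration count kept modest so the example runs quickly."""
    return hashlib.pbkdf2_hmac("sha256", password.encode(), salt, 100_000)


# Constructed user store for the example: username -> (salt, hash). Not real credentials.
_SALT = b"example-salt-not-for-production"
USERS = {"alice": (_SALT, hash_password("correct horse", _SALT))}


@dataclass
class AuthServer:
    """One server behind api.example.com that serves all three client types (assumed design)."""
    # First-party clients (the answer's mobile/AIR apps) may use the password grant.
    first_party_clients: set = field(default_factory=lambda: {"example-mobile"})
    # Third-party clients: client_id -> registered redirect URI; they only get the code flow.
    third_party_clients: dict = field(
        default_factory=lambda: {"partner-app": "https://partner.example/cb"})
    sessions: dict = field(default_factory=dict)    # session id -> username (web app cookie)
    tokens: dict = field(default_factory=dict)      # access token -> (username, client_id)
    auth_codes: dict = field(default_factory=dict)  # code -> (username, client_id, expiry)

    def check_password(self, username: str, password: str) -> bool:
        rec = USERS.get(username)
        if rec is None:
            hash_password(password, _SALT)  # same cost for unknown users as for wrong passwords
            return False
        salt, expected = rec
        return hmac.compare_digest(hash_password(password, salt), expected)

    # Path 3 (web app): the login form on example.com creates a cookie session.
    def web_login(self, username: str, password: str):
        if not self.check_password(username, password):
            return None
        sid = secrets.token_urlsafe(32)
        self.sessions[sid] = username
        return sid

    # Path 2 (own native clients): username+password sent directly, first-party client ids only.
    def password_grant(self, client_id: str, username: str, password: str):
        if client_id not in self.first_party_clients:
            return None
        if not self.check_password(username, password):
            return None
        return self._issue_token(username, client_id)

    # Path 1 (third parties): authorization-code flow. The user must already hold a web
    # session, i.e. /authorize reuses the same login the web app uses.
    def authorize(self, client_id: str, redirect_uri: str, sid: str):
        if self.third_party_clients.get(client_id) != redirect_uri:
            return None  # unknown client, or redirect_uri does not match the registered one
        username = self.sessions.get(sid)
        if username is None:
            return None  # caller should send the user to the login form first
        code = secrets.token_urlsafe(24)
        self.auth_codes[code] = (username, client_id, time.time() + 60)
        return f"{redirect_uri}?code={code}"

    def exchange_code(self, client_id: str, code: str):
        entry = self.auth_codes.pop(code, None)  # single use: any attempt burns the code
        if entry is None:
            return None
        username, issued_to, expiry = entry
        if issued_to != client_id or time.time() > expiry:
            return None
        return self._issue_token(username, client_id)

    def _issue_token(self, username: str, client_id: str) -> str:
        token = secrets.token_urlsafe(32)
        self.tokens[token] = (username, client_id)
        return token

    # Resource endpoints: one check that accepts either a session cookie or a bearer token.
    def authenticate(self, headers: dict):
        auth = headers.get("Authorization", "")
        if auth.startswith("Bearer "):
            entry = self.tokens.get(auth[len("Bearer "):])
            return entry[0] if entry else None
        for part in headers.get("Cookie", "").split(";"):
            name, _, value = part.strip().partition("=")
            if name == "sid":
                return self.sessions.get(value)
        return None
```

Because browsers attach cookies to a request no matter which site started it, the cookie path is the one where the API also needs a CSRF defence (a SameSite attribute on the session cookie, or a per-session token checked on state-changing calls); the two bearer-token paths do not, since the header is only sent by code that explicitly adds it.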
