Questions About Consuming Your Own API with OAuth
Question
I'm building a RESTful API for a project I'm working on and I'd like to make the main application consume the API because:
- It will result in a single set of code to maintain
- Should we decide to expose the API to third-party developers, it will already be done
- It opens up the possibility of consuming it from a mobile application
- I really want to learn how to do this
The API will be hosted on a subdomain, https://api.example.com, and the main web application will be hosted at the root domain, https://example.com.
Conceptually I understand how everything works, but my main question is how the authentication flow will change, if at all. Ordinarily 3rd party apps would:
- Obtain a request token from https://api.example.com/request_token
- Redirect the user to authenticate on https://api.authenticate.com/authorize
- Get redirected back to the 3rd party application
- Obtain an access token from https://api.example.com/access_token
Since I control both domains, can I do something similar to:
- Obtain a request token when the user lands on the login screen at https://www.example.com
- The user authenticates using a form on https://www.example.com that calls the same code as https://api.example.com/authorize
- If the credentials are valid, the request token is swapped for the access token
- The access token is saved in the session and expires when the user logs out, like it normally would
Step 3 feels like it's wrong since there will be duplicate code, but wouldn't it open me up to XSS attacks if the login form on https://www.example.com sent the data to https://api.example.com, since they are technically different domains?
Am I overcomplicating this?
Answer
I have come across the same issue and solved it like this.
1. For third-party apps using my API, they have to authenticate via OAuth on all requests.
2. For my own third-party clients (mobile, AIR etc.), they use OAuth, with the difference that I allow these to send username and password directly in the authorization step (so I can make a native login dialogue). This is provided that your API is over SSL/HTTPS.
3. For my web application, I use cookie authentication to access the APIs. I.e. after having logged in, the user can simply call API URLs and get JSON/XML back. Nice for quickly exploring the APIs too (although a real API console like APIGee does a better job there).
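As an added illustration of points 1 and 3 above (this is example code, not the answerer's), here is a minimal Python authentication check for an API that accepts either an OAuth bearer token from third-party clients or the first-party web app's session cookie. The token store, session store and first-party origin list are constructed placeholders; because a browser attaches cookies to any request regardless of where it came from, the cookie path additionally requires state-changing requests to carry a first-party Origin header.

```python
import hmac
from dataclasses import dataclass, field
from typing import Optional

# Constructed sample stores; a real deployment would back these with a database.
OAUTH_ACCESS_TOKENS = {"tok-3rdparty-abc": "alice"}   # access token -> user (third-party clients)
WEB_SESSIONS = {"sess-web-123": "bob"}                # session cookie value -> user (first-party web app)
# Origins allowed to make cookie-authenticated, state-changing calls to api.example.com.
FIRST_PARTY_ORIGINS = {"https://example.com", "https://www.example.com"}


@dataclass
class Request:
    method: str
    headers: dict = field(default_factory=dict)
    cookies: dict = field(default_factory=dict)


def _lookup(store: dict, presented: str) -> Optional[str]:
    # Compare against every stored credential in constant time to avoid timing leaks.
    found = None
    for stored, user in store.items():
        if hmac.compare_digest(stored, presented):
            found = user
    return found


def authenticate(req: Request) -> Optional[str]:
    """Return the authenticated user, or None if the request is rejected.

    Path 1: third-party clients present an OAuth bearer token (answer's point 1).
    Path 2: the first-party web app presents its session cookie (answer's point 3).
    """
    auth = req.headers.get("Authorization", "")
    if auth.startswith("Bearer "):
        return _lookup(OAUTH_ACCESS_TOKENS, auth[len("Bearer "):])

    sid = req.cookies.get("session")
    if sid is None:
        return None
    user = _lookup(WEB_SESSIONS, sid)
    if user is None:
        return None
    # Cookies are sent automatically, so a cross-site page could trigger this call;
    # for non-safe methods insist that the browser-supplied Origin is one of ours.
    if req.method not in ("GET", "HEAD", "OPTIONS"):
        if req.headers.get("Origin") not in FIRST_PARTY_ORIGINS:
            return None
    return user
```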