Simple, secure API authentication system

Problem description

I have a simple REST JSON API for other websites/apps to access some of my website's database (through a PHP gateway). Basically the service works like this: call example.com/fruit/orange, server returns JSON information about the orange. Here is the problem: I only want websites I permit to access this service. With a simple API key system, any website could quickly attain a key by copying the key from an authorized website's (potentially) client side code. I have looked at OAuth, but it seems a little complicated for what I am doing. Solutions?

Recommended answer

You should use OAuth.

There are actually two OAuth specifications, the 3-legged version and the 2-legged version. The 3-legged version is the one that gets most of the attention, and it's not the one you want to use.

The good news is that the 2-legged version does exactly what you want: it allows an application to grant access to another via either a shared secret key (very similar to Amazon's Web Service model; you will use the HMAC-SHA1 signing method) or via a public/private key system (use signing method: RSA-SHA1). The bad news is that it's not nearly as well supported yet as the 3-legged version, so you may have to do a bit more work than you otherwise might have to right now.

Basically, 2-legged OAuth just specifies a way to "sign" (compute a hash over) several fields which include the current date, a random number called "nonce," and the parameters of your request. This makes it very hard to impersonate requests to your web service.

OAuth is slowly but surely becoming an accepted standard for this kind of thing -- you'll be best off in the long run if you embrace it because people can then leverage the various libraries available for doing that.

It's more elaborate than you would initially want to get into - but the good news is that a lot of people have spent a lot of time on it, so you know you haven't forgotten anything. A great example is that very recently Twitter found a gap in the OAuth security which the community is currently working on closing. If you'd invented your own system, you'd have to figure out all this stuff on your own.

Good luck!

Chris
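The signing scheme the answer describes (timestamp, nonce and request parameters hashed with HMAC-SHA1 under a shared secret, RFC 5849 style) as an added example that is not part of the original answer: a client-side signer plus the server-side checks a gateway would run before serving the JSON. The consumer key, secret, URL, nonce and timestamp values are constructed for the example; the `Verifier` class and its in-memory nonce set are an assumption of this illustration, not a library API.

```python
import base64
import hashlib
import hmac
import urllib.parse

def _enc(s):
    # RFC 5849 percent-encoding: only unreserved characters are left untouched.
    return urllib.parse.quote(str(s), safe="-._~")

def signature_base_string(method, url, params):
    # Encode, sort by name then value, join as METHOD&enc(url)&enc(normalized params).
    pairs = sorted((_enc(k), _enc(v)) for k, v in params.items())
    return "&".join([method.upper(), _enc(url), _enc("&".join(f"{k}={v}" for k, v in pairs))])

def hmac_sha1_signature(method, url, params, consumer_secret, token_secret=""):
    # 2-legged OAuth carries no access token, so the second half of the key is empty.
    key = f"{_enc(consumer_secret)}&{_enc(token_secret)}".encode()
    mac = hmac.new(key, signature_base_string(method, url, params).encode(), hashlib.sha1)
    return base64.b64encode(mac.digest()).decode()

def sign_request(method, url, query, consumer_key, consumer_secret, nonce, timestamp):
    # Client side: add the oauth_* fields, then sign everything, query parameters included.
    params = dict(query, oauth_consumer_key=consumer_key, oauth_nonce=nonce, oauth_version="1.0",
                  oauth_signature_method="HMAC-SHA1", oauth_timestamp=str(timestamp))
    params["oauth_signature"] = hmac_sha1_signature(method, url, params, consumer_secret)
    return params

class Verifier:
    # Server side (constructed helper): recompute with the stored secret, compare in constant
    # time, and reject stale timestamps or reused nonces so a captured request cannot be replayed.
    def __init__(self, secrets, window=300):
        self.secrets, self.window, self.seen = secrets, window, set()

    def verify(self, method, url, params, now):
        secret = self.secrets.get(params.get("oauth_consumer_key"))
        if secret is None or params.get("oauth_signature_method") != "HMAC-SHA1":
            return False
        if not params.get("oauth_timestamp", "").isdigit():
            return False
        ts = int(params["oauth_timestamp"])
        nonce_id = (params["oauth_consumer_key"], params.get("oauth_nonce"), ts)
        if abs(now - ts) > self.window or nonce_id in self.seen:
            return False
        unsigned = {k: v for k, v in params.items() if k != "oauth_signature"}
        expected = hmac_sha1_signature(method, url, unsigned, secret)
        if not hmac.compare_digest(expected, params.get("oauth_signature", "")):
            return False
        self.seen.add(nonce_id)
        return True
```

A real gateway would keep the nonce set in shared storage with expiry matching the timestamp window, and would look up the consumer secret server-side only, so nothing secret ever ships in client-side code.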
