REST API认证令牌 [英] REST API authentication tokens

问题描述

我从头开始构建我的第一个REST API，我试图了解处理API令牌的最佳方式。我不是在谈论用户验证（我将使用OAuth为）。我说的是，一个应用程序使用，以确定自己让自己的API可以决定应用程序是否被允许使用的API在首位公开/私有标记。

I'm building my first REST API from scratch and am trying to understand the best way to handle API tokens. I'm not talking about "user authentication" (I would be using OAuth for that). I'm talking about public/private tokens that an application uses to identify itself so that my API can decide whether or not the application is allowed to use the API in the first place.

一些API资源可与有效令牌（S）的人，以及一些需要OAuth认证。我将通过HTTPS的API进行通信，但我还是想确保我下面某种标准的令牌传递来回。

Some API resources will be available to anyone with valid token(s), and some will require OAuth authentication. I will be communicating with the API over HTTPS, but I still want to make sure I am following some sort of standard for passing tokens back and forth.

推荐答案

您实际上是在谈论用户认证，信不信由你。

You actually are talking about user authentication, believe it or not.

我在谈论的是一个应用程序使用的公共/私有标记
  找出自己让自己的API可以决定是否将
  允许应用程序使用API​​摆在首位。

I'm talking about public/private tokens that an application uses to identify itself so that my API can decide whether or not the application is allowed to use the API in the first place.

这是用户身份验证 - 它只是用户是应用程序调用的API的

That's user authentication - it's just that the "user" is the application calling your APIs.

如果OAuth是不够的，你需要的一切（它可能，你应该检查！），你不应该开始添加另一种自定义的验证方法为HTTPS。相反，站在巨人的肩膀上，并使用基本身份验证，因为的这就是它是的。你的工具，系统管理员和API的客户会感谢你的。

If OAuth isn't enough to do everything you need (and it might, you should check!), you shouldn't start adding yet another custom authentication method to HTTPS. Instead, stand on the shoulders of giants and use Basic Authentication, because that's what it's for. Your tools, sysadmins and API clients will thank you for it.

这篇关于REST API认证令牌的文章就介绍到这了，希望我们推荐的答案对大家有所帮助，也希望大家多多支持IT屋！