REST API认证机制,做什么 [英] Rest API authentication mechanism, what to do
问题描述
我最近一直读了很多关于Web API认证机制和我是一个有点困惑就如何实现我的Web API认证机制,我想使用基于令牌身份验证,但我不知道,如果这是正确的选择。
I've been reading a lot lately about WEB API authentication mechanisms and I'm a little bit confused regarding how to implement my Web API authentication mechanism, I'm thinking on using Token based authentication but I'm not sure if it is the right choice.
基本上我的Web API将管理所需的所有操作,它会保存我的网站的(他们有分开的情况下),用户以及API的用户。
Basically my Web API will manage all the operations needed and it will store the users of my website as well the API users(in case they have to be separated).
我要支持以下
用户可以在我的网站,使用他们的G +或Facebook帐户或我的服务已创建的用户名注册的应用程序,以及他们将使用他们的社交帐户登录。
如果用户没有登录,他们将无法发布项目,但他们将能够看到的项目,认为像Craiglist上。
比方说,用户是开发者,他们希望通过发布他们创造的,而不是通过网站去,并在同一时间发布一个项目的一些软件项目,我怎么允许这样做?
现在,我的问题是:1)在我的网站用户注册,我必须创建一个(公钥/私钥),为它以后的访问令牌,从而为用户如果检查我可以用我的API从网站上他们有机会获得一定的终点?
User can register on my website and apps using their G+ or Facebook account or an already created username from my service, as well they will be to login using their social account. If the user is not logged in they won't be able to post Items but they will be able to see the Items, think something like Craiglist. Let's say the user is a developer and they want to post the items through some software they created instead of going through the website and posting one item at a time, how do I allow this? Now, my questions are: 1) When a user registers on my website, do I have to create a (public key/ secret key) for it subsequent access token , so I can use my API from the website as the user checking if they have access to certain endpoints?
2)我必须分配给我的网站(公钥/私钥),所以我可以使用的API时,在不登录的用户?
2) Do I have to assign a (public key / secret key) for my website so I can consume the API when the user is not logged in?
3)同上移动应用
4)如何让用户(使用G +或Facebook注册/登录)?如果他们登录使用任何社交网络我要去如何保护我的API?
4) How do I allow users to (sign up / sign in) using G+ or Facebook?, if they log in using any social network how am I going to secure my api?
请,任何回答将是非常美联社preciated。
Please, any answer will be really appreciated.
感谢
推荐答案
有关的ASP.NET Web API 2,我会建议你使用默认的Owin的OAuth2验证。这是认证的标准形式有据可查不够。如果你没有关于OAuth2用户足够的知识,阅读 RFC 。
For ASP.NET Web API 2, I would recommend you to use the default Owin OAuth2 authentication. It's a standard form of authentication well documented enough. If you do not have enough knowledge about OAuth2, read the RFC.
随着Web API 2,ASP.NET移动到一个新的安全模型,称为 ASP.NET身份 。有这样真的很好<一个href=\"http://app.pluralsight.com/training/player?author=dominick-baier&name=webapi-v2-security-m3-architecture&mode=live&clip=0&course=webapi-v2-security\"相对=nofollow>视频,解释的基础知识。问题的关键是,从零开始,忽视传统的基本,表单或Windows身份验证。
With Web API 2, ASP.NET moved to a new security model, called ASP.NET Identity. There is this really good video that explains the basics. The point is that starts from scratch, ignoring traditional basic, forms, or windows authentication.
很多的学习材料是关于ASP.NET 网站。
对于本地,个人账户(问题#1,#2,#3),透过这块的教程 - 在这里基本上是你自己的服务器将作为一个OAuth授权服务器,Owin的OAuth2实施会照顾生成访问令牌和验证他们。既然你将使用OAuth的2个标准,这将是基本的移动一样好。
A lot of learning material is on the ASP.NET website. For local, individual accounts (questions #1, #2, and #3), look through this tutorial - here basically your own server will act as an OAuth authorization server, and the Owin OAuth2 implementation will take care of generating access token and authenticating them. Since you'll be using the OAuth 2 standard, it will be basically the same for mobile as well.
有关外部账户(问题#4),通过这个阅读教程。有第三方认证官库的主要供应商:
For external accounts (question #4), read through this tutorial. There are official libraries for third-party authentication for the major providers:
- Microsoft.Owin.Security.Facebook
- Microsoft.Owin.Security.Google
- Microsoft.Owin.Security.Twitter
- Microsoft.Owin.Security.MicrosoftAccount
这将有助于还进一步了解和理解新的 OWIN 规范,描述Web应用程序需要如何为.NET Framework创建的,武士刀项目(微软的OWIN实现)。
It would helpful to also learn more and understand the new OWIN specification, that describes how web apps need to created for the .NET framework, and the Katana project (Microsoft's OWIN implementation).
这篇关于REST API认证机制,做什么的文章就介绍到这了,希望我们推荐的答案对大家有所帮助,也希望大家多多支持IT屋!
