What's the benefit of OAuth for securing REST APIs?


Question

I want to make a web application that's a single-page client that interacts with a REST API on the server. I need to authenticate users of my app, as opposed to authenticating third-party apps (the latter being the focus of most traditional REST bibliography).

After googling a lot, I found there are many options (Basic HTTP Auth, HTTP Digest, OAuth, etc.) and several desirable properties one might get depending on the one chosen. For example, Basic Auth is simple but sends plain passwords unencrypted, which is not a good idea unless you guarantee that your app will run under TLS. Digest, on the contrary, doesn't send the credentials on every request, but prevents strong password encryption and is vulnerable to man-in-the-middle attacks [1]. Meteor introduced SRP, which avoids storing and sending passwords [2].

It appears to me that the consensus is to use OAuth, particularly the OAuth2 credentials flow, since I want to authorize access to my resources on my own server [3][4][5]. What I don't get is what the benefits of this particular approach are. I do get the benefits of using OAuth as a form of delegated authentication, much like those of using OpenID for federated authentication: you don't handle authentication data at all in your server. But in the case where you apply the credentials flow for authorization (or the OAuth1 2-legged flow, for that matter), not introducing a third party, it looks like you still have to handle authentication by some other means, like HTTP Basic or Digest. So if you're doing that, why not stick to that method only, and send the credentials on every request instead of the token?

Is it just to reduce the number of requests where you have to actually send the credentials? Is it just to stick to the OAuth convention? Those don't sound like strong arguments over the other methods. So, am I missing some other aspects, or did I misunderstand something?

Answer

If you are not federating, there is not really a good case for using OAuth.

If you just want to authenticate to your own service, Basic or forms authentication is the way to go. The catch, as you've pointed out, is that you must use HTTPS. However, that applies to all authentication methods.

As long as you're using HTTPS, you can leave protection of credentials while in transit to the transport-level security. That's what it's there for and (for the most part) that's what it's good at. If you're using plain HTTP (anywhere in your application, not just for authentication), you're done. There are all manner of very clever MitM attacks that totally break the security of any system that employs HTTP anywhere (Moxie Marlinspike gave an interesting presentation on the subject at Black Hat back in 2009).
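The two options compared in the question and the answer above, as an added example that is not part of the original post or answer: the server side of HTTP Basic authentication checked on every request (the answer's recommendation), and the same credential check done exactly once to mint an opaque bearer token that later requests present instead of the password, which is the shape of the OAuth2 password-credentials grant the question refers to. The user store, token format, expiry handling and helper names are constructed for this example and are not from any library or standard; decoding the `Authorization` header also makes the answer's point concrete, since base64 is encoding, not encryption, so without TLS the password is visible to anyone on the path.

```python
from __future__ import annotations

import base64
import hashlib
import hmac
import os
import secrets
import time

# Hypothetical in-memory user store: username -> (salt, PBKDF2 hash).
# Basic auth delivers the cleartext password on each request, so the server
# only needs to be able to verify a password, never to recover it.
_PBKDF2_ITERATIONS = 200_000


def _hash_password(password: str, salt: bytes) -> bytes:
    return hashlib.pbkdf2_hmac("sha256", password.encode("utf-8"), salt, _PBKDF2_ITERATIONS)


def make_user_store(users: dict) -> dict:
    """Build the constructed store from {username: password}; each entry gets its own salt."""
    store = {}
    for name, password in users.items():
        salt = os.urandom(16)
        store[name] = (salt, _hash_password(password, salt))
    return store


def basic_header(user: str, password: str) -> str:
    """What a client sends: 'Basic ' + base64('user:password')."""
    return "Basic " + base64.b64encode(f"{user}:{password}".encode("utf-8")).decode("ascii")


def decode_basic_header(header: str):
    """Parse an Authorization header; returns (user, password) or None.
    Note that this recovers the password with no key at all: base64 is not encryption."""
    scheme, _, payload = header.partition(" ")
    if scheme.lower() != "basic" or not payload:
        return None
    try:
        raw = base64.b64decode(payload, validate=True).decode("utf-8")
    except (ValueError, UnicodeDecodeError):
        return None
    user, sep, password = raw.partition(":")
    if not sep:
        return None
    return user, password


def verify_credentials(store: dict, user: str, password: str) -> bool:
    """Per-request check for the Basic-auth-everywhere design.
    An unknown user still costs one PBKDF2 run, so timing does not reveal which usernames exist."""
    salt, expected = store.get(user, (bytes(16), b""))
    candidate = _hash_password(password, salt)
    return user in store and hmac.compare_digest(candidate, expected)


def issue_token(tokens: dict, store: dict, header: str, ttl_seconds: int = 3600, now=None):
    """Password-credentials style: verify the password once, return an opaque random token.
    After this the password never travels again; only the token does, and it can expire or be revoked."""
    creds = decode_basic_header(header)
    if creds is None or not verify_credentials(store, *creds):
        return None
    issued_at = now if now is not None else time.time()
    token = secrets.token_urlsafe(32)  # 256 bits of entropy; guessing is infeasible
    tokens[token] = (creds[0], issued_at + ttl_seconds)
    return token


def verify_bearer(tokens: dict, header: str, now=None):
    """Check 'Authorization: Bearer <token>'; returns the username or None. Expired tokens are dropped."""
    scheme, _, token = header.partition(" ")
    if scheme.lower() != "bearer" or token not in tokens:
        return None
    user, expires = tokens[token]
    if (now if now is not None else time.time()) >= expires:
        del tokens[token]
        return None
    return user


if __name__ == "__main__":
    store = make_user_store({"alice": "correct horse battery staple"})
    hdr = basic_header("alice", "correct horse battery staple")
    print("header on the wire:", hdr)
    print("trivially decoded  :", decode_basic_header(hdr))  # why TLS is mandatory
    print("basic check        :", verify_credentials(store, *decode_basic_header(hdr)))
    tokens = {}
    tok = issue_token(tokens, store, hdr, ttl_seconds=60)
    print("bearer check       :", verify_bearer(tokens, "Bearer " + tok))
```

Whichever branch you pick, the server holds only salted password hashes and the comparison is constant-time; what the token branch buys you is not transport protection (TLS does that in both designs) but that the password crosses the wire once, and a stolen token has a bounded lifetime and can be revoked without a password change.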
