OAuth's tokens and sessions in REST


Question

The other minute I read an article on OAuth. It described especially the tokens being exchanged between client and service provider during a series of requests.

The article also mentioned that OAuth gains significant popularity in RESTful APIs as authorization layer. As I understood, REST should be kept completely stateless.

The question: Doesn't this repeated token exchange torpedo REST's "being stateless" principle? IMHO the tokens can be seen as a kind of session ID, can't they?

Answer

OAuth tokens are explicitly a session identifier, interaction is not stateless between requests in the OAuth token negotiation protocol as the requests must be performed in a specific sequence, and they do require per-client storage on the server as you need to track things like when they were issued. So yes, OAuth does violate the strict principles of a RESTful architecture.

Unfortunately there's the Real World™ to contend with where we need to do things like allow applications to authenticate on the behalf of individuals without requesting their password, which OAuth does fairly well. It would be impossible to implement a similarly secure authentication scheme without this kind of state. Indeed, one of the changes required by OAuth (1.0a) was to add more state to the token negotiation protocol to mitigate a security risk.

So, does it torpedo REST's stateless principle? Yes. Does that matter? Not unless you live in an ivory tower :-)
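The server-side state the answer describes, as an added illustration that is not part of the original answer and not the OAuth specification: a hypothetical authorization server that mints a single-use, short-lived authorization code, exchanges it for an access token only in that order and only for the client the code was issued to, records the issue time of every token, and lets a resource server check a bearer token against that record (expiry and revocation). The class and method names, the time-to-live values and the token format are my own assumptions.

```python
"""Hypothetical OAuth-style token state (added example, not the page's code).

Everything a resource server needs to decide whether a bearer token is still
good lives in the authorization server's per-client records: who the token was
issued to, when, for what scope, and whether it has since been revoked. That
record, plus the ordering constraint (a code must be issued before it can be
exchanged, and only once), is exactly the state the answer says REST purism
would rather not have.
"""
import hmac
import secrets
import time
from dataclasses import dataclass
from typing import Callable, Dict, Optional


@dataclass
class TokenRecord:
    client_id: str
    issued_at: float
    expires_at: float
    scope: str
    revoked: bool = False


class AuthorizationServer:
    CODE_TTL = 60       # seconds an authorization code stays exchangeable (assumed value)
    TOKEN_TTL = 3600    # seconds an access token stays valid (assumed value)

    def __init__(self, clock: Callable[[], float] = time.time) -> None:
        self._clock = clock                          # injectable so tests can move time
        self._codes: Dict[str, TokenRecord] = {}     # outstanding, not-yet-used codes
        self._tokens: Dict[str, TokenRecord] = {}    # issued access tokens

    def issue_code(self, client_id: str, scope: str) -> str:
        """Step 1: after the user approves, mint a short-lived authorization code."""
        code = secrets.token_urlsafe(24)
        now = self._clock()
        self._codes[code] = TokenRecord(client_id, now, now + self.CODE_TTL, scope)
        return code

    def exchange_code(self, client_id: str, code: str) -> str:
        """Step 2: swap the code for an access token.

        The code must exist (so the steps happened in order), must not have been
        used before (pop() makes it single use), must belong to the presenting
        client, and must not have expired.
        """
        rec = self._codes.pop(code, None)
        if rec is None:
            raise PermissionError("unknown or already-used authorization code")
        if not hmac.compare_digest(rec.client_id.encode(), client_id.encode()):
            raise PermissionError("code was issued to a different client")
        if self._clock() > rec.expires_at:
            raise PermissionError("authorization code expired")
        token = secrets.token_urlsafe(32)
        now = self._clock()
        self._tokens[token] = TokenRecord(client_id, now, now + self.TOKEN_TTL, rec.scope)
        return token

    def revoke(self, token: str) -> None:
        """Revocation is only possible because the server remembers the token."""
        if token in self._tokens:
            self._tokens[token].revoked = True

    def introspect(self, token: str) -> Optional[TokenRecord]:
        """Resource-server check: consult the stored record; None means reject."""
        rec = self._tokens.get(token)
        if rec is None or rec.revoked or self._clock() > rec.expires_at:
            return None
        return rec


def demo() -> dict:
    """Walk the sequence with a fake clock and report each check's outcome."""
    now = [1_000_000.0]
    srv = AuthorizationServer(clock=lambda: now[0])
    out = {}

    # Out-of-order request: exchanging a code that was never issued fails.
    try:
        srv.exchange_code("app-1", "made-up-code")
        out["unissued_code_rejected"] = False
    except PermissionError:
        out["unissued_code_rejected"] = True

    code = srv.issue_code("app-1", "read")
    token = srv.exchange_code("app-1", code)
    out["token_valid"] = srv.introspect(token) is not None

    # Replaying the same code is rejected: it was consumed on first use.
    try:
        srv.exchange_code("app-1", code)
        out["replay_rejected"] = False
    except PermissionError:
        out["replay_rejected"] = True

    # A code issued to app-1 cannot be exchanged by app-2.
    code2 = srv.issue_code("app-1", "read")
    try:
        srv.exchange_code("app-2", code2)
        out["wrong_client_rejected"] = False
    except PermissionError:
        out["wrong_client_rejected"] = True

    # Issue time is tracked, so expiry can be enforced server-side.
    now[0] += AuthorizationServer.TOKEN_TTL + 1
    out["expired_token_rejected"] = srv.introspect(token) is None

    # Revocation of a still-fresh token.
    token2 = srv.exchange_code("app-1", srv.issue_code("app-1", "write"))
    srv.revoke(token2)
    out["revoked_token_rejected"] = srv.introspect(token2) is None
    return out


if __name__ == "__main__":
    for check, ok in demo().items():
        print(f"{check}: {'ok' if ok else 'FAIL'}")
```

The fake clock passed to `AuthorizationServer` exists only so the expiry path can be exercised deterministically; in production the default `time.time` is used. Every rejection in `demo()` depends on something the server remembered between requests, which is the answer's point in code form.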
