2-legged OAuth and REST


Question

I would like to put a web service, at the moment on an intranet of my company, on the internet, to make partners able to access information provided by the web service. At the moment, the web service is in an SOA, and I decided to move everything to a RESTful web service, so in a web-oriented architecture. I'm considering some security aspects I should take into account to do this operation.

I don't know which solution can be more useful in my case. I've already looked for HMAC and OAuth information, but I would like to know if it is possible to use OAuth without introducing a third party.

For example, a partner wants to sign in to the web site and then continue the navigation; is 2-legged OAuth useful for my needs? Are there other useful security solutions to do this operation?

Thanks a lot.

Accepted answer

Yes, OAuth supports a "2-legged" case; just omit the oauth_token parameter, and then use either HMAC-SHA1 (shared secret) or RSA-SHA1 (public key) as desired. It's worth noting that the signatures do not cover everything an API client might send; they don't cover the body of PUT requests or the body of POST requests that aren't form submissions.

You may want to investigate simply using HTTPS + Basic Auth, as this lets you leverage lots of off-the-shelf software (Apache or equivalent) without having to introduce signing libraries into your client and server.
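As an added example, not code from the original answer or from any OAuth library, here is a minimal client/server pair for the 2-legged HMAC-SHA1 case the answer describes: no oauth_token is sent, the signing key is the consumer secret followed by "&" (empty token secret), and the server recomputes the signature over what it actually received. The hostname, consumer key/secret and request bodies are constructed sample values. It also makes the answer's caveat concrete: a form-encoded POST body is part of the signature, a JSON PUT body is not.

```python
import base64
import hashlib
import hmac
import secrets
import time
from urllib.parse import parse_qsl, quote, unquote, urlsplit

def pct(s):
    # OAuth 1.0 percent-encoding: only RFC 3986 unreserved characters stay bare
    return quote(str(s), safe="-._~")

def body_params(content_type, body):
    # Only a form-encoded body is signed; a JSON/XML body lies outside the signature (the answer's caveat)
    if content_type == "application/x-www-form-urlencoded":
        return dict(parse_qsl(body, keep_blank_values=True))
    return {}

def signature_base_string(method, url, params):
    # METHOD & base-URL & normalized parameters (query string + oauth_* + form body), sorted
    parts = urlsplit(url)
    base_url = f"{parts.scheme.lower()}://{parts.netloc.lower()}{parts.path}"
    pairs = list(parse_qsl(parts.query, keep_blank_values=True)) + list(params.items())
    normalized = "&".join(f"{k}={v}" for k, v in sorted((pct(k), pct(v)) for k, v in pairs))
    return "&".join([method.upper(), pct(base_url), pct(normalized)])

def hmac_sha1(consumer_secret, base):
    key = pct(consumer_secret) + "&"  # 2-legged: the token secret after '&' is empty
    return base64.b64encode(hmac.new(key.encode(), base.encode(), hashlib.sha1).digest()).decode()

def sign_request(method, url, key, secret, content_type=None, body="", nonce=None, ts=None):
    # Client side: build the Authorization header with no oauth_token (2-legged)
    oauth = {
        "oauth_consumer_key": key,
        "oauth_nonce": nonce or secrets.token_hex(8),
        "oauth_signature_method": "HMAC-SHA1",
        "oauth_timestamp": str(ts if ts is not None else int(time.time())),
        "oauth_version": "1.0",
    }
    base = signature_base_string(method, url, {**oauth, **body_params(content_type, body)})
    oauth["oauth_signature"] = hmac_sha1(secret, base)
    return "OAuth " + ", ".join(f'{pct(k)}="{pct(v)}"' for k, v in oauth.items())

def verify_request(method, url, header, secret, content_type=None, body=""):
    # Server side: parse the header, recompute over what was actually received, compare in constant time
    oauth = {}
    for part in header.partition(" ")[2].split(", "):
        k, v = part.split("=", 1)
        oauth[unquote(k)] = unquote(v.strip('"'))
    presented = oauth.pop("oauth_signature", "")
    base = signature_base_string(method, url, {**oauth, **body_params(content_type, body)})
    return hmac.compare_digest(presented, hmac_sha1(secret, base))
```

A real server would additionally reject stale timestamps and replayed nonces; if the body must be protected, the simplest route is the answer's other suggestion, HTTPS, which covers the whole request.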
