API Keys vs HTTP Authentication vs OAuth in a RESTful API


Question

I'm working on building a RESTful API for one of the applications I maintain. We're currently looking to build various things into it that require more controlled access and security. While researching how to go about securing the API, I found a few different opinions on what form to use. I've seen some resources say HTTP-Auth is the way to go, while others prefer API keys, and even others (including the questions I found here on SO) swear by OAuth.

Then, of course, the ones that prefer, say, API keys, say that OAuth is designed for applications getting access on behalf of a user (as I understand it, such as signing into a non-Facebook site using your Facebook account), and not for a user directly accessing resources on a site they've specifically signed up for (such as the official Twitter client accessing the Twitter servers). However, the recommendations for OAuth seem to be even for the most basic of authentication needs.

My question, then, is - assuming it's all done over HTTPS, what are some of the practical differences between the three? When should one be considered over the others?

Accepted answer

It depends on your needs. Do you need:

  • Identity - who claims to be making the API request?
  • Authentication - are they really who they say they are?
  • Authorization - are they allowed to do what they are trying to do?

Or all three?

If you just need to identify the caller to keep track of volume or number of API calls, use a simple API key. Bear in mind that if the user you have issued the API key to shares it with someone else, they will be able to call your API as well.

But, if you need authorization as well, that is, you need to provide access only to certain resources based on the caller of the API, then use OAuth.

Here's a good description: http://www.srimax.com/index.php/do-you-need-api-keys-api-identity-vs-authorization/
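To make the identity-versus-authorization distinction from the answer concrete, here is an added Python example (not part of the original answer) contrasting a plain API key, which only identifies and meters the caller, with a scoped bearer token, which also decides what the caller may do. The credential store, the key, the token and the scope names are constructed for illustration.

```python
import hashlib
import hmac
import time
from collections import Counter

# Constructed credential store (sample data, not from the original post).
# API keys are kept as SHA-256 digests so a leaked store yields no usable keys.
API_KEY_DIGESTS = {
    hashlib.sha256(b"key-for-alice").hexdigest(): "alice",
}
# OAuth-style bearer tokens carry scopes; the token string is a constructed opaque value.
TOKENS = {
    "tok-bob-readonly": {"sub": "bob", "scopes": {"reports:read"}, "exp": 9_999_999_999},
}
# Scope required for each (resource, action) pair.
REQUIRED_SCOPE = {("reports", "GET"): "reports:read", ("reports", "DELETE"): "reports:delete"}

call_counts = Counter()  # per-caller volume, which is all a plain API key is good for

def identify_by_api_key(key):
    """Identity only: whoever presents the key is treated as its owner (or None)."""
    digest = hashlib.sha256(key.encode()).hexdigest()
    for stored, owner in API_KEY_DIGESTS.items():
        if hmac.compare_digest(stored, digest):  # constant-time comparison
            return owner
    return None

def authorize_by_token(token, resource, action, now=None):
    """Authorization: returns (subject, allowed); scopes bound what the subject may do."""
    now = time.time() if now is None else now
    info = TOKENS.get(token)
    if info is None or info["exp"] < now:
        return None, False
    return info["sub"], REQUIRED_SCOPE.get((resource, action)) in info["scopes"]

def handle(headers, resource, action):
    """Dispatch on the credential presented; returns an (HTTP status, caller) tuple."""
    if "X-API-Key" in headers:
        caller = identify_by_api_key(headers["X-API-Key"])
        if caller is None:
            return 401, None
        call_counts[caller] += 1
        return 200, caller  # identified and metered, but never restricted per resource
    if headers.get("Authorization", "").startswith("Bearer "):
        subject, ok = authorize_by_token(headers["Authorization"][7:], resource, action)
        if subject is None:
            return 401, None
        return (200 if ok else 403), subject
    return 401, None
```

Note that a DELETE presented with alice's API key succeeds and is simply counted against alice, which is exactly the sharing caveat the answer raises; the same DELETE with bob's read-only token is refused with 403.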
