OAuth (Access Token) vs API Key


Question


I have come across lots of articles, and many suggest using OAuth over API keys. From my understanding, in OAuth we finally get an access token, and it is valid for many days. One example: a QuickBooks Online OAuth token is valid for 6 months.


So, an access token is equivalent to an API key. Whoever gets it should keep it secure, similar to API keys. And OAuth calls should be made via HTTPS, similar to API-key-based calls.


Another advantage over OAuth is authorization. But we can do the same with the API key model. For example, we can define rules in our database such as: these API keys can access these APIs.


Now, what is the real advantage of OAuth? If we implement OAuth, we have to ask all our clients to install OAuth-supporting libraries on their servers. And it is a complex task for them and also for us. Whereas in the API key model it is a simple web call with no additional libraries or complexity.


My intention is just to understand OAuth better and not to compare and argue with the API key model.


Note:
I'm not talking about the Google & LinkedIn kind of model where users have to see and give permissions. I'm just talking about APIs that we provide to our own customers.

Thanks in advance for your help.

Accepted answer


You need OAuth only when you want to enable a user of your service to allow a third-party client application to access his/her data hosted in your service without revealing his/her credentials (ID & password) to the application.


What a pair of API key & API secret can do is just authenticate a client application. If it is okay for you to allow an authenticated client application to access a user's data without explicit consent from the user, you don't have to use OAuth.
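The distinction drawn in the answer (an API key authenticates the client application; an OAuth access token records what a specific user delegated to a specific client) can be made concrete with a small resource-server model. This is an added example, not code from the question, the answer, or any named product. It assumes opaque access tokens that the service stores by hash and looks up on each request (rather than signed JWTs), and all key values, client names, routes, scopes and timestamps are constructed for the demo.

```python
import hashlib
import secrets
from dataclasses import dataclass


def _h(secret: str) -> str:
    """Store only a hash of keys and tokens, never the secret itself."""
    return hashlib.sha256(secret.encode()).hexdigest()


# --- API-key model (constructed sample data) -------------------------------
# A key identifies the *client application* only. Authorization is a
# per-client rule table, exactly as the question describes.
API_KEYS = {
    _h("demo-key-reporting-app"): {"client_id": "reporting-app",
                                   "allowed_routes": {"GET /invoices"}},
    _h("demo-key-billing-app"):   {"client_id": "billing-app",
                                   "allowed_routes": {"GET /invoices", "POST /invoices"}},
}


def authorize_with_api_key(api_key: str, route: str):
    """Return the calling client_id if the key is valid and the route is
    allowed, else None. Note what is missing: no user identity and no record
    of consent; the service trusts the client with any customer data the
    route exposes."""
    rec = API_KEYS.get(_h(api_key))
    if rec is None or route not in rec["allowed_routes"]:
        return None
    return rec["client_id"]


# --- OAuth-style access token (opaque, looked up server-side) --------------
@dataclass(frozen=True)
class Grant:
    user_id: str        # resource owner who consented
    client_id: str      # third-party app the user delegated to
    scopes: frozenset   # what the user allowed, not what the client asked for
    expires_at: float   # unix time


TOKENS: dict[str, Grant] = {}   # hash(token) -> Grant


def issue_access_token(user_id, client_id, scopes, lifetime_s, now):
    """Called by the authorization server after the user consents. The
    client never sees the user's password; it only ever receives this token."""
    token = secrets.token_urlsafe(32)
    TOKENS[_h(token)] = Grant(user_id, client_id, frozenset(scopes), now + lifetime_s)
    return token


def revoke_user_grants(user_id):
    """User withdraws consent: every token issued on their behalf dies at once,
    without rotating any client's long-lived credential."""
    for key in [k for k, g in TOKENS.items() if g.user_id == user_id]:
        del TOKENS[key]


def authorize_with_access_token(token, required_scope, now):
    """Return (user_id, client_id) if the token is live and carries the scope."""
    g = TOKENS.get(_h(token))
    if g is None or now >= g.expires_at or required_scope not in g.scopes:
        return None
    return (g.user_id, g.client_id)


def demo():
    """Walk both models over the constructed data and return the outcomes."""
    now = 1_700_000_000.0   # constructed clock value
    results = {}
    # API key: billing-app may write invoices, but nothing says *whose*.
    results["key_billing_write"] = authorize_with_api_key("demo-key-billing-app", "POST /invoices")
    results["key_reporting_write"] = authorize_with_api_key("demo-key-reporting-app", "POST /invoices")
    # OAuth: alice lets reporting-app read (only read) her invoices for an hour.
    tok = issue_access_token("alice", "reporting-app", {"invoices:read"}, 3600, now)
    results["tok_read"] = authorize_with_access_token(tok, "invoices:read", now)
    results["tok_write"] = authorize_with_access_token(tok, "invoices:write", now)
    results["tok_expired"] = authorize_with_access_token(tok, "invoices:read", now + 3601)
    revoke_user_grants("alice")
    results["tok_revoked"] = authorize_with_access_token(tok, "invoices:read", now)
    return results


if __name__ == "__main__":
    for name, value in demo().items():
        print(f"{name}: {value}")
```

The point the two halves make side by side: the API-key check can only ever answer "which client is calling and is it allowed on this route", while the token check answers "which user allowed which client to do what, until when", and the user can withdraw that permission without touching the client's own credentials. If every caller is your own customer acting on its own data, the first answer is all you need, which is the answer's conclusion.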

