Which authentication strategy should I use for my API?


Question

I have a client-side angular-js application, and I have a server-side nodejs API. The client-side and the server-side application are located on different domains. The client side uses the API for getting or posting some data. The client side also needs to get images from the server side and show them in the browser.

I use the passport nodejs module for authentication. I don't know which authentication strategy is better for me. I think that there are two types of authentication strategies: token-based and cookie-based. And I think that both types are useless in my case:

  1. If I use a token-based strategy, then I should send an authentication header with the token to the API in each request. I can send headers in AJAX requests, but if I want to show images that are located on the server side, I have a problem, because the browser does not send headers with requests made by image tags.

  2. If I use cookies, then I don't have the problem with images, but I have problems with AJAX requests, because the session cookie is stored on the server-side application's domain. If I send AJAX requests from the client-side domain, then I should send cookies with each request. I use XmlHttpRequest for AJAX and I should use the withCredentials option for sending cookies. But in cross-domain requests browsers will send a preflight (OPTIONS) request before each AJAX request, and browsers will not send cookies with the OPTIONS request. This is a problem for me because the server-side API cannot make a correct response to an OPTIONS request if it is not authorized.

What is the adopted solution?

Answer

It is important to understand the difference between web applications and web services. A web application serves markup, JavaScript, CSS and image files and often uses cookie-based authentication (but can use any other implicit authentication mechanism). Any request the browser makes is automatically authenticated.

Web services, on the other hand, often use bearer token authentication. When a client in a browser, a fat client or a mobile device communicates with the API, it sends along a token in the Authorization header of the HTTP request. The header has to be explicitly attached to the request in the JavaScript or native code executing the HTTP request.

In Single Page Applications (SPA), the web application is missing and the markup, JavaScript, CSS and images are served to the browser without authentication. Only the requests to the web services are authenticated, typically using a JWT token.

In your case, if you want only authorized users to be able to download images and other files, you should consider building a web application. Use a security protocol such as OpenID Connect to authenticate your users. Choose an authorization server that supports both OpenID Connect for your web application and OAuth2 for your web service.
