API Design: HTTP Basic Authentication vs API Token


Problem description

I'm currently creating an authentication system in front of a public web API for a web application. Given that each user account has an API key and each request must be authenticated, I have two alternatives:

  1. Use HTTP Basic Authentication, like GitHub does.

Requests must be sent to the URL

http://api.example.com/resource/id
with basic authentication
username: token
password: the api key

  2. Passing the API Token as a query string parameter.

    Requests must be sent to the URL

    http://api.example.com/resource/id?token=api_key
    

    There's also a third option which is passing the token within the URI, but I honestly don't like that solution.

    Which solution would you adopt and why?
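
An added example, not part of the original question or answer: one way a server could accept both alternatives described above, parsing the Basic header with the fixed username `token` or the `token` query parameter, and comparing keys in constant time. Because the second alternative puts the key in the URL, the sketch also masks it before the URL is written to a log. The key store, sample keys and function names are assumptions made for the illustration.

```python
import base64
import hmac
from urllib.parse import parse_qsl, urlencode, urlsplit, urlunsplit

# Constructed key store (account -> API key); the values are sample data.
API_KEYS = {"alice": "sample-key-0001", "bob": "sample-key-0002"}


def key_from_basic(headers):
    """Option 1: Authorization: Basic base64("token:<api key>")."""
    scheme, _, blob = headers.get("Authorization", "").partition(" ")
    if scheme.lower() != "basic":
        return None
    try:
        decoded = base64.b64decode(blob.strip(), validate=True).decode("utf-8")
    except ValueError:  # covers malformed base64 and invalid UTF-8
        return None
    user, sep, password = decoded.partition(":")
    # The question fixes the username to the literal string "token".
    return password if sep and user == "token" else None


def key_from_query(url):
    """Option 2: ...?token=<api key>; a repeated parameter is rejected."""
    values = [v for k, v in parse_qsl(urlsplit(url).query) if k == "token"]
    return values[0] if len(values) == 1 else None


def loggable_url(url):
    """Return the URL with any token parameter masked, for access logs."""
    parts = urlsplit(url)
    query = [(k, "REDACTED" if k == "token" else v)
             for k, v in parse_qsl(parts.query, keep_blank_values=True)]
    return urlunsplit(parts._replace(query=urlencode(query)))


def authenticate(url, headers):
    """Return the account that owns the presented key, or None."""
    candidate = key_from_basic(headers) or key_from_query(url)
    if candidate is None:
        return None
    account = None
    for name, key in API_KEYS.items():
        # compare_digest keeps the comparison time independent of the match position.
        if hmac.compare_digest(candidate.encode(), key.encode()):
            account = name
    return account
```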

    Recommended answer

    I think that HTTP Basic Auth should be OK but just for really simple needs.

    The complete (and final) solution IMHO is to implement an OAuth provider. It's not complex, it's a simple protocol and gives you lots of flexibility. In addition, it seems to be the current trend, as many big players implement it and it's supported by many, many libraries.
