API 设计:HTTP 基本身份验证与 API 令牌 [英] API Design: HTTP Basic Authentication vs API Token
问题描述
我目前正在为 Web 应用程序在公共 Web API 前面创建身份验证系统.鉴于每个用户帐户都有一个 API 密钥并且每个请求都必须经过身份验证,我有两种选择:
I'm currently creating an authentication system on front of a public web API for a web application. Given that each user account has an API key and each request must be authenticated, I have two alternatives:
使用 HTTP 基本身份验证,就像 GitHub 一样.
请求必须发送到 URL
Requests must be sent to the URL
http://api.example.com/resource/id
with basic authentication
username: token
password: the api key
将 API 令牌作为查询字符串参数传递.
Passing the API Token as querystring parameter.
请求必须发送到 URL
Requests must be sent to the URL
http://api.example.com/resource/id?token=api_key
还有第三个选项是在 URI 中传递令牌,但老实说,我不喜欢这种解决方案.
There's also a third option which is passing the token within the URI, but I honestly don't like that solution.
您会采用哪种解决方案?为什么?
Which solution would you adopt and why?
推荐答案
我认为 HTTP Basic Auth 应该没问题,但只是为了满足非常简单的需求.
I think that HTTP Basic Auth should be OK but just for really simple needs.
恕我直言,完整(也是最终)的解决方案是实施 OAuth 提供程序.它并不复杂,它是一个简单的协议,并为您提供了很大的灵活性.此外,它似乎是当前的趋势,因为许多大公司都在实施它,并且它得到了许多图书馆的支持.
The complete (and final) solution IMHO is to implement an OAuth provider. It's not complex, it's a simple protocol and gives you lots of flexibility. In addition it seems to be the current trend as many big players implement it and it's supported from many many libraries.
这篇关于API 设计:HTTP 基本身份验证与 API 令牌的文章就介绍到这了,希望我们推荐的答案对大家有所帮助,也希望大家多多支持IT屋!