Simple, secure API authentication system


Question

I have a simple REST JSON API for other websites/apps to access some of my website's database (through a PHP gateway). Basically the service works like this: call example.com/fruit/orange, server returns JSON information about the orange. Here is the problem: I only want websites I permit to access this service. With a simple API key system, any website could quickly attain a key by copying the key from an authorized website's (potentially) client side code. I have looked at OAuth, but it seems a little complicated for what I am doing. Solutions?

Answer

You should use OAuth.

There are actually two OAuth specifications, the 3-legged version and the 2-legged version. The 3-legged version is the one that gets most of the attention, and it's not the one you want to use.

The good news is that the 2-legged version does exactly what you want: it allows an application to grant access to another via either a shared secret key (very similar to Amazon's Web Service model; you will use the HMAC-SHA1 signing method) or via a public/private key system (use signing method: RSA-SHA1). The bad news is that it's not nearly as well supported as the 3-legged version yet, so you may have to do a bit more work than you otherwise might have to right now.

Basically, 2-legged OAuth just specifies a way to "sign" (compute a hash over) several fields which include the current date, a random number called a "nonce", and the parameters of your request. This makes it very hard to impersonate requests to your web service.

OAuth is slowly but surely becoming an accepted standard for this kind of thing. You'll be best off in the long run if you embrace it, because people can then leverage the various libraries available for doing that.

It's more elaborate than you would initially want to get into, but the good news is that a lot of people have spent a lot of time on it, so you know you haven't forgotten anything. A great example is that very recently Twitter found a gap in the OAuth security which the community is currently working on closing. If you'd invented your own system, you'd have to figure out all this stuff on your own.

Good luck!

Chris
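A worked example of the 2-legged, HMAC-SHA1 signed request the answer describes, added here as an illustration and not part of the original answer or of any library. The client builds the RFC 5849 signature base string from the HTTP method, the normalized URL, the timestamp, the nonce and the request parameters, and signs it with the shared secret; the gateway recomputes the same string from the secret it holds, checks the timestamp window, and refuses a nonce it has already seen so a captured request cannot be replayed. The consumer key and secret, the example.com URLs and the Verifier class are constructed for the demo.

```python
import base64
import hashlib
import hmac
import secrets
import time
from urllib.parse import parse_qsl, quote, urlsplit

# Constructed demo credentials (not from the original post). The secret is handed
# to each permitted site out of band and must never ship in client-side code.
CONSUMER_KEY = "fruit-site-a"
CONSUMER_SECRET = "s3cr3t-shared-out-of-band"

def percent_encode(value):
    """RFC 5849 section 3.6 encoding: only unreserved characters stay bare."""
    return quote(str(value), safe="")

def normalize_url(url):
    """Base-string URI: lowercase scheme and host, default port dropped, no query."""
    parts = urlsplit(url)
    scheme, host, port = parts.scheme.lower(), parts.hostname.lower(), parts.port
    if port and not ((scheme == "http" and port == 80) or (scheme == "https" and port == 443)):
        host = f"{host}:{port}"
    return f"{scheme}://{host}{parts.path or '/'}"

def signature_base_string(method, url, params):
    """RFC 5849 section 3.4.1: METHOD & enc(base URL) & enc(sorted name=value pairs).
    `params` holds (name, value) pairs from the query string, the oauth_* fields
    and any form body; oauth_signature itself is left out of the string it signs."""
    pairs = sorted((percent_encode(k), percent_encode(v)) for k, v in params if k != "oauth_signature")
    normalized = "&".join(f"{k}={v}" for k, v in pairs)
    return "&".join([method.upper(), percent_encode(normalize_url(url)), percent_encode(normalized)])

def hmac_sha1_signature(base_string, consumer_secret, token_secret=""):
    """Key is enc(consumer secret) & enc(token secret); 2-legged calls have no token."""
    key = f"{percent_encode(consumer_secret)}&{percent_encode(token_secret)}".encode()
    return base64.b64encode(hmac.new(key, base_string.encode(), hashlib.sha1).digest()).decode()

def _all_params(url, oauth_params, body_params):
    query = parse_qsl(urlsplit(url).query, keep_blank_values=True)
    return query + list(oauth_params.items()) + list((body_params or {}).items())

def sign_request(method, url, consumer_key, consumer_secret, body_params=None, timestamp=None, nonce=None):
    """Client side: build the oauth_* parameters for one 2-legged request."""
    oauth_params = {
        "oauth_consumer_key": consumer_key,
        "oauth_signature_method": "HMAC-SHA1",
        "oauth_timestamp": str(int(time.time()) if timestamp is None else timestamp),
        "oauth_nonce": secrets.token_hex(16) if nonce is None else nonce,
        "oauth_version": "1.0",
    }
    base = signature_base_string(method, url, _all_params(url, oauth_params, body_params))
    oauth_params["oauth_signature"] = hmac_sha1_signature(base, consumer_secret)
    return oauth_params

class Verifier:
    """Server side (the gateway's job): recompute the signature and reject replays."""
    def __init__(self, secrets_by_consumer_key, window_seconds=300):
        self.secrets = secrets_by_consumer_key
        self.window = window_seconds
        self.seen = {}  # (consumer_key, nonce, timestamp) -> timestamp; a shared store in production

    def verify(self, method, url, oauth_params, body_params=None, now=None):
        now = int(time.time()) if now is None else now
        consumer_key = oauth_params.get("oauth_consumer_key")
        secret = self.secrets.get(consumer_key)
        if secret is None:
            return False, "unknown consumer key"
        if oauth_params.get("oauth_signature_method") != "HMAC-SHA1":
            return False, "unsupported signature method"
        try:
            ts = int(oauth_params["oauth_timestamp"])
        except (KeyError, ValueError):
            return False, "bad timestamp"
        if abs(now - ts) > self.window:
            return False, "timestamp outside window"
        nonce = oauth_params.get("oauth_nonce")
        if not nonce:
            return False, "missing nonce"
        self.seen = {k: t for k, t in self.seen.items() if t >= now - self.window}  # forget expired nonces
        if (consumer_key, nonce, ts) in self.seen:
            return False, "replayed nonce"
        base = signature_base_string(method, url, _all_params(url, oauth_params, body_params))
        expected = hmac_sha1_signature(base, secret)
        if not hmac.compare_digest(expected, oauth_params.get("oauth_signature", "")):
            return False, "bad signature"
        self.seen[(consumer_key, nonce, ts)] = ts  # burn the nonce only once the signature checks out
        return True, "ok"

if __name__ == "__main__":
    url = "https://example.com/fruit/orange?format=json"
    gateway = Verifier({CONSUMER_KEY: CONSUMER_SECRET})
    params = sign_request("GET", url, CONSUMER_KEY, CONSUMER_SECRET)
    print("genuine request:", gateway.verify("GET", url, params))
    print("same request replayed:", gateway.verify("GET", url, params))
    fresh = sign_request("GET", url, CONSUMER_KEY, CONSUMER_SECRET)
    print("URL altered in transit:", gateway.verify("GET", url.replace("orange", "apple"), fresh))
```

The signature covers the method, the URL and every parameter, so changing the fruit in the path or the query invalidates it, and the timestamp window plus the nonce cache means a request lifted from a wire capture stops working within the window and fails immediately on replay. This only helps against the problem raised in the question if the permitted site signs on its own server: a secret embedded in browser-side JavaScript can be copied just as easily as a plain API key, and a copied secret lets the attacker mint valid signatures. The window and the nonce store should be shared across all gateway instances, otherwise a replay sent to a different instance would be accepted.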

