人们如何处理 RESTful api 的身份验证(技术不可知) [英] How do people handle authentication for RESTful api's (technology agnostic)

问题描述

我正在考虑构建一些移动应用程序.因此，这些应用程序将通过 JSON 和 REST(例如放置、发布等)与我的服务器对话".

i'm looking at building some mobile applications. Therefore, these apps will 'talk' to my server via JSON and via REST (eg. put, post, etc).

如果我想确保客户端手机应用程序正在尝试执行需要某些许可"的操作，人们该如何处理?

If I want to make sure a client phone app is trying to do something that requires some 'permission', how to people handle this?

例如:

我们的网站卖东西 -> 电视、汽车、连衣裙等.api 将允许人们浏览商店和购买商品.要购买，您需要要登录".我需要确保正在使用的人他们的手机，真的是他们.

Our website sells things -> tv's, car's, dresses, etc. The api will allow people to browse the shop and purchase items. To buy, you need to be 'logged in'. I need to make sure that the person who is using their mobile phone, is really them.

如何做到这一点?

我已经查看了 twitter 如何使用他们的 OAuth .. 看起来他们在请求头中有许多值?如果是这样(而且我有点喜欢这种方法)，我是否可以使用另一个 3rd 方作为网站来存储用户名/密码(例如 twitter 或 Facebook 是 OAuth 提供者)..我所做的只是以某种方式检索自定义标头数据 .. 并确保它存在于我的数据库中 .. 否则 .. 让他们向他们的 OAuth 提供者进行身份验证?

I've had a look at how twitter does it with their OAuth .. and it looks like they have a number of values in a REQUEST HEADER? If so (and I sorta like this approach), is it possible that I can use another 3rd party as the website to store the username / password (eg. twitter or Facebook are the OAuth providers) .. and all I do is somehow retrieve the custom header data .. and make sure it exists in my db .. else .. get them to authenticate with their OAuth provider?

或者有其他方法吗?

附注.我真的不喜欢拥有 API 密钥的想法 - 我觉得它很容易交给另一个人使用(我们不能冒这个险).

PS. I really don't like the idea of having an API key - I feel that it can be too easily handed to another person, to use (which we can't take the risk).

推荐答案

我们的网站卖东西 -> 电视、汽车、衣服等.api 将允许人们浏览商店和购买商品.要购买，您需要要登录".我需要确保正在使用的人他们的手机，真的是他们.

Our website sells things -> tv's, car's, dresses, etc. The api will allow people to browse the shop and purchase items. To buy, you need to be 'logged in'. I need to make sure that the person who is using their mobile phone, is really them.

如果这确实是一个要求，那么您需要在系统中存储用户身份.最流行的身份跟踪形式是通过用户名和密码.

If this really is a requirement then you need to store user identities in your system. The most popular form of identity tracking is via username and password.

我看过 twitter 如何使用他们的 OAuth .. 和它看起来他们在请求头中有许多值?如果是这样的话(我有点喜欢这种方法)，我可以使用另一个第三方作为网站来存储用户名/密码(例如.twitter 或 Facebook 是 OAuth 提供者).. 而我所做的就是以某种方式检索自定义标头数据 .. 并确保它存在于我的数据库 .. 否则 .. 让他们向他们的 OAuth 提供商进行身份验证?

I've had a look at how twitter does it with their OAuth .. and it looks like they have a number of values in a REQUEST HEADER? If so (and I sorta like this approach), is it possible that I can use another 3rd party as the website to store the username / password (eg. twitter or Facebook are the OAuth providers) .. and all I do is somehow retrieve the custom header data .. and make sure it exists in my db .. else .. get them to authenticate with their OAuth provider?

您在这里混淆了两种不同的技术，OpenID 和 OAuth(不要难过，很多人都被这个绊倒了).OpenID 允许您将身份跟踪和身份验证推迟到提供者，然后在您的应用程序中接受这些身份，作为接受者或依赖方.另一方面，OAuth 允许应用程序(消费者)访问属于另一个应用程序或系统的用户数据，而不会损害其他应用程序的核心安全性.如果您希望第三方开发人员代表您的用户访问您的 API(这不是您已声明要执行的操作)，您会支持 OAuth.

You are confusing two differing technologies here, OpenID and OAuth (don't feel bad, many people get tripped up on this). OpenID allows you to defer identify tracking and authentication to a provider, and then accept these identities in your application, as the acceptor or relying party. OAuth on the other hand allows an application (consumer) to access user data that belongs to another application or system, without compromising that other applications core security. You would stand up OAuth if you wanted third party developers to access your API on behalf of your users (which is not something you have stated you want to do).

对于您陈述的要求，您绝对可以考虑将 Open ID 集成到您的应用程序中.有许多库可用于集成，但由于您要求的是不可知的答案，因此我不会列出其中任何一个.

For your stated requirements you can definitely take a look at integrating Open ID into your application. There are many libraries available for integration, but since you asked for an agnostic answer I will not list any of them.

或者有其他方法吗?

当然.您可以将用户 ID 存储在您的系统中并使用 basic 或 digest 身份验证以保护您的 API.基本身份验证只需要在您的请求中添加一个(易于计算的)附加标头:

Of course. You can store user id's in your system and use basic or digest authentication to secure your API. Basic authentication requires only one (easily computed) additional header on your requests:

Authorization: Basic QWxhZGRpbjpvcGVuIHNlc2FtZQ==

如果您使用基本身份验证或摘要式身份验证，请确保您的 API 端点受 SSL 保护，否则用户凭据很容易在空中嗅探.您也可以放弃用户身份识别，而是在结账时通过信用卡信息有效地验证用户身份，但这是一种判断力.

If you use either basic or digest authentication then make sure that your API endpoints are protected with SSL, as otherwise user credentials can easily be sniffed over-the-air. You could also fore go user identification and instead effectively authenticate the user at checkout via credit card information, but that's a judgement call.

这篇关于人们如何处理 RESTful api 的身份验证(技术不可知)的文章就介绍到这了，希望我们推荐的答案对大家有所帮助，也希望大家多多支持IT屋！