RESTful API Authentication


Question

I have found quite a few questions on this topic on SO, but couldn't find any answering this question:

Should I validate users with their username and password, or with an API key? And what are the pros and cons of each method.

I ask this because in my API, there are a couple of methods I'd like to lock down and verify that the user has access to some document or action. I'm a bit reluctant to authenticate by having the user send an HTTP AUTH header with their username and password because it feels unsecured and is a bit more of a hassle for the user. On the other hand, though, if I use an API key, what's the point of the user ever creating a password, as they will no longer be using it to access features of the API?

Update

If other readers of this are curious what I ended up using, I decided to copy how Amazon does their validation (good explanation here: https://www.ida.liu.se/~TDP024/labs/hmacarticle.pdf)
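The asker's final choice is Amazon-style request signing: the client holds a secret that never goes over the wire and instead sends an HMAC over the request, and the server recomputes it. The following is an added example of that pattern, not code from the question or from the linked article; the canonical string layout (method, path, timestamp, SHA-256 of the body), the header names, the 300-second clock skew and the key store are all assumptions chosen for the example, not Amazon's actual specification.

```python
import hashlib
import hmac
import time

# Constructed key store: access key id -> shared secret. A real service loads
# this from a database; these values are made up for the example.
KEYS = {
    "AKIDEXAMPLE": b"wJalrXUtnFEMI/K7MDENG/bPxRfiCYEXAMPLEKEY",
}

# Assumed policy: reject requests whose timestamp is more than 5 minutes off.
MAX_SKEW_SECONDS = 300


def canonical_string(method, path, timestamp, body):
    """Build the string both sides sign. Every field an attacker could alter
    (method, path, time, body) must be included, or it is not protected."""
    body_hash = hashlib.sha256(body).hexdigest()
    return "\n".join([method.upper(), path, str(timestamp), body_hash])


def sign_request(access_key, secret, method, path, body, timestamp=None):
    """Client side: return the headers to attach to the outgoing request."""
    if timestamp is None:
        timestamp = int(time.time())
    msg = canonical_string(method, path, timestamp, body).encode()
    sig = hmac.new(secret, msg, hashlib.sha256).hexdigest()
    return {
        "X-Timestamp": str(timestamp),
        "Authorization": f"HMAC {access_key}:{sig}",
    }


def verify_request(headers, method, path, body, keys=KEYS, now=None):
    """Server side: return (ok, reason_or_access_key).

    The secret is never transmitted, so an eavesdropper who captures one
    request cannot forge a request with a different path, body or time."""
    if now is None:
        now = int(time.time())
    auth = headers.get("Authorization", "")
    if not auth.startswith("HMAC "):
        return False, "missing HMAC authorization"
    try:
        access_key, presented = auth[5:].split(":", 1)
        timestamp = int(headers.get("X-Timestamp", ""))
    except ValueError:
        return False, "malformed authorization or timestamp"
    secret = keys.get(access_key)
    if secret is None:
        return False, "unknown access key"
    if abs(now - timestamp) > MAX_SKEW_SECONDS:
        return False, "timestamp outside allowed window"
    msg = canonical_string(method, path, timestamp, body).encode()
    expected = hmac.new(secret, msg, hashlib.sha256).hexdigest()
    # Constant-time comparison so the check does not leak timing information.
    if not hmac.compare_digest(expected, presented):
        return False, "bad signature"
    return True, access_key


if __name__ == "__main__":
    body = b'{"doc": 42}'
    hdrs = sign_request("AKIDEXAMPLE", KEYS["AKIDEXAMPLE"], "POST", "/documents/42", body)
    print(verify_request(hdrs, "POST", "/documents/42", body))
    print(verify_request(hdrs, "DELETE", "/documents/42", body))
```

Note that the timestamp only bounds how long a captured request stays valid; within the window an identical request can still be replayed, so a service that cares about that also records a per-request nonce and rejects repeats.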

Answer

You can use HTTP Authentication over SSL, and that's secure enough. However, it makes consumption of the API a bit difficult as it requires the client library to support SSL. SSL can affect performance too if you're expecting too many simultaneous calls.

The API key option is just as insecure as HTTP Authentication without SSL. If you're not concerned with security, then an API key is the easiest for consumers of the API.
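The answer treats HTTP Basic credentials and API keys as equivalent bearer secrets whose safety depends on the transport. What the server does with them once they arrive is the same in both cases too. The following is an added example (not code from the answer) of a server-side check that accepts either form: the Basic header is decoded and the password verified against a salted PBKDF2 hash, and the API key is looked up by its SHA-256 digest, so a leaked credential store does not yield usable secrets. The user, password, key, header names and round count are assumptions made up for the example.

```python
import base64
import hashlib
import hmac
import os

# Assumed work factor; raise it for production use.
PBKDF2_ROUNDS = 100_000


def hash_password(password, salt=None):
    """Salted PBKDF2-HMAC-SHA256; returns (salt, digest)."""
    salt = salt if salt is not None else os.urandom(16)
    digest = hashlib.pbkdf2_hmac("sha256", password.encode(), salt, PBKDF2_ROUNDS)
    return salt, digest


def hash_api_key(api_key):
    """API keys are long random strings, so a plain hash is enough to store."""
    return hashlib.sha256(api_key.encode()).digest()


# Constructed credential store for one made-up user.
_salt, _digest = hash_password("correct horse battery staple")
USERS = {
    "alice": {
        "salt": _salt,
        "pw_hash": _digest,
    }
}
# Hash of the API key -> user; the plaintext key is never stored.
API_KEYS = {hash_api_key("k_live_0123456789abcdef"): "alice"}


def basic_header(user, password):
    """Client side: build the Authorization header a browser or curl would send."""
    token = base64.b64encode(f"{user}:{password}".encode()).decode()
    return {"Authorization": f"Basic {token}"}


def authenticate(headers, users=USERS, api_keys=API_KEYS):
    """Return the authenticated username, or None.

    Accepts either HTTP Basic or an X-API-Key header. Both are bearer secrets
    sent in the clear at the HTTP layer, which is why either needs TLS."""
    auth = headers.get("Authorization", "")
    if auth.startswith("Basic "):
        try:
            decoded = base64.b64decode(auth[6:], validate=True).decode()
            user, password = decoded.split(":", 1)
        except (ValueError, UnicodeDecodeError):
            return None
        rec = users.get(user)
        if rec is None:
            # Hash anyway so an unknown user costs the same time as a wrong password.
            hash_password(password)
            return None
        _, digest = hash_password(password, rec["salt"])
        # Constant-time comparison of the stored and computed digests.
        return user if hmac.compare_digest(digest, rec["pw_hash"]) else None
    api_key = headers.get("X-API-Key")
    if api_key:
        return api_keys.get(hash_api_key(api_key))
    return None


if __name__ == "__main__":
    print(authenticate(basic_header("alice", "correct horse battery staple")))
    print(authenticate({"X-API-Key": "k_live_0123456789abcdef"}))
    print(authenticate(basic_header("alice", "wrong")))
```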
