RESTful user authentication service


Question

Hey folks, this seems to have been discussed fairly often but I want to make a simple, watered down question around doing authentication with RESTful services. The scenario is as follows:

  • There is a system that holds the registered users of an application. The system exposes a RESTful API for accessing those users.
  • There is a front-end application with a login form. The application may be internal or external.
  • The front-end application needs to authenticate users against the data in the user system.

The question now is how to authenticate a user whose credentials (username/password) are entered in the client application against the data in the User system such that it is secure and performant? For the sake of this question, suppose the client application is internal to some sort of Intranet but the applications will not reside on the same machine and may only communicate through the service.

I understand the idea of having the application being "hypermedia driven" but we should be able to provide filtering/searching services. For example, consider the resources and API as below:

  • http://example.com/users
    • GET - retrieve all users (paginated, hypermedia driven)
    • POST - create a new user
    • PUT/DELETE not supported
  • http://example.com/users/{id}
    • GET - return the full representation of the user with id = {id}
    • PUT - update the user, accepting any of the predefined media types
    • DELETE - delete the user (with appropriate authorization)
    • POST not supported

Based on the above, my idea would be to have the client application GET on the user listing, filtering by username. The service will return the hashed password and salt to the client, the client will perform the authentication.

Thoughts?
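One way to do the credential check described in the question without handing the hashed password and salt to the client, as an added example that is not part of the original question or answer: the salted hash stays inside the service, the comparison happens there, and the user representation returned by GET omits the salt and hash. The in-memory store, the function names and the PBKDF2 parameters are this example's own assumptions, not anything from the question.

```python
import hashlib
import hmac
import os

# Constructed in-memory store standing in for the question's "User system";
# a real service would back this with a database table.
USERS = {}


def hash_password(password, salt, iterations=200_000):
    """Salted PBKDF2-HMAC-SHA256 with a random per-user salt (assumed parameters)."""
    return hashlib.pbkdf2_hmac("sha256", password.encode("utf-8"), salt, iterations)


def public_representation(user):
    """What GET /users/{id} hands to clients: the salt and hash are stripped,
    so no client ever receives a password equivalent it could replay."""
    return {k: v for k, v in user.items() if k not in ("salt", "password_hash")}


def create_user(username, password, email):
    """POST /users: store only the random salt and the derived hash, never the password."""
    salt = os.urandom(16)
    user = {
        "id": len(USERS) + 1,
        "username": username,
        "email": email,
        "salt": salt,
        "password_hash": hash_password(password, salt),
    }
    USERS[username] = user
    return public_representation(user)


def authenticate(username, password):
    """The check the question proposed doing on the client, moved into the service.
    Returns the public representation on success and None on failure; the stored
    hash is only ever compared here, in constant time."""
    user = USERS.get(username)
    if user is None:
        # Still run the KDF so an unknown username costs the same time as a wrong password.
        hash_password(password, b"\x00" * 16)
        return None
    candidate = hash_password(password, user["salt"])
    if not hmac.compare_digest(candidate, user["password_hash"]):
        return None
    return public_representation(user)
```

The client then submits the credentials once (over TLS) and receives either the public user record or a failure, never the material needed to verify passwords itself.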

Recommended answer

If I understand your question correctly, you are looking to implement a generic service that will handle authentication, so that you can re-use it for different applications.

I suggest you take a look at OAuth which has been built for precisely this problem domain.
