REST API 身份验证令牌 [英] REST API authentication tokens

问题描述

我正在从头开始构建我的第一个 REST API，并试图了解处理 API 令牌的最佳方式.我不是在谈论用户身份验证"(我会为此使用 OAuth).我指的是应用程序用来标识自己的公共/私有令牌，以便我的 API 可以首先决定是否允许应用程序使用该 API.

I'm building my first REST API from scratch and am trying to understand the best way to handle API tokens. I'm not talking about "user authentication" (I would be using OAuth for that). I'm talking about public/private tokens that an application uses to identify itself so that my API can decide whether or not the application is allowed to use the API in the first place.

有些 API 资源可供任何拥有有效令牌的人使用，有些资源需要 OAuth 身份验证.我将通过 HTTPS 与 API 通信，但我仍然想确保我遵循某种标准来来回传递令牌.

Some API resources will be available to anyone with valid token(s), and some will require OAuth authentication. I will be communicating with the API over HTTPS, but I still want to make sure I am following some sort of standard for passing tokens back and forth.

推荐答案

你实际上是在谈论用户身份验证，信不信由你.

You actually are talking about user authentication, believe it or not.

我说的是应用程序用于的公共/私有令牌标识自己，以便我的 API 可以决定是否首先允许应用程序使用该 API.

I'm talking about public/private tokens that an application uses to identify itself so that my API can decide whether or not the application is allowed to use the API in the first place.

这就是用户身份验证 - 只是用户"是调用您的 API 的应用程序.

That's user authentication - it's just that the "user" is the application calling your APIs.

如果 OAuth 不足以满足您的所有需求(并且可能，您应该检查一下！)，您不应该开始向 HTTPS 添加另一种自定义身份验证方法.相反，站在巨人的肩膀上并使用基本身份验证，因为这就是它的用途.您的工具、系统管理员和 API 客户会为此感谢您.

If OAuth isn't enough to do everything you need (and it might, you should check!), you shouldn't start adding yet another custom authentication method to HTTPS. Instead, stand on the shoulders of giants and use Basic Authentication, because that's what it's for. Your tools, sysadmins and API clients will thank you for it.

这篇关于REST API 身份验证令牌的文章就介绍到这了，希望我们推荐的答案对大家有所帮助，也希望大家多多支持IT屋！