Rest API authentication mechanism, what to do


Question

I've been reading a lot lately about WEB API authentication mechanisms and I'm a little bit confused regarding how to implement my Web API authentication mechanism, I'm thinking on using Token based authentication but I'm not sure if it is the right choice.

Basically my Web API will manage all the operations needed and it will store the users of my website as well as the API users (in case they have to be separated).

I'd like to support the following:

Users can register on my website and apps using their G+ or Facebook account or an already created username from my service, and they will also be able to log in using their social account. If the user is not logged in they won't be able to post Items but they will be able to see the Items, think something like Craigslist. Let's say the user is a developer and they want to post the items through some software they created instead of going through the website and posting one item at a time, how do I allow this? Now, my questions are: 1) When a user registers on my website, do I have to create a (public key / secret key) for it and a subsequent access token, so I can use my API from the website as the user, checking if they have access to certain endpoints?

2) Do I have to assign a (public key / secret key) for my website so I can consume the API when the user is not logged in?

3) Same for the mobile apps.

4) How do I allow users to (sign up / sign in) using G+ or Facebook? If they log in using any social network, how am I going to secure my API?

Please, any answer will be really appreciated.

Thanks

Recommended answer

For ASP.NET Web API 2, I would recommend you to use the default Owin OAuth2 authentication. It's a standard form of authentication, well documented enough. If you do not have enough knowledge about OAuth2, read the RFC.

With Web API 2, ASP.NET moved to a new security model, called ASP.NET Identity. There is this really good video that explains the basics. The point is that it starts from scratch, ignoring traditional basic, forms, or Windows authentication.

A lot of learning material is on the ASP.NET website. For local, individual accounts (questions #1, #2, and #3), look through this tutorial - here basically your own server will act as an OAuth authorization server, and the Owin OAuth2 implementation will take care of generating access tokens and authenticating them. Since you'll be using the OAuth 2 standard, it will be basically the same for mobile as well.

For external accounts (question #4), read through this tutorial. There are official libraries for third-party authentication for the major providers:

  • Microsoft.Owin.Security.Facebook
  • Microsoft.Owin.Security.Google
  • Microsoft.Owin.Security.Twitter
  • Microsoft.Owin.Security.MicrosoftAccount

It would be helpful to also learn more about and understand the new OWIN specification, which describes how web apps need to be created for the .NET framework, and the Katana project (Microsoft's OWIN implementation).
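To make the answer's "your own server acts as the OAuth authorization server, and the Owin OAuth2 middleware issues and validates the tokens" concrete for questions #1 to #3, here is an added example in C# for ASP.NET Web API 2 on Katana. It is not code from the original answer or from the ASP.NET/Katana projects. It assumes the NuGet packages Microsoft.Owin.Host.SystemWeb, Microsoft.Owin.Security.OAuth, Microsoft.AspNet.Identity.Core and Microsoft.AspNet.WebApi.Owin; the `UserStore` class, the `poster` role, the `/token` path, the `api/items` route and the sample user are all constructed for the example. It models the Craigslist-style rule from the question: anyone may read items, only a caller holding a valid bearer token may post one.

```csharp
// Added example (not from the question, the answer or the Katana project): a minimal OWIN
// OAuth2 authorization server using the resource-owner-password grant, plus a Web API
// controller whose GET is anonymous and whose POST requires a bearer token.
using System;
using System.Collections.Generic;
using System.Security.Claims;
using System.Threading.Tasks;
using System.Web.Http;
using Microsoft.AspNet.Identity;
using Microsoft.Owin;
using Microsoft.Owin.Security.OAuth;
using Owin;

[assembly: OwinStartup(typeof(ApiAuthDemo.Startup))]

namespace ApiAuthDemo
{
    public class Startup
    {
        public void Configuration(IAppBuilder app)
        {
            var oauthOptions = new OAuthAuthorizationServerOptions
            {
                TokenEndpointPath = new PathString("/token"),          // assumed path
                Provider = new LocalAccountProvider(),
                AccessTokenExpireTimeSpan = TimeSpan.FromMinutes(30), // short lifetime bounds token replay
                AllowInsecureHttp = false                             // bearer tokens travel over TLS only
            };
            app.UseOAuthAuthorizationServer(oauthOptions);                            // issues tokens at /token
            app.UseOAuthBearerAuthentication(new OAuthBearerAuthenticationOptions()); // validates Authorization: Bearer

            var config = new HttpConfiguration();
            config.MapHttpAttributeRoutes();
            app.UseWebApi(config);
        }
    }

    // Constructed stand-in for a real user database: only salted password hashes are stored.
    public static class UserStore
    {
        private static readonly PasswordHasher Hasher = new PasswordHasher();
        private static readonly Dictionary<string, string> Hashes =
            new Dictionary<string, string>(StringComparer.OrdinalIgnoreCase)
            {
                { "alice", Hasher.HashPassword("correct horse battery staple") } // constructed sample user
            };

        public static bool Verify(string user, string password)
        {
            string hash;
            return Hashes.TryGetValue(user, out hash)
                && Hasher.VerifyHashedPassword(hash, password) == PasswordVerificationResult.Success;
        }
    }

    public class LocalAccountProvider : OAuthAuthorizationServerProvider
    {
        public override Task ValidateClientAuthentication(OAuthValidateClientAuthenticationContext context)
        {
            // The website and the mobile apps are public clients: they cannot keep a client secret,
            // so nothing is gained by issuing one (question #2/#3). The user's credentials decide.
            context.Validated();
            return Task.FromResult(0);
        }

        public override Task GrantResourceOwnerCredentials(OAuthGrantResourceOwnerCredentialsContext context)
        {
            if (!UserStore.Verify(context.UserName, context.Password))
            {
                // One generic error for unknown user and wrong password: no account enumeration.
                context.SetError("invalid_grant", "The user name or password is incorrect.");
                return Task.FromResult(0);
            }

            // Claims placed here are what the middleware later reads back from the token.
            var identity = new ClaimsIdentity(context.Options.AuthenticationType);
            identity.AddClaim(new Claim(ClaimTypes.Name, context.UserName));
            identity.AddClaim(new Claim(ClaimTypes.Role, "poster")); // assumed role name
            context.Validated(identity);
            return Task.FromResult(0);
        }
    }

    // Craigslist-style resource: anyone may read, only authenticated posters may write.
    [RoutePrefix("api/items")]
    public class ItemsController : ApiController
    {
        [HttpGet, Route(""), AllowAnonymous]
        public IHttpActionResult List()
        {
            return Ok(new[] { "constructed sample item" });
        }

        [HttpPost, Route(""), Authorize(Roles = "poster")]
        public IHttpActionResult Post([FromBody] string title)
        {
            // The owner comes from the validated bearer token, never from the request body.
            return Created("api/items/1", new { title, owner = User.Identity.Name });
        }
    }
}
```

A client (the website, a mobile app, or the developer's own software from the question) posts `grant_type=password&username=alice&password=...` to `/token` over HTTPS, receives a JSON body with `access_token`, and sends `Authorization: Bearer <token>` on each write; an unauthenticated GET still succeeds, an unauthenticated or expired-token POST is rejected with 401 before the action runs. The token endpoint should additionally be rate-limited, since it accepts passwords directly. The external-provider packages listed in the answer plug into the same pipeline through their own `app.Use...Authentication(...)` calls, so the `[Authorize]` check on the controller is unchanged when a user arrives via Google or Facebook (question #4).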
