我应该如何在我的 REST API 中处理身份验证? [英] How should I handle authentication in my REST API?

问题描述

我对此很陌生，但我会尽力解释我正在尝试做的事情.

I am new to this but I will try my best to explain what I am trying to do.

我有一个产品目录和各种私人信息，我的用户希望能够通过他们的网站访问这些信息.

I have a catalog of products and various private information that my users want to be able to access via their website.

例如:

用户 a 有一个电子商务网站，他们想出售我的商品.他们将能够通过网络服务访问特定产品的详细信息.他们还将能够看到我提供给他们的协商费率以及其他一些私人详细信息.

API 应如何处理来自用户 a 网站的请求的身份验证?

How should the API handle authenticating the request that comes from User-a's website?

我一整天都在阅读有关不同身份验证方法的信息，但它们似乎都围绕着第三方访问特定用户信息的想法展开.例如，如果您让 http://randomtwitterapp.com 访问您的 Twitter 个人资料.在这种情况下，第三方站点必须管理多个不同的用户和身份验证令牌.在我们的例子中，我的用户网站代表用户进行交互.我希望这是有道理的.

I've been reading all day about different authentication methods but they all seem to revolve around the idea of a third party accessing specific user information. An example is if you let http://randomtwitterapp.com access your twitter profile. In that case, the third party site must manage multiple different users and auth tokens. In our case, my users website is interacting on behalf of the user. I hope this makes sense.

推荐答案

我们称用户 A 为Alice"，因为称她为用户 A 很麻烦.

Let's call user A "Alice" because calling her User-A is cumbersome.

将 Alice 的网站视为 Alice 本人.特价和此类特定于相关网站，因此请它登录到您的网站.颁发该网站开发人员将用来进行身份验证的凭据，然后使用这些凭据来确定您展示的定价和产品.

Treat Alice's web site as if it were Alice herself. The special pricing and such IS specific to the web site in question, so have it log into your site. Issue credentials that the person developing that site would use to authenticate with, and then use those credentials to determine the pricing and products you show.

至于实际的身份验证机制，这实际上取决于您的需求.如果你需要做的只是为不同的人提供不同的数据，你可以做一些简单的事情，比如在查询字符串中传递一个 API 令牌:http://api.example.com/products?key=9af4d8381781baccb0f915e554f8798d代码>

As for actual authentication mechanisms, it really depends on your needs. If all you need to do is serve different data to different people, you could do something as simple as an API token passed in the query string: http://api.example.com/products?key=9af4d8381781baccb0f915e554f8798d

或者，如果 Alice 已经拥有您网站的用户名和密码，您可以让她通过基本身份验证在她的 API 请求中使用这些用户名和密码.

Or if Alice already has a username and password for your site, you could have her use those in her API requests with Basic Auth.

如果 Alice 需要在她无法控制的各个站点上输入她的帐户信息，那么 oAuth 就非常方便.这样，您基本上可以为她需要访问您的 API 的每个站点提供一个 API 密钥.您可以让她删除这些 API 密钥并拒绝访问这些网站.

If Alice is going to need to enter her account information on various sites that she doesn't control, then oAuth comes in very handy. With that, you can essentially give her an API key for every site she needs to access your API from. And you give her the ability to delete those API keys and deny those sites access.

这篇关于我应该如何在我的 REST API 中处理身份验证?的文章就介绍到这了，希望我们推荐的答案对大家有所帮助，也希望大家多多支持IT屋！