Appropriate choice of authentication class for python REST API used by web app

Question

I would like to build a REST API using the Django REST framework. Initially its client would be a web application, but conceivably future clients could include mobile applications.

Unfortunately I'm finding the list of authentication classes listed in the documentation a little confusing. It looks like TokenAuthentication would meet my needs. I would rather avoid the cognitive overhead of OAuth unless there is a compelling security reason to go that way.

This is a decision I want to get right at this very early stage. Can anyone provide any advice?

Although hopefully not relevant, I thought I'd mention I'll be using Neo4j as a back-end for the application, not a conventional SQL database.

Recommended answer

Django REST Framework gives you the flexibility of having multiple authentication methods. Since I've got some time, and it will be useful to future visitors who have similar questions, I'll outline the benefits of the most common authentication methods.

Initially its client would be a web application, but conceivably future clients could include mobile applications.

Typically when working with web applications that are on the same domain and Django instance as the API, most people use SessionAuthentication as it interacts with the server using the existing authentication methods. Authentication works seamlessly, so you don't need to go through the second authentication step.

Most APIs also support some form of BasicAuthentication, most likely because it is the easiest to test with but also because it is the easiest to implement. For your web application, this isn't the recommended authentication method, but for your mobile application it's not uncommon to see it being used. I personally would recommend token-based authentication, so you don't have to worry about clients intercepting users' credentials.

It looks like TokenAuthentication would meet my needs.

Many people use TokenAuthentication because it is relatively simple to understand and use, and it seems to meet everyone's needs at first. Tokens are directly attached to users, and they do not automatically rotate (though you can make them automatically rotate), so every client working on behalf of the user gets the same token. This can be an issue if you ever need to revoke the token, as all other clients will have their token invalidated as well.

I would rather avoid the cognitive overhead of OAuth unless there is a compelling security reason to go that way.

OAuth 2 (OAuth2Authentication) gives you token rotation and token expiration on top of the benefits of TokenAuthentication. There's also the benefit of being able to revoke individual tokens without affecting other clients who are authenticating for the user. You can also limit clients to individual areas of your API through the use of scopes, which is useful if you have certain areas of the API that are more often used than others.

I'm also going to mention JSON Web Tokens, because while I haven't used it, it's been showing up quite a bit in the support channels. It works very similarly to TokenAuthentication as far as retrieving tokens, but it has the added benefit of unique tokens for clients and token expiration.
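The answer's central point, that a single non-expiring token per user cannot be revoked for one client without logging out every client, is easiest to see in code. What follows is an added example, not code from the question, the answer, or Django REST Framework itself: a framework-independent Python sketch of the two token models the answer contrasts. `SingleTokenStore` mirrors the shape of TokenAuthentication (one token per user, no expiry); `PerClientTokenStore` shows what OAuth 2 or a JWT-style scheme buys you (one expiring token per user and client, revocable and rotatable individually). The class names, the client labels "web" and "mobile", and the injectable clock are assumptions made for illustration.

```python
"""
Added example (not from the original question/answer, not DRF's own code):
two token models side by side.

  SingleTokenStore    - one non-expiring token per user, shared by every
                        client; revoking it logs out all clients at once.
  PerClientTokenStore - one token per (user, client) with an expiry, so a
                        single client can be revoked or rotated on its own.

Tokens are stored as SHA-256 digests so a leaked token table does not hand
out usable bearer tokens. The clock is injectable (assumed design choice)
so expiry can be exercised deterministically.
"""
import hashlib
import hmac
import secrets
import time
from dataclasses import dataclass
from typing import Dict, Optional, Tuple


def _digest(raw_token: str) -> str:
    """Hash the bearer token before storing it; only the client keeps the raw value."""
    return hashlib.sha256(raw_token.encode("utf-8")).hexdigest()


class SingleTokenStore:
    """One token per user, no expiry: the model TokenAuthentication uses."""

    def __init__(self) -> None:
        self._by_user: Dict[str, str] = {}  # username -> digest of the user's only token

    def issue(self, user: str) -> str:
        raw = secrets.token_hex(20)  # 40 hex chars, the same shape as a DRF Token.key
        self._by_user[user] = _digest(raw)  # a second issue() silently replaces the first
        return raw

    def authenticate(self, raw: str) -> Optional[str]:
        wanted = _digest(raw)
        for user, stored in self._by_user.items():
            if hmac.compare_digest(stored, wanted):  # constant-time comparison
                return user
        return None

    def revoke(self, user: str) -> None:
        """Removes the user's only token, so every client of that user is logged out."""
        self._by_user.pop(user, None)


@dataclass
class ClientToken:
    user: str
    client: str        # assumed client label such as "web" or "mobile"
    expires_at: float  # epoch seconds


class PerClientTokenStore:
    """One expiring token per (user, client), revocable and rotatable individually."""

    def __init__(self, ttl_seconds: int = 3600, now=time.time) -> None:
        self._ttl = ttl_seconds
        self._now = now  # injectable clock (assumption for testability)
        self._tokens: Dict[str, ClientToken] = {}  # digest -> record

    def issue(self, user: str, client: str) -> str:
        raw = secrets.token_urlsafe(32)  # 256 bits of entropy
        self._tokens[_digest(raw)] = ClientToken(user, client, self._now() + self._ttl)
        return raw

    def authenticate(self, raw: str) -> Optional[Tuple[str, str]]:
        # Lookup is keyed on the digest: an attacker cannot steer SHA-256 output
        # toward a stored digest, so a plain dict lookup is acceptable here.
        key = _digest(raw)
        rec = self._tokens.get(key)
        if rec is None:
            return None
        if self._now() >= rec.expires_at:
            del self._tokens[key]  # expired: drop it and treat as unauthenticated
            return None
        return rec.user, rec.client

    def revoke(self, user: str, client: str) -> int:
        """Revoke only this client's tokens; the user's other clients stay logged in."""
        doomed = [k for k, r in self._tokens.items() if (r.user, r.client) == (user, client)]
        for k in doomed:
            del self._tokens[k]
        return len(doomed)

    def rotate(self, raw: str) -> Optional[str]:
        """Swap a still-valid token for a fresh one; the old value stops working at once."""
        ident = self.authenticate(raw)
        if ident is None:
            return None
        del self._tokens[_digest(raw)]
        return self.issue(*ident)


if __name__ == "__main__":
    store = PerClientTokenStore(ttl_seconds=60)
    web, mobile = store.issue("alice", "web"), store.issue("alice", "mobile")
    store.revoke("alice", "mobile")
    print("web still valid:", store.authenticate(web) is not None)
    print("mobile revoked:", store.authenticate(mobile) is None)
```

To plug a store like this into DRF you would subclass `rest_framework.authentication.BaseAuthentication`, implement `authenticate(self, request)` to read the `Authorization` header and call the store, and return `(user, auth)` or `None`; that wiring is left out here because it needs a Django project to run.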
