Basic Authentication with a Guid token for REST api instead of username/password


Question

I am developing a mobile application using PhoneGap with a REST API for the backend. The REST API won't be utilised by third-party developers, but will be application-specific, so there is no need for OAuth to be implemented. Hence, I am planning to use Basic Authentication, wherein the user enters their username/password to access the API resources. All API communication will be over SSL.

Instead of letting the application store the username/password and send it with every request to the API, I would rather authenticate username/password on the first login request and send a GUID token back. The client stores this GUID token and sends the token back to the API with each request through the Authorization header, like this:

Authorization: Basic e1d9753f-a508-46cc-a428-1787595d63e4

On the server side, the username/GUID combination will be stored on the server with an expiration date along with device settings. This will allow keeping track of the number of devices a user has logged in from, as well as expiring the session once the Guid has reached its expiration.

Does this approach sound reasonable and secure?

Answer

There is no need for you to create custom headers or authentication schemes at all.

The Bearer authentication scheme is designed exactly for your use case:

Authorization: Bearer e1d9753f-a508-46cc-a428-1787595d63e4

Basic must look like this:

Authorization: Basic base64EncodedUsernameAndPassword

where base64EncodedUsernameAndPassword is equal to the output of:

base_64_encode(username + ':' + raw_password)

Do not use Basic if the trailing text value is not the above exact algorithm.

If you just want to put whatever value you want after the scheme name, use the Bearer scheme - that is what it was invented for.

While you can use a simple GUID/UUID as your token, this isn't really a secure token. Consider using a JWT instead. JWTs can be digitally signed and assigned a TTL so that only the server setting it can a) create it and validate its authenticity and b) ensure it is not used longer than is allowed. While this may be true of your data stored based on the GUID, the JWT approach does not require server state - so it scales far better - and accomplishes the same thing.
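The following Python is an added example, not code from the question or the answer above. It puts the two points of the answer side by side: `basic_header` and `parse_authorization` implement the exact Basic algorithm (base64 of `user:password`) and show that a bare GUID after `Basic` is rejected while the same GUID after `Bearer` is accepted as an opaque token; `GuidSessionStore` is the question's stateful GUID-plus-expiry table; `mint_jwt`/`verify_jwt` are the stateless HS256 JWT alternative the answer recommends, with the TTL carried inside the signed payload. All function names, the HMAC secret, the claim values and the `now` parameter (passed explicitly so expiry can be tested deterministically) are assumptions made for this illustration.

```python
import base64
import binascii
import hashlib
import hmac
import json
import time
import uuid
from typing import Optional


def _now(now: Optional[int]) -> int:
    return int(time.time()) if now is None else now


def b64url_encode(raw: bytes) -> str:
    # JWS uses unpadded base64url (RFC 7515 section 2)
    return base64.urlsafe_b64encode(raw).rstrip(b"=").decode("ascii")


def b64url_decode(text: str) -> bytes:
    return base64.urlsafe_b64decode(text + "=" * (-len(text) % 4))


def basic_header(username: str, password: str) -> str:
    """Basic credential exactly as RFC 7617 defines it: base64(user ':' password)."""
    if ":" in username:
        raise ValueError("RFC 7617 forbids ':' in the user-id")
    return "Basic " + base64.b64encode(f"{username}:{password}".encode("utf-8")).decode("ascii")


def parse_authorization(header: str):
    """Return (scheme, credential), or None when the value does not fit the scheme.

    A GUID after 'Basic' is rejected because it is not base64(user:pass); the same
    GUID after 'Bearer' is accepted, because Bearer carries an opaque token.
    """
    scheme, _, value = header.strip().partition(" ")
    scheme, value = scheme.lower(), value.strip()
    if scheme == "basic":
        try:
            decoded = base64.b64decode(value, validate=True).decode("utf-8")
        except (binascii.Error, UnicodeDecodeError):
            return None
        user, sep, password = decoded.partition(":")
        return ("basic", (user, password)) if sep else None
    if scheme == "bearer" and value:
        return ("bearer", value)
    return None


class GuidSessionStore:
    """The question's stateful design: a random GUID means nothing without this table."""

    def __init__(self):
        self._sessions = {}  # guid -> {"sub", "device", "exp"}

    def issue(self, username: str, device: str, ttl: int, now: Optional[int] = None) -> str:
        guid = str(uuid.uuid4())  # 122 bits from os.urandom: unguessable, but carries no claims
        self._sessions[guid] = {"sub": username, "device": device, "exp": _now(now) + ttl}
        return guid

    def validate(self, guid: str, now: Optional[int] = None):
        session = self._sessions.get(guid)
        if session is None or _now(now) >= session["exp"]:
            self._sessions.pop(guid, None)  # expired entries are purged on first use
            return None
        return session

    def devices_for(self, username: str):
        return sorted({s["device"] for s in self._sessions.values() if s["sub"] == username})


def mint_jwt(secret: bytes, subject: str, ttl: int, now: Optional[int] = None) -> str:
    """HS256 JWT in compact form: the TTL travels inside the signed payload, no server state."""
    issued = _now(now)
    header = {"alg": "HS256", "typ": "JWT"}
    claims = {"sub": subject, "iat": issued, "exp": issued + ttl, "jti": str(uuid.uuid4())}
    parts = [b64url_encode(json.dumps(p, separators=(",", ":")).encode("utf-8")) for p in (header, claims)]
    signing_input = ".".join(parts)
    sig = hmac.new(secret, signing_input.encode("ascii"), hashlib.sha256).digest()
    return signing_input + "." + b64url_encode(sig)


def verify_jwt(secret: bytes, token: str, now: Optional[int] = None):
    """Return the claims if signature and expiry check out, otherwise None."""
    try:
        h64, c64, s64 = token.split(".")
        header, claims = json.loads(b64url_decode(h64)), json.loads(b64url_decode(c64))
        sig = b64url_decode(s64)
    except (ValueError, binascii.Error, UnicodeDecodeError):
        return None
    if not isinstance(header, dict) or not isinstance(claims, dict) or header.get("alg") != "HS256":
        return None  # pin the algorithm server-side; never honour 'none' or a token-chosen alg
    expected = hmac.new(secret, f"{h64}.{c64}".encode("ascii"), hashlib.sha256).digest()
    if not hmac.compare_digest(sig, expected):  # constant-time comparison
        return None
    exp = claims.get("exp")
    return claims if isinstance(exp, int) and _now(now) < exp else None
```

Two design points worth noting: the verifier pins `alg` to HS256 instead of trusting the token's header, which is what makes the `none`-algorithm and key-confusion classes of JWT bugs impossible here, and the signature is compared with `hmac.compare_digest` rather than `==`. With the GUID store, revocation is a dictionary delete; with the JWT, nothing can be revoked before `exp`, which is the price of the statelessness the answer describes, so keep the TTL short.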

