使用 OAuth 进行服务器到服务器身份验证? [英] Using OAuth for server-to-server authentication?
问题描述
我目前正在努力指定我公司的新合作伙伴/公共 API,这将是一个面向资源的 RESTful Web 服务.目前缺少的部分是身份验证/授权.
I'm currently working to specify my company's new partner/public API, which will be a resource-oriented RESTful web service. The missing piece of the puzzle at the moment is authentication/authorization.
要求是:
- 最初它必须适用于服务器到服务器的环境,例如服务器应用程序必须能够识别自己,以便我们知道谁在调用 API.
- 将来,我们希望允许它模拟用户帐户,因此除了被识别的服务器外,它还将拥有代表用户帐户一段时间的令牌.
OAuth 似乎非常适合 (2) 的工作流程,即获取令牌、重定向到用户输入其凭据以对其进行授权的网站,然后使用该令牌来识别/验证应用程序和用户.
OAuth seems to be ideal for (2) with the workflow of getting a token, redirecting to the website where the user enters their credentials to authorize it, and then using that token which identifies/authenticates both the application and the user.
但是,根据我所读的内容,我不知道它是否适用于 (1) - 即有什么方法可以使用 OAuth 只是 来识别调用应用程序而无需一个有效的特定于用户的令牌,因此不需要重定向到网页供他们输入凭据?
However, from what I have read, I don't know if it is suitable for (1) - i.e. is there any way that OAuth can be used just to identify the calling application without having a valid user-specific token and thus not needing to be redirected to a web page for them to enter their credentials?
推荐答案
是的,令牌的生命周期可以设置为不过期,直到你说出来.因此,您需要(手动)完成身份验证和授权,并保存授权令牌以备后用.
Yes, the lifetime of the token can be set not to expire until you say so. So, you'd (manually) complete the authentication and authorisation, and save the authorized token for later use.
(您可以使用任何测试客户端来帮助您完成该手册部分,或当您自己实现服务器时:使用所谓的双腿 OAuth.)
(You can use any test client to help you complete that manual part, or while you're implementing the server yourself: use a so-called two-legged OAuth.)
这篇关于使用 OAuth 进行服务器到服务器身份验证?的文章就介绍到这了,希望我们推荐的答案对大家有所帮助,也希望大家多多支持IT屋!
