Should I make 3rd party API calls in backend or frontend?


Question

I have an API and that API needs some data from the Microsoft Graph API. I was thinking of implementing an endpoint in my API to refresh the token and use that token to make calls from the frontend. I don't know if that's optimal or safe, hence my question.

EDIT 1: To give a better perspective of what I have, this is the logic I have at the moment. Tell me if this is correct please.

User requests my API's authorization endpoint, which has the Azure's secret key, then the user is redirected to the Microsoft oAuth login page. Once logged in oAuth, Microsoft redirects the user to my API, where it saves the JWT tokens in the user's cookies, so the user can refresh the token anytime.

In order to refresh the token, the user simply makes a call to myapi.com/auth/microsoft/token, where it has the secret key, and it refreshes.

Answer

Generally I would recommend always making the 3rd party calls from the back end. It gives you more control and avoids any cross origin complications.

You also want to be aware of any API keys. Most APIs require a key for access and often that key is private and you wouldn't want to share it on the front end.

MS Azure APIs have an application and secret token. You cannot expose the secret token to the client. To call directly from the client you would use OAuth to get a JWT token and then you can call from the SPA into the MS Web APIs with that token.

https://docs.microsoft.com/en-us/azure/active-directory/develop/authentication-scenarios#single-page-application-spa

In contrast, there are other 3rd party APIs that are designed to be called only from the front-end. Stripe for example is a payment processing API where the UI can call directly into Stripe and then the client's payment information is never actually passed to the host application, only to Stripe. This improves security.
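Added example (not code from the original post, and not Microsoft's or Stripe's own code) in Python of the pattern the answer recommends, applied to the questioner's flow: the OAuth callback and the token refresh both run on the backend, which is the only place the client secret exists, and the SPA calls the backend and gets back only the profile fields it needs. The endpoint URLs, the token response shape, the `transport` function and the fake identity provider are constructed assumptions so the code runs offline; keeping the tokens server-side behind an opaque session id (instead of in the user's cookie, as in the question) is a design choice of this example.

```python
import json
import secrets
import time

# Constructed placeholders; a real deployment reads these from server-side config.
CLIENT_ID = "example-app-id"
CLIENT_SECRET = "server-only-secret"
TOKEN_URL = "https://login.example.test/oauth2/v2.0/token"  # assumed URL
GRAPH_ME_URL = "https://graph.example.test/v1.0/me"         # assumed URL


class BackendProxy:
    """Holds the client secret and the users' tokens. The browser only ever
    receives an opaque session id and the data it asked for."""

    def __init__(self, transport, clock=time.time):
        self._transport = transport   # callable(method, url, headers, form) -> (status, body)
        self._clock = clock
        self._sessions = {}           # session id -> token record
        self.token_calls = 0          # lets callers observe refresh behaviour

    def _token_request(self, form):
        # The secret travels only from this server to the identity provider.
        form = dict(form, client_id=CLIENT_ID, client_secret=CLIENT_SECRET)
        status, body = self._transport("POST", TOKEN_URL, {}, form)
        self.token_calls += 1
        if status != 200:
            raise RuntimeError(f"token endpoint returned {status}")
        data = json.loads(body)
        return {
            "access_token": data["access_token"],
            "refresh_token": data["refresh_token"],
            "expires_at": self._clock() + data["expires_in"] - 60,  # refresh a minute early
        }

    def exchange_code(self, code):
        """OAuth redirect handler: trade the authorization code for tokens and
        return an opaque session id (the value to put in an HttpOnly cookie)."""
        record = self._token_request({"grant_type": "authorization_code", "code": code})
        session_id = secrets.token_urlsafe(32)
        self._sessions[session_id] = record
        return session_id

    def _access_token(self, session_id):
        record = self._sessions.get(session_id)
        if record is None:
            raise PermissionError("unknown session")
        if self._clock() >= record["expires_at"]:
            # Refresh happens here, server-side; the SPA never handles the refresh token.
            record = self._token_request(
                {"grant_type": "refresh_token", "refresh_token": record["refresh_token"]})
            self._sessions[session_id] = record
        return record["access_token"]

    def get_profile(self, session_id):
        """Frontend-facing route: calls the third-party API on the user's behalf
        and returns only the fields the SPA needs, never the tokens."""
        headers = {"Authorization": "Bearer " + self._access_token(session_id)}
        status, body = self._transport("GET", GRAPH_ME_URL, headers, None)
        if status != 200:
            raise RuntimeError(f"graph returned {status}")
        profile = json.loads(body)
        return {"displayName": profile.get("displayName"), "mail": profile.get("mail")}


# Constructed stand-in for the identity provider and the Graph API (runs offline).
_ISSUED = set()


def fake_transport(method, url, headers, form):
    if url == TOKEN_URL:
        if form.get("client_secret") != CLIENT_SECRET:
            return 401, json.dumps({"error": "invalid_client"})
        ok = (form.get("grant_type") == "authorization_code" and form.get("code") == "good-code") or \
             (form.get("grant_type") == "refresh_token" and form.get("refresh_token") in _ISSUED)
        if not ok:
            return 400, json.dumps({"error": "invalid_grant"})
        access, refresh = "at-" + secrets.token_hex(4), "rt-" + secrets.token_hex(4)
        _ISSUED.update({access, refresh})
        return 200, json.dumps({"access_token": access, "refresh_token": refresh, "expires_in": 3600})
    if url == GRAPH_ME_URL:
        token = headers.get("Authorization", "")[len("Bearer "):]
        if token not in _ISSUED:
            return 401, "{}"
        return 200, json.dumps({"displayName": "Ada", "mail": "ada@example.test", "id": "u-1"})
    return 404, "{}"


def demo():
    """Walk the flow: login callback, first Graph call, token expiry, refreshed call."""
    now = [1_000_000.0]
    proxy = BackendProxy(fake_transport, clock=lambda: now[0])
    sid = proxy.exchange_code("good-code")
    first = proxy.get_profile(sid)   # uses the cached access token
    now[0] += 3600                   # past expiry: the proxy refreshes on its own
    second = proxy.get_profile(sid)
    return {"session_id": sid, "first": first, "second": second, "token_calls": proxy.token_calls}


if __name__ == "__main__":
    print(json.dumps(demo(), indent=2))
```

The point the answer makes shows up in what `demo()` returns: the frontend-visible result contains profile fields and a session id, while the client secret, the access token and the refresh token never leave the backend, and the second `token_calls` is the refresh the question wanted to expose as a frontend-reachable endpoint.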

