使用GUID令牌REST API,而不是用户名/密码基本身份验证 [英] Basic Authentication with a Guid token for REST api instead of username/password
问题描述
我开发使用PhoneGap的与REST API的后端移动应用程序。 REST API进行不会被第三方开发商可以利用的,但将是应用特定的,所以没有必要对被实现OAUTH。因此,我打算使用基本身份验证,其中在用户输入自己的用户名/密码访问API资源。所有的API通讯将在SSL。
I am developing a mobile application using PhoneGap with REST API for the backend. The REST API won't be utilised by third-party developers, but will be application-specific, so there is no need for oAuth to be implemented. Hence, I am planning to use Basic Authentication where in the User enters their Username/password to access the API resources. All API communication will be on SSL.
而不是让应用程序商店的用户名/密码,每个请求的API发送的,我宁愿认证的第一个登录请求的用户名/密码,并发送一个GUID令牌回来。客户端存储此GUID的令牌,并通过授权头每个请求,这样发送令牌回API:
Instead of letting the application store the username/password and send it with every request to the API, I would rather authenticate username/password on the first login request and send a GUID token back. The client stores this GUID token and sends the token back to the API with each request through the Authorization header, like this:
授权:基本e1d9753f-a508-46cc-a428-1787595d63e4
Authorization: Basic e1d9753f-a508-46cc-a428-1787595d63e4
在服务器端,用户名/ GUID组合将存储与设备设置沿有效期限在服务器上。这将允许跟踪用户已从以及记录在设备的数量的到期的会话,一旦的Guid达到期满
On the server side, the username/GUID combination will be stored on the server with a expiration date along with device settings. This will allow to keep track of the number of devices a user has logged in from as well as expire the session once the Guid has reached expiration.
这是否进场声合理和安全?
Does this approach sound reasonable and secure?
推荐答案
一般的身份验证令牌用的做法是非常好的,但你不应该试图在不同的方式基本身份验证的工作比它应该是(毕竟它是一个定义的标准)。你应该宁愿用自己的头进行身份验证。你可以在这里找到这样的场景的一个很好的说明:
The general "Authentication with Token" approach is very good but you shouldn't try to make Basic Authentication work in different way than it is supposed to (after all it is a defined standard). You should rather use your own header for authentication purposes. You can find a very good description of such scenario here:
- Making your ASP.NET Web API’s secure
这篇关于使用GUID令牌REST API,而不是用户名/密码基本身份验证的文章就介绍到这了,希望我们推荐的答案对大家有所帮助,也希望大家多多支持IT屋!