Appropriate choice of authentication class for python REST API used by web app

Question

I would like build a REST API using the Django REST framework. Initially its client would be a web application, but conceivably future clients could include mobile applications.

Unfortunately I'm finding the list of authentication classes listed in the documentation a little confusing. It looks like TokenAuthentication would meet my needs. I would rather avoid the cognitive overhead of OAuth unless there is a compelling security reason to go that way.

This is a decision I want to get right at this very early stage. Can anyone provide any advice?

Edit: Although hopefully not relevant, I thought I'd mention I'll be using Neo4j as a back-end for the application, not a conventional SQL database.

Answer

Django REST Framework gives you the flexibility of having multiple authentication methods. Since I've got some time, and it will be useful to future visitors who have similar questions, I'll outline the benefits of the most common authentication methods.

Initially its client would be a web application, but conceivably future clients could include mobile applications.

Typically when working with web applications that are on the same domain and Django instance as the API, most people use SessionAuthentication as it interacts with the server using the existing authentication methods. Authentication works seamlessly, so you don't need to go through the second authentication step.

Most APIs also support some form of BasicAuthentication, most likely because it is the easiest to test with but also because it is the easiest to implement. For your web application, this isn't the recommended authentication method, but for your mobile application it's not uncommon to see it being used. I personally would recommend a token-based authentication, so you don't have to worry about clients intercepting users' credentials.

It looks like TokenAuthentication would meet my needs.

Many people use TokenAuthentication because it is relatively simple to understand and use, and it seems to meet everyone's needs at first. Tokens are directly attached to users, and they do not automatically rotate (though you can make them automatically rotate), so every client working on behalf of the user gets the same token. This can be an issue if you ever need to revoke the token, as all other clients will have their token invalidated as well.

I would rather avoid the cognitive overhead of OAuth unless there is a compelling security reason to go that way.

OAuth 2 (OAuth2Authentication) gives you token rotation and token expiration on top of the benefits of TokenAuthentication. There's also the benefit of being able to revoke individual tokens without affecting other clients who are authenticating for the user. You can also limit clients to individual areas of your API through the use of scopes, which is useful if you have certain areas of the API that are more often used than others.

I'm also going to mention JSON Web Tokens (http://www.django-rest-framework.org/api-guide/authentication/#json-web-token-authentication), because while I haven't used it, it's been showing up quite a bit in the support channels. It works very similarly to TokenAuthentication as far as retrieving tokens, but it has the added benefit of unique tokens for clients and token expiration.
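The single-token-per-user versus per-client-token trade-off that the answer above describes, as an added example that is not part of the original question or answer. It is a stand-alone Python model, not Django REST Framework's own code: `SingleTokenPerUser` mimics the two properties DRF's authtoken table has (one plaintext key per user, handed out by `Token.objects.get_or_create`, no expiry), and `PerClientTokens` mimics the per-client, expiring, scoped grants an OAuth2 or JWT deployment gives you. The class names, the injectable fake clock, the scope names and the user/client names are illustrative assumptions.

```python
import hashlib
import secrets
import time
from dataclasses import dataclass


def _digest(token):
    # Store a SHA-256 of the token rather than the token, so a copied table is useless.
    return hashlib.sha256(token.encode()).hexdigest()


class SingleTokenPerUser:
    """One long-lived opaque token per user, the shape of DRF's TokenAuthentication.

    DRF's authtoken table keeps the key itself and get_or_create hands the same
    key to every client asking for that user; this class keeps both properties.
    """

    def __init__(self):
        self._user_to_token = {}
        self._token_to_user = {}

    def issue(self, user):
        # get_or_create semantics: a second client for the same user receives the
        # identical token, so the server cannot tell the clients apart.
        if user in self._user_to_token:
            return self._user_to_token[user]
        token = secrets.token_hex(20)
        self._user_to_token[user] = token
        self._token_to_user[token] = user
        return token

    def authenticate(self, token):
        return self._token_to_user.get(token)

    def revoke(self, token):
        user = self._token_to_user.pop(token, None)
        if user is None:
            return False
        del self._user_to_token[user]
        return True


@dataclass
class _Grant:
    user: str
    client_id: str
    scopes: frozenset
    expires_at: float
    revoked: bool = False


class PerClientTokens:
    """One expiring, scoped token per (user, client): the OAuth2 / JWT shape."""

    def __init__(self, ttl_seconds=3600, clock=time.time):
        self._grants = {}      # token digest -> _Grant
        self._ttl = ttl_seconds
        self._clock = clock    # injectable so expiry can be exercised offline

    def issue(self, user, client_id, scopes=("read",)):
        token = secrets.token_urlsafe(32)
        self._grants[_digest(token)] = _Grant(
            user, client_id, frozenset(scopes), self._clock() + self._ttl)
        return token

    def authenticate(self, token, scope=None):
        """Return (user, client_id) if the token is live and, if given, holds `scope`."""
        g = self._grants.get(_digest(token))
        if g is None or g.revoked or self._clock() >= g.expires_at:
            return None
        if scope is not None and scope not in g.scopes:
            return None
        return (g.user, g.client_id)

    def revoke(self, token):
        # Only this client's grant is touched; the user's other clients stay logged in.
        g = self._grants.get(_digest(token))
        if g is None:
            return False
        g.revoked = True
        return True


def demo():
    """Run both models through the revoke-one-client scenario from the answer."""
    single = SingleTokenPerUser()
    web = single.issue("alice")
    mobile = single.issue("alice")
    single.revoke(web)                      # kicking the web app ...
    single_result = {
        "same_token": web == mobile,
        "mobile_still_valid": single.authenticate(mobile) is not None,  # ... also logs out mobile
    }

    now = [1_000_000.0]                     # constructed fake clock for the demo
    per = PerClientTokens(ttl_seconds=600, clock=lambda: now[0])
    web = per.issue("alice", "web", scopes=("read", "write"))
    mobile = per.issue("alice", "mobile", scopes=("read",))
    per.revoke(web)
    per_result = {
        "web_still_valid": per.authenticate(web) is not None,
        "mobile_still_valid": per.authenticate(mobile, scope="read") == ("alice", "mobile"),
        "mobile_can_write": per.authenticate(mobile, scope="write") is not None,
    }
    now[0] += 601                           # step past the TTL
    per_result["mobile_after_expiry"] = per.authenticate(mobile) is not None
    return {"single": single_result, "per_client": per_result}


if __name__ == "__main__":
    print(demo())
```

Running the block prints the result dict; the entries to compare are `mobile_still_valid` under `single` (False: revoking the web app's token logged the mobile app out too, because both held the same key) and under `per_client` (True: only the web grant was revoked, and the mobile grant then dies on its own when the TTL passes).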
