Restful web service authentication


Question

I have a Restful web service API that is being used by different 3rd parties. Part of that API is restricted (you need a username/password to access it). I was wondering what would be the best way of implementing authentication?

I'm using https, so communication is encrypted. I have two ideas:


  • Before the user starts using the (restricted) service, it sends a POST with username/password (as https is being used, the certificate encrypts it). After a successful login, the server sends back a random one-use value (nonce) that matches this username. On making the next request, along with the username, the client sends the nonce previously returned. The server matches the username and nonce and returns a new nonce along with the requested data. Every new request uses a new nonce. Basically, this is a lightweight version of HTTP digest authentication.

  • Since the API is used by 3rd parties, username/password could be used with every (restricted) request. Since https is used, they would be encrypted. The downfall of this approach is the fact that it wouldn't be Restful compliant (POST would always be used).

I'm much closer to choosing the first approach (it is Restful compliant, relatively easy to implement, and XML, JSON or HTML can be used without changing anything), but I wanted to see what your opinion is. What do you recommend: the first, the second or some third approach?

Btw, I'm using Python on the server side.

Answer

One way I've seen this done in APIs (and the way I am currently implementing it) is to create a RESTful resource called Session which is created via a POST that supplies a username and password.

Here is basically how I've implemented it:

POST /sessions { Username: "User", Password: "Password" }

Creates a time-limited session and returns the session resource, which contains the session key value and expiry. You may also want to return this as a cookie value for the convenience of implementing API clients.

DELETE /session/{id}

Immediately expires the session so it can no longer be used. This is used for explicit sign-outs.

I then have the user attach the session key via a query parameter, though you can also allow it to be submitted via a cookie value; I'd recommend allowing for both.

What I prefer about this is that it is extremely simple.

Obviously your scenario will dictate somewhat how your sessions should be managed; perhaps they are not time-limited and last indefinitely, and perhaps they are hashed or encrypted for added security.

If you are using HTTPS everywhere you probably don't need to worry too much. However, if you want to use HTTP, you will need to use something like a hash along with a secret key and, say, a timestamp to generate a secure key per request. This way you can share the secret key over HTTPS and then switch to HTTP for further calls. Even if someone manages to sniff out the key from a request, it can expire almost immediately and be useless.

Disclaimer: I am not a security expert ;-).
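The following Python example is added here to illustrate both parts of the answer above; it is not the answerer's code and not from any particular framework. It models the Session resource (`POST /sessions` creates a time-limited session, `DELETE /session/{id}` revokes it, the key is accepted from either a query parameter or a cookie) and the per-request signature the answer sketches for the HTTP case (an HMAC over method, path and timestamp under a secret shared over HTTPS, rejected outside a short time window). The user table, salt, TTL, time window and the `SessionStore`, `sign_request` and `verify_signed_request` names are all assumptions made for the example.

```python
import hashlib
import hmac
import secrets
import time

# Constructed user table: username -> PBKDF2 hash of the password.
# A static salt keeps the example short; real deployments use a random per-user salt.
_SALT = b"constructed-static-salt"


def _hash_password(password: str) -> bytes:
    return hashlib.pbkdf2_hmac("sha256", password.encode(), _SALT, 100_000)


USERS = {"User": _hash_password("Password")}  # matches the POST /sessions body above


def verify_password(username: str, password: str) -> bool:
    stored = USERS.get(username)
    if stored is None:
        return False
    # Constant-time comparison avoids leaking how many bytes matched.
    return hmac.compare_digest(_hash_password(password), stored)


class SessionStore:
    """In-memory backing store for the Session resource (assumed name)."""

    def __init__(self, ttl_seconds: float = 3600, clock=time.time):
        self._sessions: dict[str, tuple[str, float]] = {}  # key -> (username, expires_at)
        self._ttl = ttl_seconds
        self._clock = clock  # injectable so tests can move time forward

    def create(self, username: str, password: str):
        """POST /sessions: returns the session resource, or None on bad credentials."""
        if not verify_password(username, password):
            return None
        key = secrets.token_urlsafe(32)  # 256 bits from the OS CSPRNG
        expires_at = self._clock() + self._ttl
        self._sessions[key] = (username, expires_at)
        return {"id": key, "username": username, "expires_at": expires_at}

    def lookup(self, key: str):
        """Returns the username for a live session, or None if unknown or expired."""
        entry = self._sessions.get(key)
        if entry is None:
            return None
        username, expires_at = entry
        if self._clock() >= expires_at:
            self._sessions.pop(key, None)  # lazily purge expired sessions
            return None
        return username

    def delete(self, key: str) -> bool:
        """DELETE /session/{id}: explicit sign-out; True if a session was revoked."""
        return self._sessions.pop(key, None) is not None


def session_key_from_request(query: dict, cookies: dict):
    """Accept the key as ?session=... or as a 'session' cookie; the query parameter wins."""
    return query.get("session") or cookies.get("session")


# --- Per-request signature for the plain-HTTP variant described in the answer ---
SIGNATURE_WINDOW = 300  # seconds of clock skew tolerated (assumed value)


def sign_request(secret: bytes, method: str, path: str, timestamp: int) -> str:
    """HMAC-SHA256 over method, path and timestamp; the secret was shared over HTTPS."""
    msg = f"{method.upper()}\n{path}\n{timestamp}".encode()
    return hmac.new(secret, msg, hashlib.sha256).hexdigest()


def verify_signed_request(secret: bytes, method: str, path: str, timestamp: int,
                          signature: str, now=None) -> bool:
    """Rejects signatures outside the time window or not matching method/path/timestamp."""
    now = time.time() if now is None else now
    if abs(now - timestamp) > SIGNATURE_WINDOW:
        return False  # a sniffed signature goes stale within SIGNATURE_WINDOW seconds
    expected = sign_request(secret, method, path, timestamp)
    return hmac.compare_digest(expected, signature)


if __name__ == "__main__":
    store = SessionStore(ttl_seconds=60)
    session = store.create("User", "Password")
    print("created:", session)
    print("lookup:", store.lookup(session["id"]))
    print("deleted:", store.delete(session["id"]), "lookup after:", store.lookup(session["id"]))
```

Binding method and path into the signature means a captured signature cannot be replayed against a different endpoint, and the time window bounds how long a captured one stays usable; within that window a replay of the identical request is still accepted, which is the gap the nonce scheme in the question closes at the cost of server-side state per request.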
