REST authentication and HMAC/private key (when do I set it?)


Question


I've been toying around with a simple application idea the last couple of days as I'm trying to teach myself the basic of REST authentication.


So far I've gathered that the best way to do this is with an implementation of HMAC like the one used by Amazon.


My biggest concern is with exactly how am I suppose to authenticate the user and give them their private key so they can begin signing the HMAC? I keep reading that the private key used for signing the HMAC is not supposed to be sent over the wire ever, but then how do they ever get it in the first place?


My idea was something like this, but I am not sure if this is valid.

A users table in the database:

users (simplified, this would probably be a private key per client app?)
  id (their public key?)
  username
  password?
  privatekey


Assuming an HTML/JS client, the user would be presented with a traditional login page that POSTs to the API with something like this:

https://example.com/myapp/api/v1/authenticate.json
POST: username / password

This would return either

404:User not found
200:{ "id" : <id>, "privatekey": <privatekey> }


The client would then store that key somewhere (would local storage/a cookie be a safe place?) and use it to sign further requests that would look like this:


GET https://example.com//myapp/api/v1/something/?key1=value1&publickey={theirID}&hmac={hmac signature of the request using their private key}


The server would then check the public key, retrieve the associated private key and rebuild the HMAC signature; if they match, we have an authenticated request and process it.


Am I getting this right? I'm not sure I understand the role of a private key if I still need a password like in my example, so something is telling me that I might be wrong.
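The signing flow sketched in the question (client appends publickey and hmac to the request, server looks up the secret by publickey and rebuilds the HMAC), as an added example that is not part of the original post. The canonical-string layout, the SECRETS lookup table, the ts parameter and the 300-second replay window are all assumptions made for this example; the check uses a constant-time comparison so the server does not leak how many bytes of a guessed signature were right.

```python
import hashlib
import hmac
import time
from urllib.parse import parse_qsl, urlencode, urlsplit

# Constructed sample store: public id -> shared secret (hypothetical values).
SECRETS = {"client-42": b"s3cr3t-issued-at-registration"}

def canonical_string(method, path, params):
    # Sort params so client and server serialise the request identically.
    return "\n".join([method.upper(), path, urlencode(sorted(params.items()))])

def sign_request(public_id, secret, method, path, params, timestamp=None):
    """Client side: add publickey and ts, then append the HMAC over the canonical request."""
    ts = int(time.time()) if timestamp is None else timestamp
    signed = dict(params, publickey=public_id, ts=ts)
    mac = hmac.new(secret, canonical_string(method, path, signed).encode(), hashlib.sha256)
    signed["hmac"] = mac.hexdigest()
    return path + "?" + urlencode(sorted(signed.items()))

def parse_signed_url(url):
    """Split a signed URL into (path, query params) as the server would see them."""
    parts = urlsplit(url)
    return parts.path, dict(parse_qsl(parts.query))

def verify_request(method, path, params, now=None, max_skew=300):
    """Server side: look up the secret by publickey, rebuild the HMAC, compare in constant time."""
    params = dict(params)
    mac = params.pop("hmac", None)
    secret = SECRETS.get(params.get("publickey"))
    if mac is None or secret is None:
        return False
    # Reject stale requests so a captured URL cannot be replayed indefinitely.
    now = int(time.time()) if now is None else now
    try:
        if abs(now - int(params.get("ts", ""))) > max_skew:
            return False
    except ValueError:
        return False
    expected = hmac.new(secret, canonical_string(method, path, params).encode(), hashlib.sha256)
    return hmac.compare_digest(expected.hexdigest().encode(), mac.encode())
```

Anything the signature does not cover (here: the body, and any header) can be altered without the check noticing, so the canonical string must include every part of the request the server acts on.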

Answer


I think you need to provide more details about your application and how it will be used. There are many ways you can do REST authentication. Some of them are standard, some not. These are just some examples:

  1. Basic authentication over SSL
  2. Digest authentication
  3. Various kinds of token authentication (OAuth 2, SPNEGO, various STS)
  4. HMAC
  5. Client SSL Certificates
  6. Signed/encrypted cookies.


In the case of Amazon S3, they give you an "AWS secret access key" when you register. Later your application code needs to know the secret key to be able to compute signatures (or it needs to know the signed request/url). So ultimately the "secret access key" is transmitted over the wire at least once, initially during registration.


If you use public key cryptography (like client SSL certificates), you can avoid transmitting the private key altogether:

  1. Generate a public/private key pair on the client
  2. Submit the public key to the server (or have the certificate signed by a trusted authority)
  3. Sign requests (or a nonce) with the private key, and the server verifies the signature using the public key.


If your goal is just to authenticate AJAX requests made to your site after the user has authenticated on the login page, you can simply use server-signed cookies.
