如何通过更多的数据,以宁静的API基本身份验证 [英] How to pass additional data to restful API Basic authentication
问题描述
我开发了一个项目,我的第一个宁静的API。
I am developing my first restful API for a project.
我的理解,并已得到了基本身份验证才能正常工作,使用格式基本用户名:密码其中用户名:密码为Base64编码的连接codeD
I understand and have gotten the basic authentication to work properly, using the format Basic username:password where username:password is Base64 encoded.
目前,我们在密码字段传递了用户名字段中输入用户的电子邮件地址和密码。
Currently, we pass a user's email address in the 'username' field and their password in the 'password' field.
的问题是,在电子邮件地址不在该应用程序是唯一的。它是应用程序中的每个组织是唯一的。
The problem is that the email address is not unique in the application. It is unique per Organisation within the application.
因此,为了使用户登录成功,我们需要另一个值传递给这表明组织是什么样的API(的想法是继续沿着这条将用于查找组织一键通)
So in order to log the user in successfully, we need to pass another value to the API which indicates what the organisation is (the idea would be to pass along a key that would be used to look up the organisation)
我的问题是,基本的身份验证过程中只允许你传递两个值(用户名,密码),而我需要通过三种。有没有一种方法更多的数据传递到基本的认证过程?或者我必须使用一些其他类型的身份验证,以实现这一目标?
My issue is that the basic authentication process only allows you to pass two values (username,password), whereas I need to pass three. Is there a way to pass more data to the basic authentication process? Or do I have to use some other type of authentication to achieve this?
我的想法是修改基本身份验证,以便它有三个值,例如:用户名:密码:orgkey
我不知道这是否是允许或违背了协议的基本身份验证,但?
My idea was to modify the basic authentication so that it takes three values, for example: username:password:orgkey I don't know if that is allowed or goes against the protocol for basic authentication though?
虽然这个问题确实是独立的语言,因为我使用ColdFusion和塔菲插件的记录。
Although this question really is language independent, for the record I am using Coldfusion and the Taffy plugin.
任何指导,将AP preciated。
Any guidance would be appreciated.
感谢
推荐答案
基本身份验证不是为保护Web API的一个很好的协议,我试着在我的答案的这里和这里。
Basic authentication is not a good protocol for securing web APIs as I tried to explain in my answers here and here.
这没关系,以支持它的东西像自动化测试等,但我不会在生产中使用它。你将有一个很难保持的密码保密既不的JavaScript也不移动客户端可以信任保守秘密。
It's okay to support it for things like test automation etc, but I would not use it in production. You will have a hard time keeping the password secret as neither JavaScript nor mobile clients can be trusted to keep secrets.
这我不清楚为什么电子邮件地址不跨组织的唯一。你是不是以后发送部分at符号(@)?
It's not clear to me why email addresses are not unique across organizations. Are you not sending the part after the at-sign ('@')?
您不能在基本的身份验证凭据领域引入另一个领域。据 RFC7235 ,证书字段只能包含:
You cannot introduce another field in the basic authentication credentials field. According to RFC7235, the credentials field can only contain:
credentials = auth-scheme [ 1*SP ( token68 / #auth-param ) ]
我要寻找到一个安全令牌基于身份验证方案如使用 JWT令牌。
这篇关于如何通过更多的数据,以宁静的API基本身份验证的文章就介绍到这了,希望我们推荐的答案对大家有所帮助,也希望大家多多支持IT屋!
