How do I implement authentication the restful way?


Question


I'm building a picture diary web application on Google App Engine using Python. Users can sign up and post pictures to their diary.


Also, I'm trying to conform as much as I can to the REST architecture of doing things.


The authentication scheme is based like this for the web application:
1. Post username/password from the frontend
2. Backend sets up a cookie if authentication is successful
3. The rest of the AJAX calls made are authenticated using this cookie.


Is there any way to conform to REST without using cookies ?


Now, I'm also building an android application where users can sign in and post/view their picture diary. I need to expose the data from web application's datastore so I'll be building a webservice to fetch data from the datastore.


The authentication scheme for the android client:
OPTION a
1. Post username/password over https to the web service
2. Web service returns a unique authorization token (store the token in the username/pwd table on the datastore)
3. Request subsequent services by adding this token to the Request Header of the request
4. Server maps the token to the username/pwd table and returns data if token is found
5. Authorization token expires after a certain period of time


OPTION b
1. Set up a secret key on the client and server side
2. Use "username:hash of password and secret key" in the authorization header of every request
3. Server generates the password by extracting the password from the hash value using the same hash algorithm; if successful, returns data
btw, I didn't wanna use basic authorization because of its security vulnerabilities.

Which one is better?


Are there other significantly better ways to accomplish what I'm trying to do ? Security is quite a concern for me btw.
I'd appreciate if anyone has any insight into this issue. thanks.


I've been doing some research myself as to what would be the best solution. I think the 2-legged oauth might work in my case as Leonm suggested.
In this case the server has to provide the client with a consumer key/secret which in my case is hardcoded in the app.


The steps now would be:
1. Generate a signature using the oauth_parameters(consumer_key, signature_method, timestamp), request url, request parameters, and the SECRET.
2. Include the signature, oauth parameters when making a request.
3. Server verifies the request by generating the signature again except in this case it uses the SECRET that corresponds to the key


I think this way I am pretty much conforming to the REST principles. The server is stateless, as far as I understand now.


What are the pros/cons on doing things this way?
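The signing scheme sketched in the three steps above (signature over the oauth parameters, URL and request parameters with a shared secret; server recomputes it with the secret that belongs to the consumer key) is shown here as an added Python example. It is not code from the question or from any OAuth library; the consumer key, secret, URL and the 300-second clock-skew window are constructed for the demonstration, and HMAC-SHA256 is used in place of the HMAC-SHA1 that classic OAuth 1.0 specifies.

```python
import hashlib
import hmac
import time
from urllib.parse import quote

# Constructed sample credentials. The consumer key identifies the client;
# the secret is shared out-of-band and is never sent on the wire.
CONSUMER_SECRETS = {"diary-android-client": "constructed-secret-do-not-reuse"}
MAX_CLOCK_SKEW = 300  # seconds a request timestamp may deviate from server time


def canonical_string(method, url, params):
    """Build the exact byte string the signature covers: the HTTP method,
    the request URL, and all parameters (oauth_* ones included) sorted and
    percent-encoded, so client and server serialize identically."""
    encoded = "&".join(
        f"{quote(k, safe='')}={quote(str(v), safe='')}"
        for k, v in sorted(params.items())
    )
    return "&".join(quote(p, safe="") for p in (method.upper(), url, encoded))


def sign(method, url, params, secret):
    """HMAC over the canonical string; the secret itself never leaves the host."""
    base = canonical_string(method, url, params)
    return hmac.new(secret.encode(), base.encode(), hashlib.sha256).hexdigest()


def client_sign_request(method, url, params, consumer_key, secret, now=None):
    """Client side (step 1 and 2): add the oauth parameters, then the signature
    computed over everything except the signature itself."""
    signed = dict(params)
    signed["oauth_consumer_key"] = consumer_key
    signed["oauth_signature_method"] = "HMAC-SHA256"
    signed["oauth_timestamp"] = str(int(now if now is not None else time.time()))
    signed["oauth_signature"] = sign(method, url, signed, secret)
    return signed


def server_verify_request(method, url, received, now=None):
    """Server side (step 3): look up the secret for the presented key, reject
    stale timestamps, recompute the signature over the same parameters and
    compare in constant time. No per-request state is kept."""
    received = dict(received)
    presented = received.pop("oauth_signature", None)
    secret = CONSUMER_SECRETS.get(received.get("oauth_consumer_key"))
    if presented is None or secret is None:
        return False
    try:
        ts = int(received.get("oauth_timestamp", ""))
    except ValueError:
        return False
    current = now if now is not None else time.time()
    if abs(current - ts) > MAX_CLOCK_SKEW:
        return False  # outside the replay window
    expected = sign(method, url, received, secret)
    return hmac.compare_digest(expected, presented)


if __name__ == "__main__":
    url = "https://example.invalid/diary/pictures"
    req = client_sign_request("GET", url, {"page": "1"},
                              "diary-android-client",
                              CONSUMER_SECRETS["diary-android-client"])
    print("valid:", server_verify_request("GET", url, req))
    req["page"] = "2"  # tampering with any signed parameter breaks the MAC
    print("tampered:", server_verify_request("GET", url, req))
```

The timestamp window only bounds how long a captured request can be replayed; a complete defence adds a per-request nonce that the server remembers for the length of the window, which is exactly the small amount of server-side state the stateless design tries to avoid. Note also that a secret hard-coded in a shipped app can be extracted by anyone who has the binary, so the consumer secret authenticates the app at best, not the user.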

Recommended answer


If "security is a concern" then I would say that you'd be a lot better off using open standards and a library to achieve what you want. The main reason for this is that if you do it yourself, you're very likely to forget something; these standards have had a lot of eyes looking at them, looking for holes.


Your options include (in increasing level of complexity):


Everything is encrypted, which makes it impossible to compress or look into; it increases the overhead somewhat, using more horsepower on the server, and perhaps more battery power on the client. Simple to implement, since it's well supported by libraries.


Unencrypted messages pass the wire, but the authentication is securely managed in the Authorization headers. See the wikipedia entry for more information.


See how Google is providing OAuth for installed applications. I believe it isn't what you're looking for, since you're not asking to share data between applications, just authenticating users.


If you want to roll your own, I suggest looking at e.g. how Google's (now deprecated?) ClientLogin used to work.



  1. Clients would GET a protected resource, and get a 401 with instructions to perform a GoogleLogin authentication, including a URI for where to perform the login itself
  2. Clients (knowing how to do this) POST a request in a specific manner to that URI
  3. The server responds with a specific response including a (long) token
  4. The client can now perform GET requests to the protected resource with that token.

Statelessness

You cite REST, which dictates that requests should not specifically depend on prior interaction: "... each request from client to server must contain all of the information necessary to understand the request, and cannot take advantage of any stored context on the server." (Fielding, http://www.ics.uci.edu/~fielding/pubs/dissertation/rest_arch_style.htm#sec_5_1_3) This means that a server shouldn't store conversational context (like an authentication token) in a table.


One way of fixing this is by using any of the token based approaches (where the server tells the client about a token it should use for future requests) where the token is not a random number, but a message to the server itself. To protect yourself from client tampering, it can be signed, and if you're afraid of clients looking at it, you can encrypt it.

Edit: Although I'm not certain, it seems unlikely that Google has a table of all authentication tokens ever issued; the length of their tokens suggests that the token is some encrypted message proving that whoever holds this token actually provided real credentials in some realm at some time.
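The stateless token the answer describes (a message to the server itself, signed so the client cannot tamper with it, and needing no lookup table) is shown here as an added Python example. It is not the answerer's code nor Google's ClientLogin format; the server signing key, the "diary" realm, the one-hour lifetime and the claim names are constructed for the demonstration, and the token is only signed (HMAC-SHA256), not encrypted, so its contents are readable by the client.

```python
import base64
import binascii
import hashlib
import hmac
import json
import time

# Constructed server-side signing key. In a deployment it is loaded from
# configuration, rotated, and never committed to source.
SERVER_KEY = b"constructed-server-signing-key-do-not-reuse"
TOKEN_LIFETIME = 3600  # seconds a token stays valid


def _b64(raw: bytes) -> str:
    """URL-safe base64 without padding, so the token is header-friendly."""
    return base64.urlsafe_b64encode(raw).rstrip(b"=").decode()


def _unb64(text: str) -> bytes:
    return base64.urlsafe_b64decode(text + "=" * (-len(text) % 4))


def issue_token(username, realm, now=None):
    """Server side, after the credentials were checked: the payload is the
    message, the MAC makes it tamper-evident, and nothing is stored."""
    now = int(now if now is not None else time.time())
    claims = {"sub": username, "realm": realm, "iat": now, "exp": now + TOKEN_LIFETIME}
    payload = json.dumps(claims, separators=(",", ":"), sort_keys=True).encode()
    mac = hmac.new(SERVER_KEY, payload, hashlib.sha256).digest()
    return _b64(payload) + "." + _b64(mac)


def verify_token(token, realm, now=None):
    """Return the username if the token is authentic, issued for this realm
    and not expired; otherwise None. Every request carries all the state
    the server needs, so no session table is consulted."""
    try:
        payload_b64, mac_b64 = token.split(".")
        payload = _unb64(payload_b64)
        mac = _unb64(mac_b64)
    except (ValueError, binascii.Error):
        return None
    # Authenticate first, parse second: untrusted bytes never reach the JSON parser.
    expected = hmac.new(SERVER_KEY, payload, hashlib.sha256).digest()
    if not hmac.compare_digest(expected, mac):
        return None
    claims = json.loads(payload)
    now = int(now if now is not None else time.time())
    if claims.get("realm") != realm or claims.get("exp", 0) <= now:
        return None
    return claims.get("sub")


if __name__ == "__main__":
    tok = issue_token("alice", "diary")
    print("token:", tok)
    print("verified as:", verify_token(tok, "diary"))
    print("wrong realm:", verify_token(tok, "other"))
```

The price of statelessness is that a token cannot be revoked before its expiry without reintroducing some server-side state (a short deny-list, or a per-user key version embedded in the claims); keep the lifetime short and pair it with HTTPS, since anyone who captures the token can present it. If the claims must stay private from the client, replace the bare MAC with an authenticated-encryption primitive rather than adding encryption on top of this scheme by hand.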
