
Two Factor Authentication with Basic Auth for REST API?

I am implementing a REST API that has both mobile application and browser-based clients and users. Based on questions I've asked and previous questions here and at security.stackexchange, I have come to the conclusion that to stay as "RESTful" as I can for as long as I can, HTTP Basic Auth over SSL is sufficient for Authentication. The problem is I'd also like to implement Two Factor Authentication along with it. Is it acceptable to add headers in the 401 Authorization header response, like username:password:token, or in a totally separate request header, but in the same payload as the basic auth response by the client? Since I'm using node.js + express/connect, I have access to the entire HTTP protocol stack, but want to remain as restful as possible for scalability reasons. On the browser side, I guess I could do the basic auth, and if it passes, ask for the TFA token, and only if it passes consider the user authenticated.

You can technically make up new authentication schemes to extend from HTTP Basic Auth, but they generally won't be supported by browsers. In your example, I don't believe any browser would be able to natively ask for and send username:password:token in the same way they can easily ask for username and password.

Generally two-factor authentication schemes work by putting the user into an intermediary state using some form of sessions, as you mentioned in your second example. A user who has passed the first factor, say username/password via Basic Auth, has a session opened but not marked as really logged in until they also pass the second factor, inputting a dongle code or something like that. Once both factors are passed, their session is marked as fully logged in and they can access their account/data/whatever.
