Flask login together with client authentication methods for RESTful service
Here is the situation:
We use Flask for website application development. Also, on the website server, we host a RESTful service. And we use Flask-login as the authentication tool, for BOTH the web application access and the RESTful service (accessing the RESTful service from browsers).
Later, we find that we need to, also, access the RESTful service from client calls (python), so NO session and cookies etc. This gives us a headache regarding the current authentication of the RESTful service.
On the web, there exist a whole bunch of ways to secure the RESTful service from client calls. But it seems there is no easy way for them to live together with our current Flask-login tool, such that we do not need to change our web application a lot.
So here is the question:
Is there an easy way (framework) so the RESTful services can support multiple authentication methods (protocols) at the same time? Is this even a good practice?
Many thanks!
So, you've officially bumped into one of the most difficult questions in modern web development (in my humble opinion): web authentication.
Here's the theory behind it (I'll answer your question in a moment).
When you're building complicated apps with more than a few users, particularly if you're building apps that have both a website AND an API service, you're always going to bump into authentication issues no matter what you're doing.
The ideal way to solve these problems is to have an independent auth service on your network. Some sort of internal API that EXCLUSIVELY handles user creation, editing, and deletion. There are a number of benefits to doing this:
Overall, authentication is really hard.
For the past two years I've been the CTO at OpenCNAM, and we had the same issue (a website and API service). For us to handle authentication properly, we ended up building an internal authentication service like described above, then using Flask-Login to handle authenticating users via the website, and a custom method to authenticate users via the API (just an HTTP call to our auth service).
This worked really well for us, and allowed us to scale from thousands of requests to billions (by isolating each component in our stack, and focusing on user auth as a separate service).
Now, I wouldn't recommend this for apps that are very simple, or apps that don't have many users, because it's more hassle than it's worth.
If you're looking for a third party solution, Stormpath looks pretty promising (just google it).
Anyhow, hope that helps! Good luck.
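As an added example (not code from the question or the answer), here is a framework-neutral version of the two-method check the answer describes: a browser session (what Flask-Login's `current_user` supplies) and a bearer token for cookie-less API clients, resolved by one function that a Flask view decorator can call. The token store `_AUTH_SERVICE_TOKENS` is a constructed stand-in for the answer's internal auth service; in a real deployment `lookup_token` would make the HTTP call to that service instead.

```python
import hashlib
from dataclasses import dataclass
from typing import Mapping, Optional

# Constructed stand-in for the internal auth service: SHA-256 of an API
# token -> user id. Storing only digests means a leaked table yields no
# usable tokens, and looking up the digest (not the token) avoids a
# secret-dependent string comparison.
_AUTH_SERVICE_TOKENS = {
    hashlib.sha256(b"example-token-for-alice").hexdigest(): "alice",
}


@dataclass(frozen=True)
class Identity:
    user_id: str
    method: str  # "session" (Flask-Login cookie) or "token" (API client)


def lookup_token(token: str) -> Optional[str]:
    """Resolve an API token to a user id, or None if unknown."""
    digest = hashlib.sha256(token.encode("utf-8")).hexdigest()
    return _AUTH_SERVICE_TOKENS.get(digest)


def authenticate(headers: Mapping[str, str],
                 session_user: Optional[str]) -> Optional[Identity]:
    """Accept either credential on the same endpoint.

    headers      - request headers (Flask: dict(request.headers))
    session_user - user id from the login session, or None
                   (Flask: current_user.get_id() if authenticated)

    An explicit Authorization header is checked first; if it is present
    but invalid the request is rejected outright rather than silently
    falling back to the session, so a bad token never succeeds by accident.
    """
    scheme, _, token = headers.get("Authorization", "").partition(" ")
    if scheme.lower() == "bearer":
        user = lookup_token(token.strip())
        return Identity(user, "token") if user else None
    if session_user:
        return Identity(session_user, "session")
    return None
```

A Flask view decorator would call `authenticate(dict(request.headers), current_user.get_id() if current_user.is_authenticated else None)` and return 401 on `None`, so the website keeps using Flask-Login unchanged while Python clients send a bearer token.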