实施OAuth到REST API
[英]Implementing OAuth to REST API
问题描述
I'm currently developing a RESTful API in PHP an I'd like to implement some user authentication to it. 
我目前正在用PHP开发RESTful API,我想对其进行一些用户身份验证。 I have read through some literatures and the most efficient/secure way to allow authentication through rest api seems to be the use of the access tokens via the oauth protocol. 我已经阅读了一些文献,并且允许通过rest api进行身份验证的最有效/安全的方法似乎是通过oauth协议使用访问令牌。
I have understood the way the protocol works but I don't understand how to implement it to our api & database when the user has got his access token. 我已经了解了协议的工作方式,但是当用户获得访问令牌时,我不了解如何将其实现到我们的api和数据库。 The documentation about it is very unclear/nearly non-existent... 关于它的文档非常不清楚/几乎不存在...
My idea was basically to save this access_token in my "users" MySQL table. 我的想法基本上是将此access_token保存在“用户” MySQL表中。 That way we could verify if the user exists and has the appropriate permissions during each requests on the API. 这样,我们可以在API的每次请求期间验证用户是否存在并具有适当的权限。
However I'm not sure it is the most proper way to do that. 但是我不确定这是最合适的方法。 Is it safe enough? 它足够安全吗? How would you personally proceed to deal with that? 您个人将如何处理?
1 个解决方案
解决方案1
1 2013-12-06 15:56:08
As this access token is like a temporary password, you can indeed store it in your table. 由于此访问令牌就像一个临时密码,因此您确实可以将其存储在表中。
But as with storing passwords, you might want to hash and salt the token (depending on how relatively easy your tokens can be guessed). 但是,与存储密码一样,您可能希望对令牌进行哈希处理和加盐处理(取决于可以相对容易地猜测出令牌)。 See the why's and how's here: Secure hash and salt for PHP passwords 在这里查看原因和方式: PHP密码的安全哈希和盐
声明:本站的技术帖子网页,遵循CC BY-SA 4.0协议,如果您需要转载,请注明本站网址或者原文地址。任何问题请咨询:yoyou2525@163.com.