内部Rest API中的oAuth用户身份验证
[英]oAuth user authentication in internal rest API
问题描述
I am building a REST API service that will not be public and only used by the client to access the resources on the server. 
我正在构建一个REST API服务,该服务将是不公开的,仅由客户端用来访问服务器上的资源。 There is no authorization of different consumers as the only consumer is the server. 没有不同使用者的授权,因为唯一的使用者就是服务器。
I understand that 3 legged oAuth is the standard used by public API's like facebooks and I think I'm correct in assuming I am after 2 legged authentication but I cannot find a useful website describing it. 我知道3腿式oAuth是诸如facebook之类的公共API所使用的标准,我认为我是经过2腿式身份验证之后是正确的,但是我找不到描述它的有用的网站。
I need to use oAuth to access resources and/or change them. 我需要使用oAuth来访问资源和/或更改它们。 Obviously this should be protected. 显然,这应该受到保护。 But I am unsure as to how about doing this within PHP. 但是我不确定如何在PHP中执行此操作。 So if a user requests something like https://example.com/me/follow/123 by a post request the user 123 would only be followed if the user is logged. 因此,如果用户通过发帖请求请求https://example.com/me/follow/123之类的内容 ,则只有在用户登录后才跟随用户123。
I would also like public resources to only be accessed by a recognized client only. 我还希望仅由公认的客户端访问公共资源。 So if you access https://example.com/user/123 a 401 is given but if you access https://example.com/user/123?client_id=890 a result is given. 因此,如果您访问https://example.com/user/123,则会显示401,但如果您访问https://example.com/user/123?client_id=890,则会显示结果。 This will not stop users who are not logged in getting public resources but will stop users who are not using a recognised client. 这不会阻止未登录的用户获取公共资源,但是会阻止未使用公认客户端的用户。 More than a anythinging this is a way for me to track what clients are using the API in the future. 不仅如此,这还是我跟踪未来客户端使用API的一种方式。
1) How do you go about logins and give the users a token that is sent with every API request? 1)如何进行登录并为用户提供随每个API请求一起发送的令牌?
2) How do I protect the API from being used by unrecognized clients? 2)如何保护API避免被无法识别的客户端使用?
I am sorry if any of my terminology or ideas are incorrect. 如果我的任何术语或想法不正确,我感到抱歉。 My understanding of REST and oAuth is still very much developing. 我对REST和oAuth的理解仍在不断发展。
2 个解决方案
解决方案1
1 2014-04-17 15:37:32
您必须使用grant types=client credentials在OAuth标准点4.4中进行检查http://tools.ietf.org/html/draft-ietf-oauth-v2-31#section-4.4
解决方案2
0 2014-04-17 17:12:51
I agree that cleint_credentials grand is the most secure and standard way of app level authentication -- your client sends a request for an access token to a specific resource and includes their client_id and client_secret in the Basic Auth header like this: 我同意cleint_credentials grand是应用程序级别身份验证的最安全和最标准的方式-您的客户端向特定资源发送访问令牌请求,并在Basic Auth标头中包括其client_id和client_secret,如下所示:
Authorization: Basic {base64 encode client_id:client_secret}
Then all subsequent requests use the access token as a Bearer token like this 然后,所有后续请求都将访问令牌用作此类的承载令牌
Authorization: Bearer {access_token}
However... if this is a purely internal API and you don't need super security, it is also acceptable to simply validate the client_id (or apikey) on every single call. 但是...如果这是一个纯粹的内部API,并且您不需要超级安全性,那么在每个调用中只需验证client_id(或apikey)也是可以接受的。 It means your API will need to look up (or cache) the validity of the apikey. 这意味着您的API将需要查找(或缓存)apikey的有效性。
I suggest you send the apikey as a header for security so it isn't exposed on the query params, but it is also acceptable to send the apikey as a queryparam like 我建议您将apikey作为报头发送,以确保安全性,这样它就不会在查询参数中公开,但是也可以将apikey作为queryparam发送,例如
/myresource?apikey={client_id}
Not recommended from a security standpoint, but accepted practice in the API world. 从安全角度考虑,不推荐使用此方法,但API界普遍接受这种做法。
声明:本站的技术帖子网页,遵循CC BY-SA 4.0协议,如果您需要转载,请注明本站网址或者原文地址。任何问题请咨询:yoyou2525@163.com.