
Do I need OAuth2 for my web app's API?

I am trying to wrap my brain around building an express.js / node.js based REST API. I have a couple of questions...

  1. Do I NEED token-based / OAuth 1 or 2 security for my API if I'm only concerned about a web application right now (not necessarily phone apps)?

  2. Are there any resources to learn how to build this from scratch? I've read literally the first 3 pages of googling "rest api with oauth2 authentication express.js" and I'm still not grasping it.

It's good that you want to do a REST API in Node. It's really good at building API-based requests.

For your question:

1) If you are building just a basic API, with simple GET and POST requests, then you might want to ask yourself if the data that you are displaying or manipulating requires "security". If not, then most likely you don't need to implement OAuth.

But if your data is sensitive, such as private user data, then you need to put some sort of security layer on your API. Also, using OAuth or other token-based security can help you build better permission checking across your user base.

2) You first need to grasp the concept of OAuth. Once you have the idea of how OAuth works, then it's really easy to implement in your chosen language. Here are some good reads on how you can understand OAuth better:

http://www.slideshare.net/MindfireSolutions/oauth-and-rest?qid=09a7d224-78bb-4b47-8957-3f0a0ce809a4&v=qf1&b=&from_search=3

For more detailed info about OAuth: http://tools.ietf.org/html/rfc6749

Again, once you understand the workflow of OAuth, you can implement it easily. :P

  1. It does not depend on whether you use your REST server for web applications or for any other clients. If the service is available on the internet, you should consider any client application as an "enemy". I mean you should not rely on any "trusted" client app; you should always perform authentication if the client gets a secured resource. Whether the resource is secured depends on your app. I prefer to use OAuth2 in both cases. If the resource is not secured, I use Client Credentials ( http://tools.ietf.org/html/rfc6749#section-1.3.4 ); if it's secured, I use an Access Token ( http://tools.ietf.org/html/rfc6749#section-1.4 ). It allows you to keep to the same tech and easily change things in the future, if needed. Based on my personal experience, I created the module oauthifizer ( https://github.com/vedi/oauthifizer ). It's actually a wrapper around passport.js, which makes it more friendly in those particular cases.

  2. You can have a look at this article: http://aleksandrov.ws/2013/09/12/restful-api-with-nodejs-plus-mongodb/ . Again, you can consider trying restifizer ( https://github.com/vedi/restifizer ), another module, which allows you to create RESTful services significantly faster. And there is a short example for it: https://github.com/vedi/restifizer-example

Hope it will help.
