
How do I restrict access to my REST API to only authorized clients?

Question

I'm designing a REST API that is going to be used for iOS and Android apps, and possibly web and other mobile clients in the future.

How do I restrict my entire API to only the clients (apps) that I want to have access? I want to prevent 3rd parties from accessing my API to register users or even login without going through an authorized application (mobile or web client).

Current Ideas

I could give each client that I want to have authorization a secret key, but how do I prevent this key from being extracted from my application's source code (especially easy if my app was a web app)? Also, if the key needs to be changed in the future (due to a compromise) this would be difficult, as all my clients would need to be updated, and old clients would fail to function. There has to be a better solution.

I'm using JWT for user authentication, but I fail to see how I can apply this to my problem. I really like how easily JWTs are implemented, so it would be great if I could apply a JWT implementation to solve this problem.

When you embed an access key in the client you basically accept that it is exposed. Current technology like ProGuard and SSL may secure it, but it doesn't prevent bad people from abusing it in a legitimate way (i.e. through the app). As a matter of fact this still holds true in the case of user validation being required. So preventing abuse is just one half of the security paradigm. The other half is identifying the abuser.

That said, you cannot hope to do more in preventing that access key being hacked. What you can do, however, is layer it again under an authority you control from your server. One way I am aware of is a token mechanism. A user sends a request with the access key and his device parameters. Once it is validated you return him a token with an expiration time. With this token he can then access your resources. This method gives two benefits:

  1. The user is still identified by his device parameters. Depending on this information and the frequency of his access, you can decide whether he is an abuser or not. The token itself expires after a certain duration, so if he is, then you can just refuse him the next token.

  2. You won't need to update your access key.

Actually this mechanism would be similar to the Amazon Token Vending Machine, which was replaced by the service Amazon Cognito.
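The token mechanism the answer describes, as an added example that is not part of the original answer: the server validates the app's access key plus its device parameters, caps how often one device may obtain a token (so a suspected abuser is simply refused the next one), and issues an HMAC-signed token with an expiry that it later verifies. The app key, signing secret, TTL and per-hour cap are constructed sample values.

```python
import base64, hashlib, hmac, json, time

# Constructed sample values: one registered app's access key and a server-only signing secret.
APP_KEYS = {"ios-app-v1": "app-key-ios-SAMPLE"}
SIGNING_SECRET = b"server-only-signing-secret-SAMPLE"
TOKEN_TTL = 900           # seconds a token stays valid
MAX_TOKENS_PER_HOUR = 20  # issuance cap per device; past this the next token is refused

_issuance_log = {}  # device id -> timestamps of issued tokens (in-memory for the example)

def _b64(data: bytes) -> str:
    return base64.urlsafe_b64encode(data).rstrip(b"=").decode()

def _unb64(s: str) -> bytes:
    return base64.urlsafe_b64decode(s + "=" * (-len(s) % 4))

def device_id(device_params: dict) -> str:
    # Stable identifier derived from the device parameters sent along with the app key.
    canonical = json.dumps(device_params, sort_keys=True).encode()
    return hashlib.sha256(canonical).hexdigest()[:16]

def issue_token(app_id, app_key, device_params, now=None):
    """Validate app key and device, apply the issuance cap, return a signed expiring token or None."""
    now = int(now if now is not None else time.time())
    expected = APP_KEYS.get(app_id)
    if expected is None or not hmac.compare_digest(expected, app_key):
        return None                                   # unknown app or wrong access key
    dev = device_id(device_params)
    recent = [t for t in _issuance_log.get(dev, []) if now - t < 3600]
    if len(recent) >= MAX_TOKENS_PER_HOUR:
        return None                                   # looks like abuse: refuse the next token
    _issuance_log[dev] = recent + [now]
    payload = {"app": app_id, "dev": dev, "iat": now, "exp": now + TOKEN_TTL}
    body = _b64(json.dumps(payload, sort_keys=True).encode())
    sig = _b64(hmac.new(SIGNING_SECRET, body.encode(), hashlib.sha256).digest())
    return f"{body}.{sig}"

def verify_token(token, now=None):
    """Return the payload if the signature is valid and the token has not expired, else None."""
    now = int(now if now is not None else time.time())
    try:
        body, sig = token.split(".")
    except ValueError:
        return None
    good = _b64(hmac.new(SIGNING_SECRET, body.encode(), hashlib.sha256).digest())
    if not hmac.compare_digest(good, sig):
        return None                                   # tampered or forged token
    payload = json.loads(_unb64(body))
    return payload if payload["exp"] > now else None  # expired tokens are rejected
```

Resource endpoints call `verify_token` on every request; the issuance log is where device-based abuse decisions (frequency, suspicious parameters) are made before handing out the next token.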
