[英]How to secure Web API for android/ios apps with basic authentication
I am trying to secure a Web API
which will be used by a mobile app running on Android
and iOS
. 我正在尝试保护一个Web API
,该Web API
将由在Android
和iOS
上运行的移动应用程序使用。 The way it works now is with Basic Authentication
with SSL
, it sends the username
and password
with each request to the Web API
. 它现在的工作方式是使用SSL
进行Basic Authentication
,它会将每个请求的username
和password
发送到Web API
。 I validate the credentials in the Web API
in a filter
before the action
is called. 在调用action
之前,我在filter
验证Web API
中的凭据。 This works great. 这非常有效。 The problem is, after users login I have to store the password on the device ( Android
/ iOS
) to save the session or they will have to login all the time. 问题是,在用户登录后,我必须将密码存储在设备( Android
/ iOS
)上以保存会话,否则他们将不得不一直登录。 This isn't secure because if the device is hacked the credentials can be accessed. 这不安全,因为如果设备被黑客入侵,则可以访问凭证。 I'm looking for a way to user basic authentication without storing passwords on the device. 我正在寻找一种方法来使用基本身份验证,而无需在设备上存储密码。
I think the solution in this article can work but I am unclear how to make it work. 我认为在解决这个文章可以工作,但我不清楚如何使它发挥作用。 In the accepted answer it says 在接受的答案中,它说
Generate a key for each of your apps and have them pass the key in each request as a token. 为每个应用生成一个密钥,让他们将每个请求中的密钥作为令牌传递。 Your server can then verify the key and authenticate the request. 然后,您的服务器可以验证密钥并验证请求。
Take a look at the Basic Authentication module from the ASP.NET site. 请查看ASP.NET站点中的“ 基本身份验证”模块。 The sample uses 'basic' as the authorization scheme but you can change it use 'token' instead. 该示例使用'basic'作为授权方案,但您可以使用'token'来改变它。
I am not clear exactly on the process here. 我不清楚这里的过程。 In this example there doesn't seem to be any username/password involved even during initial login. 在此示例中,即使在初始登录期间也似乎没有涉及任何用户名/密码。 How would the user obtain the key without logging in? 用户如何在不登录的情况下获取密钥? Then, what exactly is the "key" referred to in the quote. 然后,报价中提到的“关键”究竟是什么。 That could be anything such as a Guid
? 那可能是像Guid
这样的东西? I am also not understanding how this is anymore secure than storing a username and password on the device if is hacked. 我也不理解这比如果被黑客攻击在设备上存储用户名和密码更安全。 The hacker could use the "key" just as the username and password correct? 黑客可以使用“密钥”,就像用户名和密码一样正确吗?
that's basics of authentication, I'll explain the process in a simplfied way. 这是身份验证的基础知识,我将以简单的方式解释这个过程。 Hope you understand. 希望你能理解。
Do all of this using encryption. 使用加密完成所有这些操作。 Everything! 一切!
声明:本站的技术帖子网页,遵循CC BY-SA 4.0协议,如果您需要转载,请注明本站网址或者原文地址。任何问题请咨询:yoyou2525@163.com.