简体繁体 English

如何在产品环境中保护我的GO REST服务？

[英]How can I protect my GO REST services in product environment?

原文 2015-09-06 06:28:25 5 3 node.js/ web-services/ rest/ go/ oauth-2.0

I'm recently dealing with Go REST services, but I don't know if there any production-ready OAUTH2 server available? 我最近正在处理Go REST服务，但是我不知道是否有任何可用于生产的OAUTH2服务器？

As my services will be consumed by a single-paged web app as well as mobile clients, and users should be able to register their accounts, so I'm thinking about an OAUTH2 server. 因为我的服务将由单页Web应用程序和移动客户端使用，并且用户应该能够注册其帐户，所以我正在考虑使用OAUTH2服务器。

I've been searching around and found that the standard package contains only the client side code https://github.com/golang/oauth2/blob/master/oauth2.go . 我一直在搜索，发现标准软件包仅包含客户端代码https://github.com/golang/oauth2/blob/master/oauth2.go 。

There is an OAUTH2 server built in Go ( https://github.com/RangelReale/osin ), but I don't have much expertise to review it. Go内置了一个OAUTH2服务器（ https://github.com/RangelReale/osin ），但是我没有很多专业知识可以对其进行审查。

Therefore, what are the options available for production applications? 因此，生产应用程序有哪些可用选项？ Should I use an OAUTH server implemented in another technology like nodejs because of their maturity? 由于其成熟度，我是否应该使用以其他技术（如nodejs）实现的OAUTH服务器？

EDIT: In .Net space there is a server implementation at https://github.com/identityserver/IdentityServer3 编辑：在.Net空间中，在https://github.com/identityserver/IdentityServer3有一个服务器实现

However, I would prefer something in GO. 但是，我更喜欢GO中的某些功能。

3 个解决方案

Though Oauth2 is very secure and a great implementation. 虽然Oauth2是非常安全的并且是一个很好的实现。

A common procedure used to secure web applications is as follows. 用于保护Web应用程序安全的常见过程如下。

User registers to application and sends registration data to backend. 用户注册到应用程序并将注册数据发送到后端。 Server handles registration information. 服务器处理注册信息。 Store hashed user password for future token requests and other such requests Create access token to be passed back to user(usually 32-64 bit) hash access token and store it in database for authentication of restful requests Send user back any data required as well as access token. 存储哈希的用户密码以用于将来的令牌请求和其他此类请求创建访问令牌以传递回用户（通常为32-64位）哈希访问令牌，并将其存储在数据库中以对静态请求进行身份验证将用户返回的所有所需数据以及访问令牌。 Store access token on client machine(Possibly using localstorage.set() ) Future requests will have the access token attached to them for authentication. 将访问令牌存储在客户端计算机上（可能使用localstorage.set（）），将来的请求将附加访问令牌以进行身份验证。

Always check that the access token is still access and that it's hash matches the hashed value in the database. 始终检查访问令牌是否仍在访问，并且其哈希与数据库中的哈希值匹配。

Other implementations involve JWT's and so on. 其他实现涉及JWT等。

If you do not have enough expertise in reviewing OAuth 2.0 library, then I would recommend to use reliable third party Oauth-as-a-service provider. 如果您在审查OAuth 2.0库方面没有足够的专业知识，那么我建议您使用可靠的第三方Oauth即服务提供商。

One example I know is Microsoft Azure ACS, which you can integrate with your golang application, and they will handle OAuth process as well as authentication and authorisation for you. 我知道的一个示例是Microsoft Azure ACS，您可以将其与golang应用程序集成，它们将为您处理OAuth流程以及身份验证和授权。

You can read about how it works here . 您可以在此处了解其工作原理。

在我问了这个问题之后，CoreOS在https://github.com/coreos/dex上发布了“ dex”作为开源OpenID提供程序。