
User authentication methods for REST API project

My web server has a REST API. I need to add user authentication to my app, and my thought process behind it is this:

  1. Get the user's username and password from the app form
  2. Encrypt the password and Base64 encode both the username and password
  3. Send the data to the REST API over HTTPS
  4. Web server verifies credentials, returns errors or success

Is this secure? I see a lot of mentions of OAuth2. What is it? What does it do better than my process?

The fact that you used the word "encrypt" for the user's password instead of "hash" demonstrates you have fairly limited knowledge about this. This will almost certainly result in you messing up your authentication procedures somewhere along the line and put your users' private information at risk.

A really important point about OAuth2 is that it can be used with many existing third-party providers (Google, Facebook, Twitter, etc.) with minimal effort from you.

You don't need to do anything to store credentials or even authenticate users. The third party takes care of all of this and simply provides the client with a token (long random string) which is then passed to your server. Your server then talks to the third-party server to make sure the token is valid (and gain any info you need, like the user's name, email address or other information).

You really should consider using it if you can. The big companies put a lot of effort into securing their authentication methods and you gain all of that by making use of it.

A final nice point is that users don't need to create and remember credentials for (yet) another account.

Google has some docs to get you started and includes an OAuth playground to test how it works in practice.

A very basic explanation of OAuth2 is that the user will log into your system, with it encrypting both username and password before sending it, then if it gets authenticated, it will send back a token to the user.

Thereafter, whenever the user tries to contact the web server, it will send this token along with each API call. This is how it makes sure that non-authenticated people can't access your web server.

So basically your current method includes parts of the OAuth2 standard, but not the most important part (the token).

In your situation, how would you stop non-authenticated people from accessing your web server? If the project is small, then the risk of this is not that large. But for larger companies, this is a real threat that needs to be dealt with.

You should really try to understand the difference between encryption and hashing before providing an authentication portal for your users. There are many different hashing algorithms you can use. I've personally used BCrypt in the past and I have a related SO Question about it as well. You can find implementations of pretty much all the popular algorithms in pretty much all the major high-level languages these days.

Obviously, if you don't want to do all that, you can use an OAuth provider, who will take care of all the hard bits like storing the passwords securely, protecting the database and all the other security aspects for you. There are many reliable OAuth providers: Google, Facebook, Yahoo, etc.

One thing to bear in mind would be the environment in which your app is hosted. OAuth does depend on having a connection available to the OAuth provider's servers every time a user wants to access your app. So, if you are behind a corporate firewall or similar which may block access to websites like Facebook, this might be a big problem.

I personally prefer token-based authentication for my API projects. If you're not familiar with token-based authentication you can read this SO Question and this link.

The general concept behind a token-based authentication system is simple. Allow users to enter their username and password in order to obtain a token which allows them to fetch a specific resource, without using their username and password. Once their token has been obtained, the user can offer the token, which offers access to a specific resource for a time period, to the remote site.
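As an added example (not code from the question or from any of the answers above), the following Python sketch puts the two points the answers make side by side: passwords are stored as salted hashes rather than "encrypted", and a successful login hands back a long random token with an expiry that the client presents on every later API call instead of its credentials. It substitutes PBKDF2-HMAC from the standard library for the BCrypt named in the answer so that it runs without third-party packages; the in-memory user and token stores, the iteration count, the token lifetime and the `get_profile` endpoint are all constructed for the example.

```python
import hashlib
import hmac
import os
import secrets
import time
from typing import Dict, Optional, Tuple

# ---- Password storage: hash with a per-user salt, never encrypt ---------------
# BCrypt is the algorithm named in the answer; PBKDF2-HMAC-SHA256 from the
# standard library stands in for it here. The iteration count is an assumed value.
PBKDF2_ITERATIONS = 200_000


def hash_password(password: str) -> Dict[str, bytes]:
    """Return a fresh random salt and the hash derived from it (constructed record format)."""
    salt = os.urandom(16)
    digest = hashlib.pbkdf2_hmac("sha256", password.encode(), salt, PBKDF2_ITERATIONS)
    return {"salt": salt, "hash": digest}


def verify_password(password: str, record: Dict[str, bytes]) -> bool:
    """Re-derive the hash with the stored salt and compare in constant time."""
    candidate = hashlib.pbkdf2_hmac("sha256", password.encode(), record["salt"], PBKDF2_ITERATIONS)
    return hmac.compare_digest(candidate, record["hash"])


# ---- In-memory stores, constructed for the example (a real server uses a database) ---
USERS: Dict[str, Dict[str, bytes]] = {}
TOKENS: Dict[str, dict] = {}   # token -> {"user": name, "expires": epoch seconds}
TOKEN_TTL_SECONDS = 3600       # assumed token lifetime


def register(username: str, password: str) -> None:
    """Store only the salted hash; the plaintext password is never kept."""
    USERS[username] = hash_password(password)


def login(username: str, password: str) -> Optional[str]:
    """Step 4 of the question: verify credentials; on success issue a bearer token."""
    record = USERS.get(username)
    if record is None:
        # Run a hash anyway so an unknown user is not distinguishable by response time.
        hash_password(password)
        return None
    if not verify_password(password, record):
        return None
    token = secrets.token_urlsafe(32)   # the "long random string" the answers describe
    TOKENS[token] = {"user": username, "expires": time.time() + TOKEN_TTL_SECONDS}
    return token


def authenticate_request(headers: Dict[str, str], now: Optional[float] = None) -> Optional[str]:
    """Map a request's Authorization header to a username, or None if it is rejected."""
    now = time.time() if now is None else now
    scheme, _, token = headers.get("Authorization", "").partition(" ")
    if scheme != "Bearer" or not token:
        return None
    entry = TOKENS.get(token)
    if entry is None:
        return None
    if entry["expires"] < now:
        TOKENS.pop(token, None)      # expired tokens are revoked on first use
        return None
    return entry["user"]


def get_profile(headers: Dict[str, str]) -> Tuple[int, str]:
    """A protected REST endpoint: 200 with the caller's name, or 401 without a valid token."""
    user = authenticate_request(headers)
    if user is None:
        return 401, "Unauthorized"
    return 200, "profile of " + user


if __name__ == "__main__":
    register("alice", "correct horse battery staple")
    assert login("alice", "wrong password") is None
    token = login("alice", "correct horse battery staple")
    print(get_profile({"Authorization": "Bearer " + token}))
    print(get_profile({"Authorization": "Bearer not-a-real-token"}))
```

Because the client only ever sends the token after login, a leaked request log exposes a revocable, time-limited secret rather than the password itself, which is the property the token-based answers are pointing at; Base64 encoding, as in step 2 of the question, adds nothing to this because it is reversible by anyone.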
