
Authentication on a simple PHP RESTful API service

I have developed a very simple PHP API based on the PHP Slim Framework. It does nothing more than run some SQL queries and return a JSON object whenever I call it. I am accessing this API from another website through cURL.

My question is: since the URL of the API is basically public now, what is the best way of securing it? My first thought was HTTP Basic Auth, which would be easy and which I could pass through the HTTP headers. However, I think it's not really safe as long as there is no HTTPS connection (since the website would literally pass username+password over to the API in plain text). Also, I would have to store the credentials in PHP code on my website, which I think is not really optimal.

The next solution I've found is token-based authentication, which would have the advantage of not having to authorize on each request but might be trickier to implement. Also, I have no experience with that yet whatsoever.

I also read that OAuth/OAuth2 is the way to go.

The thing is: I am planning to use the same API in a mobile application soon.

Any hints? Thanks!

You could use WS-Security which, even though it was designed for SOAP APIs, works quite well with REST APIs as well. It is basically token-based authentication, with a temporary token and a nonce file on the server side.

There are some libraries that implement this in PHP, if you're looking for examples, for instance a Symfony2 bundle.

WS-Security is the middle ground between HTTP Basic Auth, which is insecure without HTTPS, and OAuth, which might be more complicated to implement.
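As an added example (not code from the answer above or from any library it mentions), here is what the "temporary token plus nonce" scheme described in that answer looks like when written directly in PHP, following the WSSE UsernameToken header format that is commonly used to carry WS-Security UsernameToken credentials over plain HTTP. The client sends a fresh random nonce, a creation timestamp and a digest of nonce, timestamp and shared secret; the server rejects stale timestamps, replayed nonces and wrong digests. The user table, the nonce file path and the five-minute window are assumptions made for the demo.

```php
<?php
// Added example, not from the original post: WS-Security style UsernameToken
// authentication over HTTP, using the WSSE header format:
//   X-WSSE: UsernameToken Username="..", PasswordDigest="..", Nonce="..", Created=".."
//   PasswordDigest = Base64( SHA1( nonce_bytes . created . shared_secret ) )
// The server keeps the nonces it has accepted (here in a JSON file, an
// assumption for the demo) so that a captured header cannot be replayed.
declare(strict_types=1);

const WSSE_MAX_SKEW   = 300;                        // seconds: accepted age of Created
const WSSE_NONCE_FILE = '/tmp/wsse-nonces.json';    // demo nonce store (assumption)

// Client side: build the X-WSSE header value for one request.
function wsse_build_header(string $username, string $secret): string
{
    $nonceBytes = random_bytes(16);
    $created    = gmdate('Y-m-d\TH:i:s\Z');
    $digest     = base64_encode(sha1($nonceBytes . $created . $secret, true));
    return sprintf('UsernameToken Username="%s", PasswordDigest="%s", Nonce="%s", Created="%s"',
        $username, $digest, base64_encode($nonceBytes), $created);
}

// Server side: split the header into its four fields, or null if any is missing.
function wsse_parse_header(string $header): ?array
{
    preg_match_all('/(\w+)="([^"]*)"/', $header, $m, PREG_SET_ORDER);
    $fields = [];
    foreach ($m as [, $name, $value]) {
        $fields[$name] = $value;
    }
    foreach (['Username', 'PasswordDigest', 'Nonce', 'Created'] as $required) {
        if (!isset($fields[$required])) {
            return null;
        }
    }
    return $fields;
}

// Server side: returns the authenticated username, or null on any failure.
// $lookupSecret maps a username to its shared secret (null when unknown).
function wsse_verify(string $header, callable $lookupSecret,
                     string $nonceFile = WSSE_NONCE_FILE, ?int $now = null): ?string
{
    $now = $now ?? time();
    $f = wsse_parse_header($header);
    if ($f === null) {
        return null;
    }
    // 1. Freshness: Created must lie within the skew window (past or future).
    $createdTs = strtotime($f['Created']);
    if ($createdTs === false || abs($now - $createdTs) > WSSE_MAX_SKEW) {
        return null;
    }
    // 2. Replay: the nonce must not have been accepted before within the window.
    $nonceBytes = base64_decode($f['Nonce'], true);
    if ($nonceBytes === false || strlen($nonceBytes) < 8) {
        return null;
    }
    $seen = is_file($nonceFile) ? (json_decode((string) file_get_contents($nonceFile), true) ?: []) : [];
    $seen = array_filter($seen, fn($ts) => $now - (int) $ts <= WSSE_MAX_SKEW);   // expire old nonces
    $nonceKey = hash('sha256', $nonceBytes);
    if (isset($seen[$nonceKey])) {
        return null;
    }
    // 3. Digest: recompute with the stored secret; compare in constant time.
    $secret = $lookupSecret($f['Username']);
    if ($secret === null) {
        return null;
    }
    $expected = base64_encode(sha1($nonceBytes . $f['Created'] . $secret, true));
    if (!hash_equals($expected, $f['PasswordDigest'])) {
        return null;
    }
    // Record the nonce only once the request is accepted.
    $seen[$nonceKey] = $now;
    file_put_contents($nonceFile, json_encode($seen), LOCK_EX);
    return $f['Username'];
}

// Demo with a constructed user table (assumption).
$users  = ['api-client' => 'correct horse battery staple'];
$lookup = fn(string $u): ?string => $users[$u] ?? null;

$header = wsse_build_header('api-client', $users['api-client']);
assert(wsse_verify($header, $lookup) === 'api-client');   // fresh nonce: accepted
assert(wsse_verify($header, $lookup) === null);           // same header again: replay, rejected
```

The first verification succeeds and the second, with an identical header, fails because the nonce has already been recorded. Note what this does and does not buy over Basic Auth on plain HTTP: the shared secret never crosses the wire and a captured header cannot be reused after the window, but the request and response bodies are still readable and modifiable by anyone on the path, so it is not a substitute for TLS.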

You can use slim-jwt, which provides full JWT support and can be used as middleware.
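As an added example (not code from slim-jwt or from the answer above), this is the core of what a JWT middleware does on each request, written out in plain PHP so the checks are visible: issue an HS256 token once the caller has authenticated, then on every later request extract the bearer token, pin the algorithm to HS256 (rejecting the classic alg "none" downgrade), verify the HMAC in constant time and enforce exp. The key, the claims and the header array are constructed for the demo.

```php
<?php
// Added example, not from slim-jwt or the original post: a minimal HS256 JWT
// issue/verify pair of the kind a JWT middleware performs on each request.
// The token is issued once after the client authenticates; later requests
// present it as "Authorization: Bearer <token>". Key and claims are demo values.
declare(strict_types=1);

function b64url_encode(string $bin): string
{
    return rtrim(strtr(base64_encode($bin), '+/', '-_'), '=');
}

function b64url_decode(string $s): ?string
{
    $out = base64_decode(strtr($s, '-_', '+/'), true);
    return $out === false ? null : $out;
}

// Issue an HS256 token carrying $claims, valid for $ttl seconds.
function jwt_issue(array $claims, string $key, int $ttl = 900, ?int $now = null): string
{
    $now     = $now ?? time();
    $header  = b64url_encode(json_encode(['alg' => 'HS256', 'typ' => 'JWT']));
    $payload = b64url_encode(json_encode($claims + ['iat' => $now, 'exp' => $now + $ttl]));
    $sig     = b64url_encode(hash_hmac('sha256', "$header.$payload", $key, true));
    return "$header.$payload.$sig";
}

// Verify a token and return its claims, or null on any failure. The algorithm is
// pinned server-side: a token whose header claims "none" or anything other than
// HS256 is rejected no matter what it says.
function jwt_verify(string $token, string $key, ?int $now = null): ?array
{
    $now   = $now ?? time();
    $parts = explode('.', $token);
    if (count($parts) !== 3) {
        return null;
    }
    [$h, $p, $s] = $parts;

    $header = json_decode((string) b64url_decode($h), true);
    if (!is_array($header) || ($header['alg'] ?? null) !== 'HS256') {
        return null;
    }
    // Recompute the MAC with the server's key and compare in constant time.
    $expected = b64url_encode(hash_hmac('sha256', "$h.$p", $key, true));
    if (!hash_equals($expected, $s)) {
        return null;
    }
    $claims = json_decode((string) b64url_decode($p), true);
    if (!is_array($claims) || !isset($claims['exp']) || !is_int($claims['exp'])) {
        return null;                 // a token without an integer exp is not accepted
    }
    if ($claims['exp'] <= $now) {
        return null;                 // expired
    }
    return $claims;
}

// Middleware-style check on an incoming request: pull the bearer token, verify it.
function authenticate_request(array $headers, string $key): ?array
{
    $auth = $headers['Authorization'] ?? '';
    if (!preg_match('/^Bearer\s+(\S+)$/', $auth, $m)) {
        return null;
    }
    return jwt_verify($m[1], $key);
}

// Demo with a constructed key and client identity (assumptions).
$key   = random_bytes(32);           // in production: loaded from config shared by issuer and API
$token = jwt_issue(['sub' => 'website-frontend', 'scope' => 'read'], $key);

// Genuine token: claims come back.
assert(authenticate_request(['Authorization' => "Bearer $token"], $key)['sub'] === 'website-frontend');

// Tampered payload with the old signature: MAC no longer matches, rejected.
[$h, $p, $s] = explode('.', $token);
$forged = $h . '.' . b64url_encode(json_encode(['sub' => 'admin', 'exp' => PHP_INT_MAX])) . '.' . $s;
assert(authenticate_request(['Authorization' => "Bearer $forged"], $key) === null);

// alg "none" downgrade: header says none, signature empty; rejected by the alg pin.
$noneHeader = b64url_encode(json_encode(['alg' => 'none', 'typ' => 'JWT']));
assert(authenticate_request(['Authorization' => "Bearer $noneHeader.$p."], $key) === null);
```

In a real deployment the same verification wraps the routes as middleware and the key comes from configuration known only to the issuer and the API. A JWT is a bearer credential, so like Basic Auth it still needs HTTPS on the wire; what it adds is that the long-lived secret stays out of each request, and the exp claim bounds the damage when a token does leak.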

Notice: the technical posts on this site are licensed under CC BY-SA 4.0; if you reproduce them, please cite this site or the original source. For any questions contact: yoyou2525@163.com.

粤ICP备18138465号  © 2020-2024 STACKOOM.COM