基于令牌的REST API身份验证
[英]Token-based REST API Authentication
问题描述
I have a mobile app backed up by a lightweight Node.js API. 
我有一个由轻量级Node.js API备份的移动应用程序。 I've recently started exploring integrating a third-party API service that uses token-based authentication. 我最近开始探索集成使用基于令牌的身份验证的第三方API服务。 This API is designed to be called exclusively from my server-side Node.js code since calling it directly from my mobile app would expose my sensitive username/password info. 此API旨在从我的服务器端Node.js代码专门调用,因为直接从我的移动应用程序调用它将暴露我的敏感用户名/密码信息。 Other similar APIs that can only be called server-side (Stripe, for instance) have required authentication with a secret key that is passed in with every request. 其他类似的API只能称为服务器端(例如Stripe),需要使用随每个请求传入的密钥进行身份验证。 This approach makes more sense to me since you don't really think of a server "logging in" to another API. 这种方法对我来说更有意义,因为您并不认为服务器“登录”到另一个API。
So, here are my questions about accessing a token-based API: 那么,以下是关于访问基于令牌的API的问题:
What is the best approach to making calls to this API?
调用此API的最佳方法是什么? The token has a lifetime of 1 hour. 令牌的生命周期为1小时。 Should I 1) persist the token in a database and, for each request, pull the token from the database, check that it is still valid then make the request to the third-party API? 我应该1)将令牌持久保存在数据库中,并且对于每个请求,从数据库中提取令牌,检查它是否仍然有效,然后向第三方API发出请求? Or, 2) request a new token every time I need to make a request to the API? 或者,2)每次我需要向API发出请求时请求新的令牌? What is the benefit of using token based authentication?
使用基于令牌的身份验证有什么好处? Since there isn't a concept of logging in and no state needs to be maintained between requests, wouldn't it be easier to use a simple secret key with basic auth? 由于没有登录的概念,请求之间不需要维护状态,使用基本身份验证的简单密钥会不会更容易?
2 个解决方案
解决方案1
2 已采纳 2016-12-09 17:56:18
I'm going to start with #2: 我将从#2开始:
What is the benefit of using token based authentication?
A basic auth username and password: 基本的auth用户名和密码:
- Is also a token. 也是一种象征。
- Does not actually 'log you in'. 实际上并没有“登录你”。 It's stateless in the same way, because the username and password get passed with every request. 它以同样的方式无状态,因为用户名和密码随每个请求传递。
So the difference between the token you're describing and a password really in this case is about the lifetime of the token. 因此,在这种情况下,您所描述的令牌与密码之间的差异实际上与令牌的生命周期有关。 It sounds like you probably actually have 2 tokens. 听起来你可能实际上有2个令牌。 One to do requests (access token) and another to request new access tokens if they expired (refresh token). 一个用于执行请求(访问令牌),另一个用于请求新访问令牌(如果它们已过期)(刷新令牌)。
Why do this? 为什么这样? One idea is that the refresh token is the most dangerous one, because if an access token leaks somehow, it will only be valid for a limited amount of time. 一个想法是刷新令牌是最危险的,因为如果访问令牌以某种方式泄漏,它只会在有限的时间内有效。 By separating these you're basically decreasing the number of potential attack vectors. 通过分离这些,你基本上减少了潜在攻击向量的数量。 In a world where everything is secure, this might make no real difference, but we don't live in this world. 在一切安全的世界里,这可能没有什么真正的区别,但我们不会生活在这个世界上。
Access tokens can leak into logs, or accidentally get exposed through other means. 访问令牌可能会泄漏到日志中,或意外通过其他方式暴露。 The chance of a refresh token to be exposed is just lower. 刷新令牌暴露的可能性更低。
Some API's also turn the access token in some signed json payload (jwt), so they don't need to check their data-stores for validity. 某些API还会在一些签名的json有效负载(jwt)中转换访问令牌,因此他们无需检查其数据存储的有效性。 These services might expire refresh tokens in case of security changes (new password, intrusion detection) but not expire the access token. 在安全性更改(新密码,入侵检测)但未使访问令牌过期的情况下,这些服务可能会使刷新令牌失效。
But yea it's a bit of a hairy subject. 但是,这是一个毛茸茸的主题。 There's no clear attack vector that gets prevented by creating two tokens, but it's defense in depth. 没有明确的攻击向量可以通过创建两个令牌来防止,但它的深度防御。
解决方案2
1 2016-12-09 18:11:41
Since question 2 is answered, i would start with question 1 由于回答了问题2,我将从问题1开始
For token based authentication, as you mentioned, for each and every request you can intercept the actual request and verify the token and if the token is valid you can allow the request to access your api. 对于基于令牌的身份验证,如您所述,对于每个请求,您可以拦截实际请求并验证令牌,如果令牌有效,您可以允许请求访问您的API。 Recently, there is a new standard called JWT Json web tokens. 最近,有一个名为JWT Json web令牌的新标准。 Here is the description about JWT 这是关于JWT的描述
JSON Web Tokens are an open, industry standard RFC 7519method for representing claims securely between two parties.
JWT.IO allows you to decode, verify and generate JWT. JWT.IO允许您解码,验证和生成JWT。
Using JWT, you can save a DB call on each request. 使用JWT,您可以在每个请求上保存数据库调用。 The client is expected to send this token on each request (usually in a http header). 期望客户端在每个请求上发送此令牌(通常在http头中)。 On the server, intercept the request take the token and verify the token against a private key and authenticate the user. 在服务器上,拦截请求获取令牌并根据私钥验证令牌并对用户进行身份验证。 The token can be generated based on "claims". 可以基于“声明”生成令牌。 A claim, for example, can be client ip address or user agent or anything that you think is sensible. 例如,声明可以是客户端IP地址或用户代理或您认为合理的任何内容。 I strongly suggest you to use the JWT standard for your token based authentication of the API 我强烈建议您使用JWT标准进行基于令牌的API身份验证
Now question 2 现在问题2
Yes Http is meant to be stateless protocol. 是的Http意味着无状态协议。 Especially when you use REST based APIs , they have to be stateless and session less. 特别是当您使用基于REST的API时,它们必须是无状态且无会话。 So a basic authentication would be enough. 所以基本的身份验证就足够了。 However, you may have to make a db call to verify the base64 encoded username and password sent by the client. 但是,您可能必须进行db调用以验证客户端发送的base64编码的用户名和密码。 The advantage of JWT token is you can avoid this additional DB call and is much secured than just basic auth JWT令牌的优点是您可以避免这种额外的数据库调用,并且比基本身份验证更安全
声明:本站的技术帖子网页,遵循CC BY-SA 4.0协议,如果您需要转载,请注明本站网址或者原文地址。任何问题请咨询:yoyou2525@163.com.