简体繁体 English

Openid和RestFul API

[英]Openid and RestFul API

原文 2017-05-03 19:06:32 2 2 rest/ api/ openid/ steam

My website have a Restful API, with authentication needed. 我的网站有一个Restful API，需要进行身份验证。 When a user log-in in website, it's performed a HTTP Basic authentication (username and password), and is returned a access token generated in API. 当用户登录网站时，它会执行HTTP基本身份验证（用户名和密码），并返回在API中生成的访问令牌。

But recently I have implemented steam login (Yeah, steam can act as an OpenID provider). 但最近我实施了蒸汽登录（是的，蒸汽可以充当OpenID提供商）。 Everything okay, but How can I auth the user on the API, if no password is sended. 一切都还可以，但如果没有密码发送，我如何在API上授权用户。

2 个解决方案

You don't need an username and / or password to authenticate an user that login into your site using an OpenId provider (Steam, in your case). 您不需要用户名和/或密码来验证使用OpenId提供商登录您网站的用户（在您的情况下为Steam）。 What you need is to trust in this OpenId Provider. 您需要的是信任这个OpenId Provider。

This is a very good definition about OpenId by John Christopher Jones in a blog post: 这是John Christopher Jones在博客文章中关于OpenId的非常好的定义：

OpenID is an authentication strategy where an unauthenticated user visits your site then authenticates themselves by logging in to Google, Twitter, Facebook, Steam, or some other OpenID provider . OpenID是一种身份验证策略，未经身份验证的用户访问您的网站，然后通过登录Google，Twitter，Facebook，Steam或其他一些OpenID提供商进行身份验证。 Your server (the OpenID Relying Party ) exchanges keys with the OpenID Provider (Google, et. al.) then sends the user over to the OpenID Provider to log in. 您的服务器（ OpenID依赖方 ）与OpenID 提供商 （Google等人）交换密钥，然后将用户发送到OpenID 提供商进行登录。

After the user logs in with the OpenID Provider , the user is sent back to you with some information identifying who they are , signed by the key you exchanged with the OpenID Provider . 用户使用OpenID提供程序登录后，将向 用户发送 一些信息，标识他们是谁 ，并通过您与OpenID提供商交换的密钥进行签名。 You can trust their identity at this point and start "logging them in" to your own system based on their identity . 此时您可以信任他们的 身份，并 根据他们的身份 开始“登录”到您自己的系统 。

The image bellow shows the OpenId Flow: 下面的图像显示了OpenId流程：

As you can see, after verify credentials, the OpenId Provider (Steam) will send back the user to your website, including credentials in the URL. 如您所见，在验证凭据之后，OpenId Provider（Steam）会将用户发回给您的网站，包括URL中的凭据。 With these credentials in hands what you need to do is: 有了这些凭证，您需要做的是：

Verify if a user associated with this credentials already exists in the database. 验证数据库中是否已存在与此凭据关联的用户。 If not, create it. 如果没有，请创建它。
Create a API token associated with this user. 创建与此用户关联的API令牌。
Send the API token for the user waiting on the browser (your client app that consumes your RESTful API). 为在浏览器上等待的用户（使用RESTful API的客户端应用程序）发送API令牌。

With this API token in hands your client application can add these token to every request to your RESTful API, as the same way that an authenticated user with username and password would do. 有了这个API令牌，您的客户端应用程序就可以将这些令牌添加到RESTful API的每个请求中，就像使用用户名和密码的经过身份验证的用户所做的那样。 Note that your token generation strategy can not be dependent of a username and password. 请注意，您的令牌生成策略不能取决于用户名和密码。

So basically you want to make sure that the user is authenticated. 所以基本上你想确保用户通过身份验证。 Here Steam provides your server with a key (OpenID server) and your server has provided a key to the OpenID server. Steam为您的服务器提供密钥（OpenID服务器），并且您的服务器已为OpenID服务器提供密钥。 This is very similar to tokens used for Anti-Forgery attacks. 这与用于防伪攻击的令牌非常相似。 Steam provides your server with the user's identification and your server notes down Steam server's location. Steam为您的服务器提供用户的标识，并且您的服务器记下Steam服务器的位置。 Then the user is allowed to view your server`s content. 然后，用户可以查看服务器的内容。 Steam surely uses an API so if credentials are cached in the browser well it won't ask for them in the future. Steam肯定会使用API，因此如果凭据很好地在浏览器中缓存，它将来也不会要求它们。