
express-gateway API key management

I have an API backend that will be consumed by different consumers, such as our own company website, and even other websites can use our API with a certain quota/limitation. For this scope management we will be using express-gateway (eg); however, this is not the only reason I am using express-gateway (eg).

Now coming to my problem/misunderstanding: for our own website we can create an api-key and user credentials using the eg command. But for other users who wish to use our API, I don't want them to contact me for this integration; rather, they should be able to create user credentials and an API key themselves using some facility (let us call it key management) provided by us.

Here I am stuck on how to provide a web platform or any other mechanism where a user can create an account and then create an api-key for their own website. I was thinking of extending the express-gateway app itself and creating a page where a website owner can fill in a form with various input fields that will serve as parameters for the eg command, and I can trigger the eg command in the node console, create credentials, save them in the redis database, and then fetch that information to show it to the user as their user id and api-key.

But I want to know the best way, how others are doing it, like how Google, Twitter and many more allow users to create an api-key, delete a key and regenerate the api-key on compromise.

Some suggestions would be to use a third-party tool to manage user credentials; I will have little inertia to accept that, and even if I do so, how will I hook those third-party solutions to my express-gateway?

In general, API gateways and authentication servers are independent, or at least loosely coupled. The typical workflow is:

  1. A user browses to the Create Account page for a service.
  2. The user creates an account with the authentication server.
  3. The user makes a request through the API gateway.
  4. The API gateway checks with the authentication server whether the operation is allowed, discarding it if the user is not authorized to perform the requested action.
  5. The API gateway dispatches the request to the appropriate server.
  6. The receiving server checks whether the user is permitted to perform the action (in case the API gateway has been compromised).

Express Gateway includes its own authentication server for convenience, but the steps are basically the same. The difference is that one uses the Express Gateway Admin API to create the user and credentials rather than going to a different server.

Note that Express Gateway and its default account database (Redis) are not persistent out of the box.
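The self-service flow discussed above, sketched as an added example that is not part of the original question or answer: a signup backend validates the form and calls the Express Gateway Admin API over HTTP instead of passing form input to the `eg` command line. The form fields, the scope name and the Admin API address are assumptions; the Admin API should be reachable only from this backend, never from the public network.

```javascript
// Assumptions: Admin API on its default local port; 'public-read' is a constructed
// scope name that must already exist in the gateway; form fields are hypothetical.
const ADMIN_URL = 'http://localhost:9876';
const USERNAME_RE = /^[a-z][a-z0-9_-]{2,31}$/; // strict allowlist, no shell or path characters
const ALLOWED_SCOPES = new Set(['public-read']); // what a self-registered consumer may get

function validateSignup(form) {
  const username = String(form.username || '').toLowerCase();
  if (!USERNAME_RE.test(username)) throw new Error('invalid username');
  // Silently drop any scope the caller is not entitled to request.
  const scopes = (form.scopes || []).filter((s) => ALLOWED_SCOPES.has(s));
  return { username, scopes };
}

// Admin API requests that create the consumer and its first API key.
function provisioningRequests(form) {
  const { username, scopes } = validateSignup(form);
  const firstname = String(form.firstname || '').slice(0, 64);
  const lastname = String(form.lastname || '').slice(0, 64);
  return [
    { method: 'POST', path: '/users', body: { username, firstname, lastname } },
    { method: 'POST', path: '/credentials',
      body: { consumerId: username, type: 'key-auth', credential: { scopes } } },
  ];
}

// Regeneration after a compromise: deactivate the old key, then issue a new one.
function rotationRequests(username, oldKeyId, scopes) {
  const checked = validateSignup({ username, scopes });
  return [
    { method: 'PUT', path: `/credentials/key-auth/${encodeURIComponent(oldKeyId)}/status`,
      body: { status: false } },
    { method: 'POST', path: '/credentials',
      body: { consumerId: checked.username, type: 'key-auth', credential: { scopes: checked.scopes } } },
  ];
}

// Sends the requests in order; httpFetch is injectable so the flow can be tested offline.
async function runAdminRequests(requests, httpFetch = fetch) {
  const results = [];
  for (const { method, path, body } of requests) {
    const res = await httpFetch(ADMIN_URL + path, {
      method, headers: { 'Content-Type': 'application/json' }, body: JSON.stringify(body),
    });
    if (!res.ok) throw new Error(`${method} ${path} failed: ${res.status}`);
    results.push(await res.json());
  }
  return results;
}
```

The key secret returned by the credential request should be shown to the user once over TLS and not written to application logs.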

Notice: Technical posts on this site are licensed under CC BY-SA 4.0. If you reproduce this content, please cite this site's URL or the original address.
