如何实现无状态REST API
[英]How to implement a stateless REST API
问题描述
I am working on a REST API that will be used by developers writing mobile apps. 
我正在开发一个REST API,供开发人员编写移动应用程序使用。 Users will be able to use 3rd party services (Google, Twitter etc) to authenticate themselves, this is mainly handled by OAuth (depending on the service in question). 用户将能够使用第三方服务(Google,Twitter等)进行身份验证,这主要由OAuth处理(取决于相关服务)。 We use 2-legged OAuth between the client application and the API Server (where the consumer key/secret is app specific, the developer gets it from our site when the app is registered there). 我们在客户端应用程序和API服务器之间使用2脚OAuth(消费者密钥/密钥是特定于应用程序的,开发人员在应用程序注册时从我们的站点获取它)。
My problem is how to handle to keep track of the user authentication in a stateless manner. 我的问题是如何处理以无状态方式跟踪用户身份验证。 I do not have the users credentials to send in each request. 我没有用户凭据来发送每个请求。 I could create a unique session_id when a user logs in and then require that in each request to the REST API. 我可以在用户登录时创建一个唯一的session_id,然后在每个REST API请求中都要求它。 Are there any other solutions to my problem? 我的问题还有其他解决方案吗? Does using a unique session_id to identify the user cause any problems from a stateless REST API perspective? 使用唯一的session_id来识别用户是否会导致无状态REST API透视图出现任何问题?
1 个解决方案
解决方案1
10 已采纳 2010-10-05 16:32:10
Disclaimer: I am not in anyway a security expert. 免责声明:我不是一个安全专家。
Don't call it a session_Id. 不要将其称为session_Id。 Call it an authentication token and pass it the Authorization HTTP header using your own authentication scheme. 将其称为身份验证令牌,并使用您自己的身份验证方案将其传递给Authorization HTTP标头。 See the Google AuthSub for an example. 有关示例,请参阅Google AuthSub 。
Do not use this authentication token for anything other than identifying the user and determining if they are authorized to perform the request. 请勿将此身份验证令牌用于识别用户以及确定他们是否有权执行请求之外的任何其他内容。 Do not associate any state to the token and do not retrieve user preferences based on it. 不要将任何状态与令牌关联,也不要根据它来检索用户首选项。
声明:本站的技术帖子网页,遵循CC BY-SA 4.0协议,如果您需要转载,请注明本站网址或者原文地址。任何问题请咨询:yoyou2525@163.com.