[英]Javascript Client Authentication (with SSL, without OAuth2)?
The scenario is: 场景是:
I have a web API, which is being accessed by two clients: 我有一个Web API,由两个客户端访问:
SSL is all set up on the server hosting the API, and it works fine. SSL都是在托管API的服务器上设置的,它运行正常。 There is no User Auth for the API because it's a sort of location-based searching app.
API没有User Auth,因为它是一种基于位置的搜索应用程序。
I want to ensure though that only the web app and the iPhone client are able to actually make requests to the API. 我想确保只有Web应用程序和iPhone客户端能够实际向API发出请求。 For the iPhone client it's easy - a shared secret between the server and the app will do, and it's encrypted with SSL so we're not worried about people spying on it.
对于iPhone客户端来说这很容易 - 服务器和应用程序之间的共享秘密就可以了,而且它是用SSL加密的,所以我们不担心有人监视它。
But for the web app the same solution won't work. 但对于Web应用程序,相同的解决方案将无法正常工作。 I can't just leave a string in the code, and even if it's encrypted in there that's all somebody would need.
我不能在代码中留下一个字符串,即使它在那里被加密,也是所有人都需要的。
Basically, I'm looking for a good solution to this problem. 基本上,我正在寻找这个问题的一个很好的解决方案。 I just want to make sure it's kept only to clients who are allowed to use it, but I'm not sure how I can without going and implementing OAuth which I think is probably overkill.
我只是想确保它只保留给被允许使用它的客户,但我不确定如何不去实施OAuth,我认为这可能是过度的。 Any ideas?
有任何想法吗?
Thanks! 谢谢! Dan
担
It can't be done. 它无法完成。 Even with oauth.
即使有oauth。 Even assuming that your iOS app is secure, is wrong: it can be decompiled.
即使假设您的iOS应用程序是安全的,也是错误的:它可以被反编译。 Any code that runs on the client, can be tampered with, and can't be trusted to be who he says he is.
在客户端上运行的任何代码都可能被篡改,并且无法被信任为他所说的人。
Only question is: is the API you provide valuable enough, and how much trouble would someone want to go through to hack it. 唯一的问题是:您提供的API是否足够有价值,以及有多少人会想要破解它。 And how hard do you want to make it for whomever wants to hack it.
你想要破解它的人有多难?
The iOS version is indeed way safer than the javascript version. iOS版本确实比javascript版本更安全。 In the webapp you can obfuscate your code to make it harder to hack.
在webapp中,您可以对代码进行模糊处理,使其更难以入侵。 You can (if you don't intend to use it on iOS) use java or flash to further hide your signing code (HMAC-sign your requests, don't just send a shared secret with them. You may think SSL is secure, but there is a moment before the url is encrypted....).
您可以(如果您不打算在iOS上使用它)使用java或flash进一步隐藏您的签名代码(HMAC签署您的请求,不要只是发送共享密码。您可能认为SSL是安全的,但是在网址加密之前有一段时间......)。
The way the "big guys" deal with this is: “大家伙”处理这个问题的方式是:
声明:本站的技术帖子网页,遵循CC BY-SA 4.0协议,如果您需要转载,请注明本站网址或者原文地址。任何问题请咨询:yoyou2525@163.com.