英文:
API authentication confusion
问题
我的问题不是非常技术性的,更多是关于系统架构的问题。
我正在用Go语言设计一个API后端。我希望有几个客户端,比如一个Web服务器、手机等等。我想象中,所有这些客户端都应该有一个秘密的API密钥,以验证他们是否可以使用API。同时,Web前端将有很多具有不同限制的用户。我希望这些用户能够使用他们的Facebook或Google帐户登录。我理解这应该需要OAuth身份验证。我的问题是,我应该在哪里添加OAuth。只在前端,然后将用户保存在会话中,还是在前端和后端之间也要添加。我对如何设置这种通信和身份验证非常困惑。
我正在用PHP构建Web服务器,我希望Web前端非常轻量级,基本上只作为Go API的一个空壳/视图。我以前用纯PHP/MySQL构建过系统,但我想转向基于Go的API。
对于从Web服务器前端到API的URI,比如说显示个人资料页面,会是什么样子?我想象中应该是一个GET请求,类似于"http.//backend.com:3000/[api-key]/[api-secret][oauth-token?]/profile"。然后使用一些中间件来验证Web客户端,另外再使用一些中间件来验证用户。这样做是否是“正确”的方法?
我希望你们能指点我正确的方向。
提前感谢。
英文:
My question is not deeply technical but more of a system architectural one.
I'm designing an API backend in Go Lang. I'd like to have several clients, like a web server, cell phones etc.. I imagine that all these clients should have a secret API key so to validate that they can use the API. At the same time the web frontend is going to have a lot of users with different restrictions. I'd like for these users to be able to log in with their facebook or Google account. That should require OAuth authentication as I understand. My question is now where should I add the OAuth. Only in the frontend and then save the user in session or also between the frontend and the backend. I'm highly confused about how I should set up this communication and authentication.
I'm building the web server in PHP and I'd like the web frontend to be really light weight and more or less only function as en empty shell/view for the Go API. I've build systems in plain PHP/MySQL before but I'd like to make a shift to Go based APIs.
How would a URI look like to the API from the web server frontend for let's say a show profile page? I imagine something like a GET call to "http.//backend.com:3000/[api-key]/[api-secret][oauth-token?]/profile. Then some middleware to authenticate the web client and another piece of middleware to authenticate the user. Would that be "the right" approach?
I hope you guys can point me in the right direction.
Thanks in advance.
答案1
得分: 2
如果你查看Facebook或Google的开发者文档,你会发现一些关于如何与它们的OAuth登录系统集成的示例。
OAuth,至少最后一步,必须在后端完成,因为你必须假设前端是一个恶意用户攻击你的系统。
对于Go的OAuth,可以参考:https://github.com/golang/oauth2
你可能会有一个类似于http.HandlerFunc("/oauth/google", yourGoogleFunc)和http.HandlerFunc("/oauth/facebook", yourFBFunc)的东西,然后你在开发者账户中注册这些URL与这些公司进行关联。
在测试时,最简单的方法是使用localhost:8080(或其他端口)作为回调URL,这样它可以在任何机器上工作,只要你使用的是本地浏览器。
英文:
If you look at your facebook or google developer docs, you will find examples on how to integrate with their oauth login systems.
OAuth, or at least the last step of it, really must be done on the back end as you have to assume your front end is a bad guy hitting your system.
For go oauth, take a look at: https://github.com/golang/oauth2
You will likely have a http.HandlerFunc("/oauth/google",yourGoogleFunc)
and http.HandlerFunc("/oauth/facebook",yourFBFunc)
type thing, then you register that URL on your dev account with those companies.
while testing, it's easiest to use localhost:8080 (or whatever) as the callback url so it works on any machine as long as you are using a local browser.
通过集体智慧和协作来改善编程学习和解决问题的方式。致力于成为全球开发者共同参与的知识库,让每个人都能够通过互相帮助和分享经验来进步。
评论