API身份验证设计

huangapple go评论85阅读模式
英文:

API authentication design

问题

我计划构建一个由两个服务器组成的网络服务——一个API后端(RESTful和无状态)和一个Web服务器前端。后端将使用Go构建,而Web服务器将使用PHP或Java。

基本上,我希望多个用户可以通过其Web浏览器登录,使用他们的Facebook或Google凭据进行身份验证,我了解到我必须使用OAuth来实现这一点。

然而,我对如何设计身份验证深感困惑。
我能否仅在Web服务器上实现OAuth,然后使用API密钥/密钥来验证Web服务器与我的API之间的加密连接进行通信。这样安全且正常工作吗,还是我应该以其他方式实现身份验证?

我制作了一个简单的图表,展示了我对如何完成这个过程的想法。

API身份验证设计

我真的希望你们能指点我正确的方向。

英文:

I'm planning on building a web service consisting of two servers - an API backend (RESTful & stateless) and a web server frontend. The backend will be build with Go and the web server with PHP or Java.

Basically I'd like multiple users to log in with their web browsers through the use of their facebook or google credentials which I understand I must use OAuth for.

I'm however deeply confused about how I should design the authentication.
Can I simply implement OAuth on the webserver alone and then use an API-key/secret to validate the webserver with my API and communicate over an encrypted connection between the two of them. Would that be secure and work just fine or should I implement authentication in some other way?

I've made a simple diregram showing my idea of how this could be done.

API身份验证设计

I really hope that you guys can point me in the right direction.

答案1

得分: 2

解决该问题的两种常见方法:

受信任的子系统模型 vs 委派模型

受信任的子系统

使用受信任的子系统模型,为前端的每个用户维护一个单独的密钥和秘密可能是不切实际的。受信任的子系统模型基本上是指一个具有对 API 授权的系统(Web 服务器)负责或被信任来对用户访问该 API 进行身份验证/授权,并被授予执行此操作的权限。

你需要为 Web 服务器提供一个帐户,并允许 Web 服务器授权访问该 API。

委派模型

如果你可以控制 API 的身份验证方式,你可以使用与前端相同的方法,并重用最终用户的安全主体来对后端 API 进行身份验证。

英文:

Two common approached to tacking the problem:

Trusted subsystem model vs Delegation model

Trusted subsystem

Use a trusted subsystem model, it maybe impractical to maintain a separate key and secret for every user of the front end, the trusted subsystem model basically states that a system (web server) with authority to an api is responsible or trusted to authenticate/authorise users access to that api, and is given authority to do so.

What you do is provision a account for the web server, and allow the web server to authorize access to the api.

Delegation model

If you have control over how the api authenticates you can use the same method as the frontend and reuse the end users security principal to authenticate to the back end api.

huangapple
  • 本文由 发表于 2015年7月20日 22:00:22
  • 转载请务必保留本文链接:https://go.coder-hub.com/31518501.html
匿名

发表评论

匿名网友

:?: :razz: :sad: :evil: :!: :smile: :oops: :grin: :eek: :shock: :???: :cool: :lol: :mad: :twisted: :roll: :wink: :idea: :arrow: :neutral: :cry: :mrgreen:

确定