如何在产品环境中保护我的GO REST服务?

huangapple go评论96阅读模式
英文:

How can I protect my GO REST services in product environment?

问题

我最近在处理Go REST服务,但我不知道是否有可用的生产就绪的OAUTH2服务器?

由于我的服务将被单页Web应用程序和移动客户端使用,并且用户应该能够注册他们的账户,所以我在考虑一个OAUTH2服务器。

我已经搜索过了,发现标准包只包含客户端代码https://github.com/golang/oauth2/blob/master/oauth2.go。

有一个用Go构建的OAUTH2服务器(https://github.com/RangelReale/osin),但我没有太多的专业知识来审查它。

因此,对于生产应用程序,有哪些选项可用?我应该使用另一种技术(如nodejs)实现的OAUTH服务器,因为它们更成熟吗?

编辑:在.Net领域,有一个服务器实现在https://github.com/identityserver/IdentityServer3

然而,我更喜欢GO中的一些东西。

英文:

I'm recently dealing with Go REST services, but I don't know if there any production-ready OAUTH2 server available?

As my services will be consumed by a single-paged web app as well as mobile clients, and users should be able to register their accounts, so I'm thinking about an OAUTH2 server.

I've been searching around and found that the standard package contains only the client side code https://github.com/golang/oauth2/blob/master/oauth2.go.

There is an OAUTH2 server built in Go (https://github.com/RangelReale/osin), but I don't have much expertise to review it.

Therefore, what are the options available for production applications? Should I use an OAUTH server implemented in another technology like nodejs because of their maturity?

EDIT: In .Net space there is a server implementation at https://github.com/identityserver/IdentityServer3

However, I would prefer something in GO.

答案1

得分: 1

我刚问完问题后,CoreOS发布了一个名为"dex"的开源OpenID提供者,网址是https://github.com/coreos/dex。

英文:

Right after I asked the question, CoreOS released "dex" as an open source OpenID provider at https://github.com/coreos/dex

答案2

得分: 0

尽管Oauth2非常安全且实现得很好。

用于保护Web应用程序的常见流程如下:

用户注册应用程序并将注册数据发送到后端。
服务器处理注册信息。
为将来的令牌请求和其他请求存储散列用户密码。
创建访问令牌以返回给用户(通常为32-64位)。
散列访问令牌并将其存储在数据库中,以用于验证RESTful请求。
将所需的任何数据以及访问令牌发送回用户。
在客户端机器上存储访问令牌(可能使用localstorage.set())。
将来的请求将附带访问令牌以进行身份验证。

始终检查访问令牌是否仍然有效,并且其散列值与数据库中的散列值匹配。

其他实现涉及JWT等。

英文:

Though Oauth2 is very secure and a great implementation.

A common procedure used to secure web applications is as follows.

User registers to application and sends registration data to backend.
Server handles registration information.
Store hashed user password for future token requests and other such requests
Create access token to be passed back to user(usually 32-64 bit)
hash access token and store it in database for authentication of restful requests
Send user back any data required as well as access token.
Store access token on client machine(Possibly using localstorage.set() )
Future requests will have the access token attached to them for authentication.

Always check that the access token is still access and that it's hash matches the hashed value in the database.

Other implementations involve JWT's and so on.

答案3

得分: 0

如果你对审查OAuth 2.0库没有足够的专业知识,我建议你使用可靠的第三方OAuth作为服务提供商。

我知道一个例子是Microsoft Azure ACS,你可以将其与你的golang应用程序集成,他们将为你处理OAuth过程以及身份验证和授权。

你可以在这里阅读它的工作原理here

英文:

If you do not have enough expertise in reviewing OAuth 2.0 library, then I would recommend to use reliable third party Oauth-as-a-service provider.

One example I know is Microsoft Azure ACS, which you can integrate with your golang application, and they will handle OAuth process as well as authentication and authorisation for you.

You can read about how it works here.

1: https://msdn.microsoft.com/en-us/library/azure/dn645542.aspx "Oauth flow"

huangapple
  • 本文由 发表于 2015年9月6日 14:28:25
  • 转载请务必保留本文链接:https://go.coder-hub.com/32420713.html
匿名

发表评论

匿名网友

:?: :razz: :sad: :evil: :!: :smile: :oops: :grin: :eek: :shock: :???: :cool: :lol: :mad: :twisted: :roll: :wink: :idea: :arrow: :neutral: :cry: :mrgreen:

确定