duancilan5124
2016-10-22 16:46

golang JSON RPC authorization

I was experimenting with RPC as an alternative to some services actually implemented using HTTP REST APIs. Since these services are actually not public and are used only by other services, using RPC could make more sense.

I'm looking for some hints regarding RPC authorization best practices, since I'm really not sure about the way to follow.

I'm using golang for this.

  • how do I make sure an RPC gets used only by authorized services

  • can I authorize only a subset of the exposed procedures

Thx


1 answer

  • drui0508 2016-10-22 18:18
    Accepted

    You could handle authorisation in a similar way to authorisation of REST services.

    JSON Web Tokens (JWT) are a widely used authorisation method. You can find demonstrations and a conceptual overview of JWTs at jwt.io. In brief, JWTs are a signed JSON object, encoded as a string. The JSON object can make any number of arbitrary "claims" about the permissions the client has.

    Your service would sign a JWT (using a private key) and pass it to the client during authentication, which I suggest would be done by a JSON-RPC method that checks the permissions of the client (by API key, username and password or whatever). Your protected methods could then require a JWT as one of their parameters: performing their normal functionality if the JWT is verified and has the correct claims, else returning an error.

    I suggest having a look at the github.com/dgrijalva/jwt-go package. It provides methods for issuing and verifying JWTs.

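The token check described in the accepted answer, as an added example that is not part of the original post and is not code from jwt-go: it issues and verifies an HS256 (shared-key HMAC) token with the Go standard library only, instead of the private-key signing and the jwt-go package the answer mentions. The demo key, the `methods` claim and the `Arith.*` procedure names are assumptions made for illustration; the per-method grant is what lets a token authorize only a subset of the exposed procedures.

```go
package main

import (
	"crypto/hmac"
	"crypto/sha256"
	"encoding/base64"
	"encoding/json"
	"fmt"
	"strings"
	"time"
)

// Assumption: constructed demo key; a real service loads its key from a secret store.
var key, b64 = []byte("constructed-demo-key"), base64.RawURLEncoding
var header = b64.EncodeToString([]byte(`{"alg":"HS256","typ":"JWT"}`))

// Claims.Methods is a hypothetical private claim: the procedures the caller may invoke.
type Claims struct {
	Exp     int64           `json:"exp"`
	Methods map[string]bool `json:"methods"`
}

func sign(msg string) string {
	mac := hmac.New(sha256.New, key)
	mac.Write([]byte(msg))
	return b64.EncodeToString(mac.Sum(nil))
}

// Issue is what the authentication procedure returns once credentials check out.
func Issue(c Claims) string {
	body, _ := json.Marshal(c)
	msg := header + "." + b64.EncodeToString(body)
	return msg + "." + sign(msg)
}

// Authorize is the first call in a protected procedure: authentic, unexpired, grants method?
func Authorize(token, method string) bool {
	p := strings.Split(token, ".")
	if len(p) != 3 || p[0] != header || !hmac.Equal([]byte(p[2]), []byte(sign(p[0]+"."+p[1]))) {
		return false // wrong shape, unexpected alg header, or bad signature
	}
	var c Claims
	raw, err := b64.DecodeString(p[1])
	return err == nil && json.Unmarshal(raw, &c) == nil && time.Now().Unix() < c.Exp && c.Methods[method]
}

func main() {
	tok := Issue(Claims{time.Now().Add(time.Minute).Unix(), map[string]bool{"Arith.Multiply": true}})
	fmt.Println(Authorize(tok, "Arith.Multiply"), Authorize(tok, "Arith.Divide"))
}
```

In a `net/rpc` style method the token would be a field of the argument struct, and the method would return an error before doing any work when `Authorize(args.Token, "Arith.Multiply")` is false.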
