doudongfu8006
doudongfu8006
2015-07-20 14:00
浏览 13
已采纳

API认证设计

I'm planning on building a web service consisting of two servers - an API backend (RESTful & stateless) and a web server frontend. The backend will be build with Go and the web server with PHP or Java.

Basically I'd like multiple users to log in with their web browsers through the use of their facebook or google credentials which I understand I must use OAuth for.

I'm however deeply confused about how I should design the authentication. Can I simply implement OAuth on the webserver alone and then use an API-key/secret to validate the webserver with my API and communicate over an encrypted connection between the two of them. Would that be secure and work just fine or should I implement authentication in some other way?

I've made a simple diregram showing my idea of how this could be done.

Authentication diagram

I really hope that you guys can point me in the right direction.

  • 点赞
  • 写回答
  • 关注问题
  • 收藏
  • 邀请回答

1条回答 默认 最新

  • douchen1944
    douchen1944 2015-07-20 14:06
    已采纳

    Two common approached to tacking the problem:

    Trusted subsystem model vs Delegation model

    Trusted subsystem

    Use a trusted subsystem model, it maybe impractical to maintain a separate key and secret for every user of the front end, the trusted subsystem model basically states that a system (web server) with authority to an api is responsible or trusted to authenticate/authorise users access to that api, and is given authority to do so.

    What you do is provision a account for the web server, and allow the web server to authorize access to the api.

    Delegation model

    If you have control over how the api authenticates you can use the same method as the frontend and reuse the end users security principal to authenticate to the back end api.

    点赞 评论

相关推荐