I am currently writing a REST API in Python with the microframework Flask. It's a private API and it deals with user data. I plan to use this API to build a web and an Android app.
For now I use digest auth to secure private user data. For example, if you want to post data on my service as the user bob, you make a POST request at myapi/story/create and provide bob's credentials with the digest pattern.
I am aware this is not a good solution because:
- Digest auth is not secure
- The client is not authenticated (how to secure requests not related to the current user, for example creating a new user?)
I read a lot of stuff about oAuth, but the 3-legged authentication seems overkill because I don't plan to open my API to third parties.
The 2-legged oAuth won't fit because it only provides authentication for clients and not for users.
Another problem with oAuth is that I haven't found a comprehensive guide for implementing it in Python. I found the python-oauth2 library, but I don't understand the server example and I can't find additional documentation. Plus it seems that many aspects of oAuth are not covered in this example.
So my questions are:
- Is there an alternative scheme (not oAuth) for authenticating both client and user with a reasonable level of security?
- If oAuth is the best solution:
  - How to skip the authorization process (because users won't have to authorize third-party clients)?
  - Is there detailed documentation for python-oauth2 or for any other Python library?
Any help or advice will be appreciated.
Comments (3)
The simple answer is to expose your API via HTTPS only, and then use HTTP Basic authentication. I don't think there's really any reason to bother with Digest. Basic authentication is insecure, but is submitted with every request so you never need to worry about your authentication going stale or whatever. By tunneling it over HTTPS, you have a secure connection.
If you want to authenticate the client, you could use SSL client certificates. That said, in general it's pretty tough to really lock down the client against malicious users, so I would consider making the sign-up functions openly accessible and protect yourself from DOS etc via out-of-band account verification.
Have you already considered using Basic Authentication?
I haven't used the framework you mentioned yet, but I used basic auth to protect some URLs in an app based on web.py and it worked fine.
Basically, you can use a token in base64, which is actually a standard HTTP header.
Maybe this example can help you:
If you are interested in basic authentication, here is a quick attribute which you can use to decorate your handlers http://www.varunpant.com/posts/basic-authentication-in-web-py-via-attribute. This example is primarily written in web.py context, but I guess it can be easily tweaked.
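As an added example, not code from any of the answers above, here is the core of the HTTPS-plus-Basic-auth approach the first answer recommends, including the base64 `user:password` token in the Authorization header that the second answer mentions. It is framework-independent (Python standard library only, no Flask or web.py) so the same check can sit behind either framework's handler; the user `bob`, his password and the PBKDF2 parameters are constructed sample values.

```python
import base64
import hashlib
import hmac
import os
from typing import Optional, Tuple

def make_record(password: str, salt: Optional[bytes] = None) -> Tuple[bytes, bytes]:
    """Salted PBKDF2-SHA256 record so the server never stores plaintext passwords."""
    salt = salt or os.urandom(16)
    return salt, hashlib.pbkdf2_hmac("sha256", password.encode("utf-8"), salt, 200_000)

# Constructed sample user store (hypothetical credentials): username -> (salt, hash)
USERS = {"bob": make_record("correct horse battery staple")}
DUMMY = (b"\x00" * 16, b"\x00" * 32)  # hashed against for unknown users to keep timing uniform

def basic_header(user: str, password: str) -> str:
    """Client side: the base64 'user:password' token that goes in the Authorization header."""
    return "Basic " + base64.b64encode(f"{user}:{password}".encode("utf-8")).decode("ascii")

def parse_basic_auth(header: Optional[str]) -> Optional[Tuple[str, str]]:
    """Server side: return (user, password) from the header, or None if it is malformed."""
    if not header:
        return None
    scheme, _, token = header.partition(" ")
    if scheme.lower() != "basic" or not token.strip():
        return None
    try:
        raw = base64.b64decode(token.strip(), validate=True).decode("utf-8")
    except (ValueError, UnicodeDecodeError):  # binascii.Error is a ValueError
        return None
    if ":" not in raw:
        return None
    user, _, password = raw.partition(":")  # only the first ':' separates the fields
    return user, password

def verify_credentials(user: str, password: str) -> bool:
    """Constant-time comparison; unknown users are hashed against a dummy record."""
    record = USERS.get(user)
    salt, expected = record if record is not None else DUMMY
    _, actual = make_record(password, salt)
    return hmac.compare_digest(actual, expected) and record is not None

def authenticate(scheme: str, auth_header: Optional[str]) -> Tuple[int, Optional[str]]:
    """Returns (HTTP status, user). Plain HTTP is refused before credentials are even read."""
    if scheme != "https":
        return 403, None
    creds = parse_basic_auth(auth_header)
    if creds is None or not verify_credentials(*creds):
        return 401, None  # a real handler also sends WWW-Authenticate: Basic realm="myapi"
    return 200, creds[0]
```

In a real handler the scheme comes from the request (or from X-Forwarded-Proto behind a TLS-terminating proxy), which is what makes the "HTTPS only" part of the answer enforceable server-side rather than a deployment promise.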