RESTful authentication. Client side, without authentication

I am implementing a set of RESTful services for some developments, and one of them is an authentication service.

This authentication service authenticates two types of identity:

  • Applications. Authentication is based on an AppKey, so customers must register for a key to gain access to the other services.
  • Users. Known-user authentication (username + password), so that people and machines can use these RESTful services through client applications.

These RESTful services are stateless.

When a client application authenticates using the authentication service, or when a person or a machine authenticates as an identity using credentials, the two operations generate an AppToken and a UserToken respectively.

These tokens are a salted hash, so that subsequent requests to the RESTful infrastructure can be authenticated without exchanging AppKeys or credentials.

From the point of view of a completely stateless approach, these tokens should not be stored at the service level but in some kind of client state (e.g. a web client would store them in HTTP cookies). This is how my current implementation works right now.

, , , , , , , , AppToken UserToken, ( ), , , , .

? . -, cookie , cookie .

RESTful : - . - -.


, - , (fe, 1 , 3 , ...), , , (8 , )?. , ?


  • , , , , , (fe 24 ).


! - 1., 2. 3. - ?





  • , HTTPS/SSL.


  • . (AppKey).


  • (AppToken), , .

  • AppToken - ( JSON):

    • (* SHA - ), . + ( ). date?. , - ? , , + AppKey , .
    • . UTC + .
    • . UTC DateT + , .
  • 4 (, JSON). ** AppKey . Rijndael .

  • , . AppKey, , .

  • , AppToken. , , , .


.NET :

  • System.Security.Cryptography.RijndaelManaged . AppKey, AppToken ( ) RijndaelManaged.

  • HEX. . (API RESTFul) HEX, AppToken, ​​ . , HEX, , , , .


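The encrypted AppToken this answer sketches, written out as an added example in Go; it is not code from the answer or from the asker's .NET implementation. The answer encrypts a JSON document (an identifier, a creation date and an expiry date in UTC) with Rijndael under the AppKey and hex-encodes the result. The example keeps that shape but assumes AES-GCM as the AES mode, so that tampering with the expiry field is detected instead of silently decrypting to garbage, and assumes the cipher key is derived from the AppKey with SHA-256 so that any AppKey length works. The `client_id` field name and the demo AppKey are made up for the example.

```go
package main

import (
	"crypto/aes"
	"crypto/cipher"
	"crypto/rand"
	"crypto/sha256"
	"encoding/hex"
	"encoding/json"
	"errors"
	"fmt"
	"time"
)

// AppTokenPayload is the JSON document the answer describes: the client the
// token was issued to plus creation and expiry timestamps, all in UTC.
type AppTokenPayload struct {
	ClientID string    `json:"client_id"`
	Created  time.Time `json:"created"`
	Expires  time.Time `json:"expires"`
}

// tokenKey derives a 256-bit AES key from the AppKey. The answer uses the
// AppKey directly as the Rijndael key; hashing it first is this example's
// assumption so that an AppKey of any length yields a valid key size.
func tokenKey(appKey string) []byte {
	sum := sha256.Sum256([]byte(appKey))
	return sum[:]
}

func newAEAD(appKey string) (cipher.AEAD, error) {
	block, err := aes.NewCipher(tokenKey(appKey))
	if err != nil {
		return nil, err
	}
	return cipher.NewGCM(block)
}

// IssueAppToken encrypts the payload with AES-GCM and returns
// hex(nonce || ciphertext || tag). An authenticated mode is used so that a
// client cannot edit the expiry field without the token failing to decrypt.
func IssueAppToken(appKey, clientID string, now time.Time, ttl time.Duration) (string, error) {
	plain, err := json.Marshal(AppTokenPayload{
		ClientID: clientID,
		Created:  now.UTC(),
		Expires:  now.UTC().Add(ttl),
	})
	if err != nil {
		return "", err
	}
	aead, err := newAEAD(appKey)
	if err != nil {
		return "", err
	}
	nonce := make([]byte, aead.NonceSize())
	if _, err := rand.Read(nonce); err != nil {
		return "", err
	}
	sealed := aead.Seal(nil, nonce, plain, nil)
	return hex.EncodeToString(append(nonce, sealed...)), nil
}

// ValidateAppToken decodes, authenticates and decrypts the token, then
// enforces the embedded expiry. A wrong AppKey or any modified byte fails
// at aead.Open, before the JSON is parsed.
func ValidateAppToken(appKey, token string, now time.Time) (*AppTokenPayload, error) {
	raw, err := hex.DecodeString(token)
	if err != nil {
		return nil, errors.New("token is not hex")
	}
	aead, err := newAEAD(appKey)
	if err != nil {
		return nil, err
	}
	ns := aead.NonceSize()
	if len(raw) < ns+aead.Overhead() {
		return nil, errors.New("token too short")
	}
	plain, err := aead.Open(nil, raw[:ns], raw[ns:], nil)
	if err != nil {
		return nil, errors.New("token failed authentication")
	}
	var p AppTokenPayload
	if err := json.Unmarshal(plain, &p); err != nil {
		return nil, err
	}
	if !now.Before(p.Expires) {
		return nil, errors.New("token expired")
	}
	return &p, nil
}

func main() {
	now := time.Now()
	tok, err := IssueAppToken("demo-app-key", "client-42", now, time.Hour)
	if err != nil {
		panic(err)
	}
	fmt.Println("AppToken:", tok)
	p, err := ValidateAppToken("demo-app-key", tok, now.Add(30*time.Minute))
	fmt.Printf("within ttl: payload=%+v err=%v\n", p, err)
	_, err = ValidateAppToken("demo-app-key", tok, now.Add(2*time.Hour))
	fmt.Println("after ttl:", err)
}
```

The service never looks at the JSON until the GCM tag has verified, so a client holding its own token cannot extend the expiry by flipping bytes; an unauthenticated block-cipher mode on its own does not give that guarantee, which is the main thing to check before reusing an encrypt-only token design.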


  • [X]SS - X, S
  • [X|Y] - X Y
  • Y [M]SY -> S - Y M S.

: C S.

  • C PKC A, C (PKA).

  • A [now + interval | user-id or PKC]SA -> C


    A / . , PKC ( , ).

    [now + interval | user-id or PKC] = T

    A ;

    [T]SA

  • C - S.

  • C [[M|[T]SA]SC -> S

    C M , A, S.

  • S , C C- SC, .

    S SA . , .

    S [T]SA: user-id/PKC >= . C. , .

    (: S C, )

  • S [M2]SS C.


'# Sign Data RSA Bouncy Castle , , .

; ( !)), , (CSR), .

Post Scriptum

- , , /. PKC , , .

, , , (UUID/GUID) T , , UUID . , , T.
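The ticket exchange between C, A and S that this answer describes, as an added example in Go (not the answerer's code). It assumes Ed25519 in place of the RSA/Bouncy Castle signatures the answer mentions, JSON for serializing T and the request C signs, and reads the post scriptum's UUID as a random ticket identifier which, together with a per-request nonce, lets S refuse replays. The message texts, field names and key variable names are made up for the example.

```go
package main

import (
	"crypto/ed25519"
	"crypto/rand"
	"encoding/hex"
	"encoding/json"
	"errors"
	"fmt"
	"time"
)

// Ticket is T = [now + interval | PKC]: C's public key bound to an expiry.
// ID is the random identifier the post scriptum suggests adding.
type Ticket struct {
	ID       string            `json:"id"`
	Expires  time.Time         `json:"expires"`
	ClientPK ed25519.PublicKey `json:"client_pk"`
}

// SignedTicket is [T]SA: the serialized ticket and A's signature over it.
type SignedTicket struct{ T, Sig []byte }

// Request is [M | [T]SA]SC plus a per-request nonce, so S can refuse the
// same request replayed while the ticket is still valid.
type Request struct {
	M, Nonce []byte
	Ticket   SignedTicket
	Sig      []byte
}

func mustRandom(n int) []byte {
	b := make([]byte, n)
	if _, err := rand.Read(b); err != nil {
		panic(err)
	}
	return b
}

// IssueTicket is A's step: having authenticated C (out of scope here), A
// signs PKC together with an expiry. Marshaling these fixed types cannot fail.
func IssueTicket(authSK ed25519.PrivateKey, clientPK ed25519.PublicKey, now time.Time, interval time.Duration) SignedTicket {
	t, _ := json.Marshal(Ticket{ID: hex.EncodeToString(mustRandom(16)), Expires: now.UTC().Add(interval), ClientPK: clientPK})
	return SignedTicket{T: t, Sig: ed25519.Sign(authSK, t)}
}

// signedPart is what C signs; JSON framing keeps M, the nonce and the
// ticket from running into one another as plain concatenation would.
func signedPart(r Request) []byte {
	b, _ := json.Marshal(struct{ M, Nonce, T, Sig []byte }{r.M, r.Nonce, r.Ticket.T, r.Ticket.Sig})
	return b
}

// BuildRequest is C's step: the message and the ticket, signed with SC.
func BuildRequest(clientSK ed25519.PrivateKey, m []byte, st SignedTicket) Request {
	r := Request{M: m, Nonce: mustRandom(16), Ticket: st}
	r.Sig = ed25519.Sign(clientSK, signedPart(r))
	return r
}

// Service is S: it trusts PKA, owns SS and remembers accepted nonces per ticket.
type Service struct {
	AuthPK ed25519.PublicKey
	SK     ed25519.PrivateKey
	Seen   map[string]bool
}

// Handle checks in the order the answer gives: A's signature over T, then
// C's signature using the PKC carried inside T (length-checked first, since
// ed25519.Verify panics on a malformed key), then expiry and replay.
// On success it returns M2 and S's signature over it.
func (s *Service) Handle(r Request, now time.Time) ([]byte, []byte, error) {
	if !ed25519.Verify(s.AuthPK, r.Ticket.T, r.Ticket.Sig) {
		return nil, nil, errors.New("ticket was not issued by A")
	}
	var t Ticket
	if err := json.Unmarshal(r.Ticket.T, &t); err != nil {
		return nil, nil, err
	}
	if len(t.ClientPK) != ed25519.PublicKeySize || !ed25519.Verify(t.ClientPK, signedPart(r), r.Sig) {
		return nil, nil, errors.New("request was not signed by the ticket's owner")
	}
	if !now.Before(t.Expires) {
		return nil, nil, errors.New("ticket expired")
	}
	key := t.ID + ":" + hex.EncodeToString(r.Nonce)
	if s.Seen[key] {
		return nil, nil, errors.New("replayed request")
	}
	s.Seen[key] = true
	m2 := append([]byte("ok: "), r.M...)
	return m2, ed25519.Sign(s.SK, m2), nil
}

func main() {
	authPK, authSK, _ := ed25519.GenerateKey(nil)
	clientPK, clientSK, _ := ed25519.GenerateKey(nil)
	_, serviceSK, _ := ed25519.GenerateKey(nil)
	svc := &Service{AuthPK: authPK, SK: serviceSK, Seen: map[string]bool{}}
	req := BuildRequest(clientSK, []byte("GET /orders/17"), IssueTicket(authSK, clientPK, time.Now(), 10*time.Minute))
	m2, _, err := svc.Handle(req, time.Now())
	fmt.Printf("%s err=%v\n", m2, err)
}
```

Because PKC travels inside the signed T, S needs no client registry: a stolen ticket is useless without SC, and a ticket minted by anyone other than A fails the first check. The Seen map is the one piece of state S keeps, and it can be scoped to the ticket's lifetime since an expired ticket is refused before the replay check is reached.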


, . . Amazon REST , :

API- Amazon S3 REST HTTP -HMAC ( Hash Message) . , . AWS HMAC . " ", HMAC "" . , , , .

Amazon.


  • SSL, , .
  • , . REST- , . , nonce.
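The Amazon S3 style request signing this answer points to, as an added example in Go (not Amazon's actual signing algorithm and not the answerer's code): the client signs a canonical form of each request with HMAC-SHA256 over a shared secret that is never sent, and the server recomputes the MAC, compares it in constant time, enforces a clock-skew window on the timestamp and refuses a nonce it has already accepted, which addresses the replay point raised at the end of the answer. The canonical string layout, the five-minute window and the access key names are assumptions made for the example.

```go
package main

import (
	"crypto/hmac"
	"crypto/sha256"
	"encoding/hex"
	"errors"
	"fmt"
	"strconv"
	"time"
)

// SignedRequest holds everything the signature covers. Timestamp is Unix
// seconds; Nonce is a client-chosen value that must not repeat.
type SignedRequest struct {
	AccessKeyID string
	Method      string
	Path        string
	Timestamp   int64
	Nonce       string
	Body        []byte
	Signature   string // hex(HMAC-SHA256(secret, stringToSign))
}

// stringToSign is the canonical request: one field per line so that two
// different requests cannot serialize to the same bytes.
func stringToSign(r SignedRequest) []byte {
	bodyHash := sha256.Sum256(r.Body)
	return []byte(r.Method + "\n" + r.Path + "\n" + strconv.FormatInt(r.Timestamp, 10) +
		"\n" + r.Nonce + "\n" + hex.EncodeToString(bodyHash[:]))
}

// Sign is the client side: only the MAC goes on the wire, never the secret.
func Sign(secret string, r SignedRequest) SignedRequest {
	mac := hmac.New(sha256.New, []byte(secret))
	mac.Write(stringToSign(r))
	r.Signature = hex.EncodeToString(mac.Sum(nil))
	return r
}

// Verifier is the server side: a secret per access key, a clock-skew
// window, and the nonces accepted inside that window.
type Verifier struct {
	Secrets map[string]string
	Window  time.Duration
	seen    map[string]int64 // accessKeyID:nonce -> request timestamp
}

func NewVerifier(secrets map[string]string, window time.Duration) *Verifier {
	return &Verifier{Secrets: secrets, Window: window, seen: map[string]int64{}}
}

// Verify recomputes the signature, then applies the freshness checks.
func (v *Verifier) Verify(r SignedRequest, now time.Time) error {
	secret, ok := v.Secrets[r.AccessKeyID]
	if !ok {
		return errors.New("unknown access key")
	}
	// Constant-time comparison: never compare MACs with == on strings.
	want := Sign(secret, r).Signature
	if !hmac.Equal([]byte(want), []byte(r.Signature)) {
		return errors.New("signature mismatch")
	}
	skew := now.Unix() - r.Timestamp
	if skew < 0 {
		skew = -skew
	}
	if time.Duration(skew)*time.Second > v.Window {
		return errors.New("timestamp outside allowed window")
	}
	// Forget nonces older than the window: a replay carrying one of them
	// would already fail the skew check, so the set stays bounded.
	cutoff := now.Add(-v.Window).Unix()
	for k, ts := range v.seen {
		if ts < cutoff {
			delete(v.seen, k)
		}
	}
	key := r.AccessKeyID + ":" + r.Nonce
	if _, dup := v.seen[key]; dup {
		return errors.New("nonce already used")
	}
	v.seen[key] = r.Timestamp
	return nil
}

func main() {
	v := NewVerifier(map[string]string{"AKIA-demo": "s3cret"}, 5*time.Minute)
	now := time.Now()
	req := Sign("s3cret", SignedRequest{AccessKeyID: "AKIA-demo", Method: "PUT", Path: "/bucket/report.csv",
		Timestamp: now.Unix(), Nonce: "6f1c0b2e", Body: []byte("id,total\n1,42\n")})
	fmt.Println("signature:", req.Signature)
	fmt.Println("first attempt:", v.Verify(req, now))
	fmt.Println("replay:", v.Verify(req, now))
}
```

The body hash is part of the signed string, so a captured PUT cannot be re-sent with a different payload even within the window; the nonce set is what stops it from being re-sent unchanged, and pruning it by timestamp is what keeps that state from growing without bound.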
