Open authentication mechanism for REST

I am developing a new service that will allow "customers" to register and pay usage fees for the specific searches that they perform. This service will be exposed through RESTful and SOAP interfaces. Typically, the web service will be integrated into the client's website and then exposed to the "public", so that someone can use the client's website and take advantage of my web service's features (which the client pays for, but has full control over, to moderate requests so they don't spend too much money).

I want to create a service that optimizes integration to make it as simple as possible. The web service API will change, so forcing customers to create an internal proxy server to publish the web service to the public is in some cases an excessive burden for them. So the problem, as I see it, is creating a web service that balances authentication, security and integration.

Ideal

  • Do not use OAuth
  • Avoid forcing the client to create an internal proxy that re-provides the same web services API as I do.
  • Be secure (token, username/pass and all over SSL)
  • Embed the javascript library on the client website. It will be a JavaScript client library to simplify integration.
  • The Javascript library should be safe enough so that the public cannot just grab the credentials and reuse it themselves.
  • Avoid hacks where possible, so the web service does not need to be rebuilt when Firefox 87 comes out (to be released in so many minutes) and breaks it into fubar.

It seems that this requires some kind of three-party authentication process, i.e. one that authenticates a particular user (the public), the client (the client's website) and the web service.

Has anyone implemented something similar and how did they deal with this situation?

I also understand that there is a balance between what can be done and what would violate cross-domain security, so maybe the whole web service could be exposed through another GET interface that returns JSONP data.

/** Addition **/

-, , . , . , , - .

-, , -, Javascript . - , Javascript script, .

-, script , . , - , "client-lib.js" - , - , "" "".

? - http-, ? ?

+5
2

, SO, - .

, , , , . , , .

, , , , , . , , , , .

, , :

  • , .
  • , , , . , - , .
  • , -, , URI .

- , , .

JS-, FF. , jQuery JS - AJAX.

script, - :

http://www.yourdomain.com/scripts/library.js?key={shared key}

, , :

  • , . - - - ​​ . 401: Unauthorized.
  • , ( , ) - , URI, . , -.
  • , .

- JS , , - , , . AJAX , , . RESTful - . cookie.

- - voila - .

, , , . - .

, , .

+2

- - (, javascript, , , ):

* ,

* js, js :

<script type="text/javascript" src="http://your.server.com/js.php?token=###&widget=xxx"></script>

<script type="text/javascript" src="http://your.server.com/js.js?token=###&widget=xxx"></script>

.htaccess

* php , , , js lib, -

* js ajax .., HTML ( , ..).

* , , , == server

EDIT:

REFERER HTTP .

, , , , / . AJAX, . , - oAuth

, , CSRF en.wikipedia.org/wiki/Cross-site_request_forgery

( , ), CSRF. - .

+1
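Putting together what survives of both answers (a script URL that carries a shared key, a 401 Unauthorized when the check fails, a check on the HTTP Referer, and the CSRF concern), here is an added example of the flow; it is not code from the question or from either answer. The HMAC-signed short-lived page token, the client registry, the URL and the header names are my assumptions, chosen only to show how the pieces fit:

```python
"""Added example: a script endpoint that hands a short-lived page token to the
client's embedded JS library, and an API endpoint that requires that token.

Assumptions not stated on the page: the shared key identifies a registered
client, each client has a list of allowed hostnames, and tokens are HMAC-signed
and bound to the page's host. Pure functions, so it runs offline without a
web framework; a real deployment would wrap these in request handlers.
"""
import base64
import binascii
import hashlib
import hmac
import json
from urllib.parse import parse_qs, urlsplit

SERVER_SECRET = b"constructed-demo-secret-rotate-me"  # constructed sample value
TOKEN_TTL = 300  # seconds a page token stays valid (assumed policy)

# Constructed client registry: shared key -> client record (assumed schema).
CLIENTS = {
    "k-acme-001": {"client_id": "acme", "hosts": ["shop.acme.example"]},
}


def _b64(data: bytes) -> str:
    return base64.urlsafe_b64encode(data).rstrip(b"=").decode()


def _unb64(s: str) -> bytes:
    return base64.urlsafe_b64decode(s + "=" * (-len(s) % 4))


def issue_token(client_id: str, host: str, now: float) -> str:
    """Sign {client, host, expiry} so the API can later tie a call to the page."""
    payload = json.dumps(
        {"c": client_id, "h": host, "exp": int(now) + TOKEN_TTL},
        separators=(",", ":"),
    ).encode()
    sig = hmac.new(SERVER_SECRET, payload, hashlib.sha256).digest()
    return _b64(payload) + "." + _b64(sig)


def verify_token(token: str, host, now: float):
    """Return the client_id if the token is intact, unexpired and bound to host."""
    try:
        p64, s64 = token.split(".", 1)
        payload, sig = _unb64(p64), _unb64(s64)
    except (ValueError, binascii.Error):
        return None
    expected = hmac.new(SERVER_SECRET, payload, hashlib.sha256).digest()
    if not hmac.compare_digest(sig, expected):  # constant-time comparison
        return None
    data = json.loads(payload)
    if data.get("h") != host or data.get("exp", 0) < now:
        return None
    return data.get("c")


def serve_library(url: str, headers: dict, now: float):
    """GET /scripts/library.js?key=...  ->  (status, body).

    The shared key selects the client; the Referer host must be one the client
    registered, otherwise 401. On success the JS bundle embeds a page token.
    """
    key = parse_qs(urlsplit(url).query).get("key", [None])[0]
    client = CLIENTS.get(key)
    if client is None:
        return 401, "Unauthorized"
    host = urlsplit(headers.get("Referer", "")).hostname
    if host not in client["hosts"]:
        return 401, "Unauthorized"
    token = issue_token(client["client_id"], host, now)
    body = f"var WS_TOKEN={json.dumps(token)};\n// ... rest of client-lib.js ...\n"
    return 200, body


def handle_api_call(headers: dict, now: float):
    """Protected search endpoint: the AJAX call must carry the page token."""
    host = urlsplit(headers.get("Referer", "")).hostname
    client_id = verify_token(headers.get("X-WS-Token", ""), host, now)
    if client_id is None:
        return 401, "Unauthorized"
    return 200, {"client": client_id, "results": []}
```

The Referer check only keeps a browser on some other site from loading the library with the client's key; anything that is not a browser can send whatever Referer it likes, so the shared key is really a billing identifier and the token's short lifetime and host binding are what limit reuse. A custom header such as the assumed `X-WS-Token` (rather than a cookie) also means a forged cross-site form post does not carry the credential, which is the CSRF point the second answer links to.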
