使用OAuth服务器到服务器的身份验证?
我目前正在指定我公司的新的合作伙伴/公共API,这将是一个面向资源的RESTful Web服务。此刻的拼图缺少的部分是认证/授权。
I'm currently working to specify my company's new partner/public API, which will be a resource-oriented RESTful web service. The missing piece of the puzzle at the moment is authentication/authorization.
的要求是:
- 最初,它必须适用于服务器到服务器的环境中,例如服务器应用程序必须能够识别自己,使我们知道是谁在调用API。
- 在未来,我们希望允许它模拟用户帐户,从而以及服务器被识别,将有一个令牌重新presents的用户帐户的有限的一段时间。
OAuth的,似乎是理想的(2)得到一个道理,重定向到用户在其中输入他们的凭证,授权它的网站,然后使用该令牌识别/验证这两个应用程序和用户的工作流程。
OAuth seems to be ideal for (2) with the workflow of getting a token, redirecting to the website where the user enters their credentials to authorize it, and then using that token which identifies/authenticates both the application and the user.
不过,从我看过,我不知道它是否适用于(1) - 即是没有什么办法,OAuth的,可以使用的只是的识别调用应用程序,而无需一个有效的用户特定的标记,因而不需要被重定向到一个网页,让他们输入凭据?
However, from what I have read, I don't know if it is suitable for (1) - i.e. is there any way that OAuth can be used just to identify the calling application without having a valid user-specific token and thus not needing to be redirected to a web page for them to enter their credentials?
是的,令牌的使用寿命,可以不设置为过期,直到你这么说。所以,你(手动)完成身份验证和授权,并保存供以后使用授权令牌。
Yes, the lifetime of the token can be set not to expire until you say so. So, you'd (manually) complete the authentication and authorisation, and save the authorized token for later use.
(您可以使用所有测试客户端来帮助您完成该手册的一部分,或者当你实现服务器自己:用一个所谓的双向OAuth)
(You can use any test client to help you complete that manual part, or while you're implementing the server yourself: use a so-called two-legged OAuth.)