Web 服务客户端证书/身份验证最佳实践的解决方案
我有一个简单的 Web 服务,它有一个允许第三方开发人员访问的 API.API 主要遵循 REST 原则.
I have a simple web service that has an API third party developers are allowed to access. The API mostly follows REST principles.
我对通过要求开发人员使用客户端证书来提高 API 安全性的解决方案感兴趣.是否有任何开源解决方案或其他实施建议可以帮助基于 REST 的 API 使用用户级证书进行身份验证?
I'm interested in solutions to make the API more secure by requiring developers to use client certificates. Is there any open source solutions or other implementation advice any of you have that would assist in REST based APIs using user level certificates for auth?
我的一般建议是将 API 与身份验证例程分开.您的网络服务器应该为您处理交互.
My generic advice would be to keep your API separate from your authentication routines. Your web server should handle the interaction for you.
适用于您的客户端证书方案的解决方案取决于您的环境.您尚未在此处发布该内容,但似乎有针对性的 Google 搜索应该能让您了解什么是必要的.
Solutions for your side of the client-certificate scenario are dependent on your environment. You haven't posted that here, but it seems a targeted Google search should give you an idea of what's necessary.
由于您向其他方提供 API,因此您确实需要考虑为这些开发人员提供环境支持.您在 REST 基础上做得很好,而且大多数编程环境都可以很好地与这些环境进行互操作.
Since you're providing an API to other parties, you do have some consideration regarding environment support for those developers. You're doing well with a REST basis, and most programming environments are going to interoperate with those rather well.
客户端证书支持在跨环境、平台等方面的支持效率可能会有所不同.此外,当您需要证书时,您现在会影响客户端实施.这几乎肯定会让您处于要求您支持客户并让他们使用您的 API 运行的位置.这意味着熟悉其他语言、网络服务器、框架等.
Client certificate support is likely going vary in terms of support efficiency across environments, platforms, etc. Additionally, you're now affecting client-side implementation when you require certificates. This will almost certainly put you in a position of requiring you to support your customers and get them up and running with your API. That means familiarity with other languages, web servers, frameworks, etc.