How do I grant access to mobile and web apps to a single RESTful API application

I intend to write a Vue web app that accesses the backend through an API. The web app itself has a frontend and a backend that requires login. I intend to grant API access to the web app, an Android app and an iOS app. The question is, how do I grant backend permission to specific apps on different platforms without using OAuth, Auth0 or Okta? Can JWT work in such cases?

JWT for authentication

Question is, how do I grant backend permission to specific apps on different platforms without using OAuth, Auth0 or Okta.

Auth0 and Okta are authentication providers that use the OAuth2 and/or OpenID Connect standards to authenticate users, and the resulting token is a JWT, more precisely a signed JWT, which is known as a JWS:

A JSON Web Signature (abbreviated JWS) is an IETF-proposed standard (RFC 7515) for signing arbitrary data.
This is used as the basis for a variety of web-based technologies including JSON Web Token.

Can JWT work in such cases?

Yes, you just need to find the right packages to use in your API server and in your frontends.

Keep in mind that user authentication only identifies the Who in the request, not the What that is performing the request, and in my experience I see this is a common misconception among developers, be they junior or senior.

The difference between Who and What is accessing your API server

I wrote a series of articles around API and Mobile security, and in the article Why Does Your Mobile App Need An Api Key? I go into more detail about the difference between Who and What is accessing your API server:

The what is the thing making the request to the API server. Is it really a genuine instance of your mobile app, or is it a bot, an automated script or an attacker manually poking around your API server with a tool like Postman?

The who is the user of the mobile app that we can authenticate, authorize and identify in several ways, like using OpenID Connect or OAUTH2 flows.

I hope that after reading this you realize that the Who is the user your API server will be able to authenticate and authorize access to the data, and the What is the software making the request on behalf of the user.

Locking the API server to specific apps

I intend to grant API access to the web app, an Android app and an iOS app. Question is, how do I grant backend permission to specific apps on different platforms without using OAuth, Auth0 or Okta.

Well, you bought yourself a hard problem to solve, but we developers like challenges, don't we ;)

While user authentication lets the API server know Who is using the API, it cannot guarantee that the request comes from What you expect, the original version of your mobile app or web app, and to your surprise you may end up finding that sometimes your own legitimate users may try to bypass your service and use a repackaged version of your mobile app or automated scripts to access features or advantages they otherwise would not be able to get.

To protect your API server you need to apply as many layers of defense in depth as possible (just like it was done in castles in past centuries) and as may be required by law or by the regulations of specific markets.

For web apps

In the context of a web app you may want to follow my suggestions in this answer to the question Securing an API from being called by apps, specifically the section titled Defending the API Server.

For mobile apps

For mobile apps the API server can have more confidence in What is making the request when using the concept of Mobile App Attestation, and you can read this answer I gave to the question How to secure an API REST for mobile app? for more details. You need to read specifically the sections Securing the API Server and A Possible Better Solution.

Do you want to go the extra mile?

In any response to a security question I always like to reference the excellent work of the OWASP Foundation, which can help you improve the security of your apps and servers.

For web apps

OWASP Web Top 10 Risks

The OWASP Top 10 is a powerful awareness document for web application security. It represents a broad consensus about the most critical security risks to web applications. Project members include a variety of security experts from around the world who have shared their expertise to produce this list.

The Web Security Testing Guide:

The OWASP Web Security Testing Guide includes a "best practice" penetration testing framework which users can implement in their own organizations and a "low level" penetration testing guide that describes techniques for testing most common web application and web service security issues.

For mobile apps

OWASP Mobile Security Project - Top 10 risks

The OWASP Mobile Security Project is a centralized resource intended to give developers and security teams the resources they need to build and maintain secure mobile applications. Through the project, our goal is to classify mobile security risks and provide developmental controls to reduce their impact or likelihood of exploitation.

OWASP - Mobile Security Testing Guide:

The Mobile Security Testing Guide (MSTG) is a comprehensive manual for mobile app security development, testing and reverse engineering.

For APIs

OWASP API Security Top 10

The OWASP API Security Project seeks to provide value to software developers and security assessors by underscoring the potential risks in insecure APIs, and illustrating how these risks may be mitigated. In order to facilitate this goal, the OWASP API Security Project will create and maintain a Top 10 API Security Risks document, as well as a documentation portal for best practices when creating or assessing APIs.
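The answer above says JWT can work and that user authentication only identifies the Who, not the What. The following is an added example, not code from the question or the answer: a minimal JWS (HS256) login and verification pair for an API shared by a web, Android and iOS client, using only the Python standard library. The signing key, the user record and the app identifiers (`web-vue`, `android`, `ios`) are constructed demo data. The `app_id` claim shows why the token alone cannot establish the What: the server can only record what the client *claimed* at login, and any script holding the token (or the user's credentials) gets exactly the same answer as the genuine app.

```python
"""Minimal JWS (HS256) issue/verify for a REST API with web, Android and iOS clients.

Added example, not the original answer's code. Standard library only; the secret,
users and app identifiers below are constructed for the demo.
"""
import base64
import hashlib
import hmac
import json
import time

# Constructed demo data. In production the signing key comes from a secrets manager
# and passwords are stored as salted hashes, never in plaintext.
API_SIGNING_KEY = b"demo-only-shared-secret-change-me"
KNOWN_APPS = {"web-vue", "android", "ios"}
USERS = {"alice": "correct horse battery staple"}


def _b64url(data: bytes) -> str:
    """Base64url without padding, as required by RFC 7515."""
    return base64.urlsafe_b64encode(data).rstrip(b"=").decode("ascii")


def _b64url_decode(s: str) -> bytes:
    return base64.urlsafe_b64decode(s + "=" * (-len(s) % 4))


def issue_token(username: str, password: str, app_id: str, now=None, ttl: int = 900) -> str:
    """Login endpoint. 'sub' is the Who; 'app_id' is only what the client says it is."""
    if USERS.get(username) != password:
        raise PermissionError("bad credentials")
    if app_id not in KNOWN_APPS:
        raise PermissionError("unknown app id")
    now = int(time.time()) if now is None else now
    header = {"alg": "HS256", "typ": "JWT"}
    payload = {"sub": username, "app_id": app_id, "iat": now, "exp": now + ttl}
    signing_input = (
        _b64url(json.dumps(header, separators=(",", ":")).encode())
        + "."
        + _b64url(json.dumps(payload, separators=(",", ":")).encode())
    )
    sig = hmac.new(API_SIGNING_KEY, signing_input.encode(), hashlib.sha256).digest()
    return signing_input + "." + _b64url(sig)


def verify_token(token: str, now=None) -> dict:
    """Resource endpoint: check structure, pinned algorithm, signature and expiry."""
    parts = token.split(".")
    if len(parts) != 3:
        raise PermissionError("malformed token")
    h64, p64, s64 = parts
    header = json.loads(_b64url_decode(h64))
    # Pin the algorithm server-side; never trust the token's 'alg' (rejects 'none').
    if header.get("alg") != "HS256":
        raise PermissionError("unexpected alg")
    expected = hmac.new(API_SIGNING_KEY, f"{h64}.{p64}".encode(), hashlib.sha256).digest()
    if not hmac.compare_digest(expected, _b64url_decode(s64)):
        raise PermissionError("bad signature")
    claims = json.loads(_b64url_decode(p64))
    now = int(time.time()) if now is None else now
    if claims.get("exp", 0) <= now:
        raise PermissionError("expired")
    return claims


def forge_claims(token: str, **changes) -> str:
    """What a client without the key can try: edit the payload, keep the old signature."""
    h64, p64, s64 = token.split(".")
    claims = json.loads(_b64url_decode(p64))
    claims.update(changes)
    return h64 + "." + _b64url(json.dumps(claims, separators=(",", ":")).encode()) + "." + s64


def handle_request(token: str, now=None) -> dict:
    """Protected endpoint. Returns who the server knows and what it was merely told."""
    claims = verify_token(token, now)
    return {"who": claims["sub"], "claimed_what": claims["app_id"]}


if __name__ == "__main__":
    t0 = 1_700_000_000
    genuine = issue_token("alice", "correct horse battery staple", "android", now=t0)
    # A curl script or repackaged app replaying the same token is indistinguishable.
    print(handle_request(genuine, now=t0 + 60))
```

Tampering with the payload (for example rewriting `app_id`) invalidates the HMAC, and an expired or `alg: none` token is rejected, so the signature does give you integrity and a Who. Establishing the What is a separate control, which is why the answer points at defending the API server and at mobile app attestation rather than at the token format.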