What is the name for this auth pattern used by PyPI with tokens?
If you upload files to PyPI, you can authenticate with a username and password, or you can authenticate with just a token, sending the string __token__ followed by the prefixed token:
To use an API token:
Set your username to __token__
Set your password to the token value, including the pypi- prefix
You can see more details on their page:
https://pypi.org/help/#apitoken
This seems clever - it doesn't break things for people using old-style credentials, but it lets you bind a reduced set of permissions to a given token, which seems more secure.
What is the name for this pattern, which supports both ways of authorizing? I mean beyond the name 'token based authentication', since that doesn't account for the fallback offered here.
Beyond the obvious downside that someone only needs to get hold of the token to send potentially malicious requests, what other downsides does this approach have?
I'm using RSS in a project, and this seems like a good way to provide access for legacy RSS readers while still supporting more use cases for the API.
PyPI admin here: we call it "a compromise". PyPI needs to remain fully backwards-compatible with existing clients that only support basic HTTP authentication, so this was really the only option available to us under that constraint.
I'm not sure there's a better name. There are other examples that use it in different ways:
- https://api.data.gov/docs/api-key/ (API key as username, empty password)
- https://stripe.com/docs/api/authentication (API key as username, empty password)
- https://docs.github.com/en/rest/overview/other-authentication-methods#via-oauth-and-personal-access-tokens (regular username, API key as password)
After digging more into issues on the warehouse project on GitHub, it turns out that the pypi- prefixed passwords/password method is actually much more powerful than I initially thought.
It's based on an authentication credential called a Macaroon, as described in this paper from Google:
This paper introduces macaroons: flexible authorization credentials for Cloud services that support decentralized delegation between principals. Macaroons are based on a construction that uses nested, chained MACs (e.g., HMACs) in a manner that is highly efficient, easy to deploy, and widely applicable.
Although macaroons are bearer credentials, like Web cookies, macaroons embed caveats that attenuate and contextually confine when, where, by who, and for what purpose a target service should authorize requests. This paper describes macaroons and motivates their design, compares them to other credential systems, such as cookies and SPKI/SDSI, evaluates and measures a prototype implementation, and discusses practical security and application considerations. In particular, it is considered how macaroons can enable more fine-grained authorization in the Cloud, e.g., by strengthening mechanisms like OAuth2, and a formalization of macaroons is given in authorization logic.
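To make the two answers concrete, here is an added example (not PyPI's or Warehouse's code, and not the real pypi- token format) of a server accepting HTTP Basic auth with the __token__ compromise: a regular username is checked against a password, while the username __token__ routes the password field to a macaroon-style verifier that recomputes the chained HMAC and checks every caveat against the request. ROOT_KEY, USERS, the token layout and the "key = value" caveat syntax are all constructed for this illustration.

```python
import base64
import hmac

# Constructed sample secrets; a real service stores password hashes, not plaintext.
ROOT_KEY = b"constructed-root-key-known-only-to-the-server"
USERS = {"alice": "correct horse battery staple"}
def _chain(identifier: str, caveats: list) -> bytes:
    # Macaroon-style signature: sig0 = HMAC(root, id); sig_i = HMAC(sig_{i-1}, caveat_i)
    sig = hmac.new(ROOT_KEY, identifier.encode(), "sha256").digest()
    for caveat in caveats:
        sig = hmac.new(sig, caveat.encode(), "sha256").digest()
    return sig

def mint_token(identifier: str, caveats: list) -> str:
    # Hypothetical token layout: "pypi-" + base64(identifier, caveats..., hex signature)
    body = "\n".join([identifier, *caveats, _chain(identifier, caveats).hex()])
    return "pypi-" + base64.urlsafe_b64encode(body.encode()).decode()

def verify_token(token: str, request: dict):
    if not token.startswith("pypi-"):
        return None
    try:
        fields = base64.urlsafe_b64decode(token[5:]).decode().split("\n")
        identifier, caveats, sig = fields[0], fields[1:-1], bytes.fromhex(fields[-1])
    except (ValueError, UnicodeDecodeError):
        return None
    if not hmac.compare_digest(_chain(identifier, caveats), sig):
        return None  # forged, truncated, or caveats edited after minting
    for caveat in caveats:  # each "key = value" caveat must hold for this request
        key, _, value = caveat.partition("=")
        if request.get(key.strip()) != value.strip():
            return None  # the token was attenuated so this request is out of scope
    return identifier

def basic_header(username: str, password: str) -> str:
    return "Basic " + base64.b64encode(f"{username}:{password}".encode()).decode()

def authenticate(authorization: str, request: dict):
    """Server side: the __token__ compromise, dispatching on the Basic-auth username."""
    scheme, _, encoded = authorization.partition(" ")
    if scheme != "Basic":
        return None
    try:
        username, _, password = base64.b64decode(encoded).decode().partition(":")
    except (ValueError, UnicodeDecodeError):
        return None
    if username == "__token__":
        return verify_token(password, request)
    ok = username in USERS and hmac.compare_digest(USERS[username].encode(), password.encode())
    return username if ok else None
```

A token minted with a "project = sampleproj" caveat authenticates as alice only for requests whose context carries that project; the same header with a different project, a tampered token, or a wrong password is rejected.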