API认证方法综述

2015-09-18 本文已影响441人哲人善思

Open api authentication

Amazon
DigitalOcean
Webchat
Weibo
QQ

1. Amazon Web Services

HMAC Hash Message Authentication Code

核心思路

【Client】以某种次序组合数据
【Client】使用private key加密组合数据生成HMAC
【Client】将数据发送至Server端，包括
- 用户标识信息，如API Key，Client ID， User ID；用以标识你是谁
- Timestamp，避免重复攻击
- 生成的HMAC
- 其他数据

【Server】接收所有数据
【Server】检查Timestamp
【Server】使用用户标识信息，查询private key
【Server】从所有数据中取出HMAC
【Server】以Client相同的次序组合数据
【Server】使用private key加密组合数据生成HMAC
【Server】匹配一致，认为请求合法

提示：private key不传输

http://docs.aws.amazon.com/general/latest/gr/sigv4-create-string-to-sign.html

http://docs.aws.amazon.com/general/latest/gr/sigv4-calculate-signature.html

http://www.thebuzzmedia.com/designing-a-secure-rest-api-without-oauth-authentication/

1.1 Amazon Simple Storage Service （One of AWS）

Developers are issued an AWS access key ID and AWS secret access key when they register.

The Amazon S3 REST API uses the standard HTTP Authorization header to pass authentication information.

Authorization: AWS AWSAccessKeyId:Signature

开发者在注册的时候，会得到一个AWS access key ID和AWS secret access key。关于请求认证，
AWSAccessKeyId用来计算signature以及标识是哪一个开发者发起的请求。

Signature是请求中选定元素的RFC 2104 HMAC-SHA1算法生成的。

Authorization = "AWS" + " " + AWSAccessKeyId + ":" + Signature;

Signature = Base64( HMAC-SHA1( YourSecretAccessKeyID, UTF-8-Encoding-Of( StringToSign ) ) )

http://docs.aws.amazon.com/AmazonS3/latest/dev/RESTAuthentication.html#ConstructingTheAuthenticationHeader

2. DigitalOcean

https

首先使用用户名密码登录管理平台
在管理平台，生成OAuth Token（实际上代替了Username和Password）
api请求在HTTP header中携带OAuth Token

curl例子

curl -X $HTTP_METHOD -H "Authorization: Bearer $TOKEN" "https://api.digitalocean.com/v2/$OBJECT"

curl -H "Authorization: Bearer $TOKEN" -H "Content-Type: application/json" -d '{"name": "example.com", "ip_address": "127.0.0.1"}' -X POST "https://api.digitalocean.com/v2/domains"

https://developers.digitalocean.com/documentation/v2/#authentication