I'm going to be developing a REST-ful Web Service for a new public website. The idea behind the web service is to have 3rd parties develop fully functional UIs for the business logic.

For security reasons, I'd like to avoid users having to give their passwords for our service to the 3rd party applications. (Perhaps this shouldn't be a big concern?) Instead, I'm looking to implement some sort of login system on our site that provides an auth token to the 3rd party app but keeps the actual password out of their hands.

This made me think that OpenID might be a potential solution here. It seems to me that it should work: the actual password is handled by the OpenID provider and so it doesn't rest with the 3rd party app. I think that the trouble would probably lie with the various passthroughs, but that should be manageable.

However, there's a surprising lack of Googleable info on this, so I'd like SO's opinion. Has anyone implemented a similar system before? Is it even possible? Is it worth the trouble?

Solution

I agree completely that what you want is OAuth; I say that having worked on both OAuth and OpenID systems. I've also been in your boat a few times, having to develop a REST web service API.

For some really good ideas on OAuth, and why it is what you want, see these attached articles. These are must-reads; there are four parts, read them all:
http://hueniverse.com/oauth/guide/

The RFC, to read after the above, as it can be a little daunting for most:
http://oauth.net/core/1.0

And then finally maybe some code. I have a couple of projects hosted that are using Java/Groovy to do OAuth. One is a plain old OAuth client, the other is a client for specific interactions with NetFlix.
http://www.blueleftistconstructor.com/projects/

If you are relatively inexperienced with REST (you haven't built a full scale web API yet) I would recommend that you buy (or better, get your boss to) "RESTful Web Services" by Richardson & Ruby. It is an O'Reilly book. I can say that it is one of their better books to debut in the past few years.

It might also help to look at some RESTful OAuth based APIs. The NetFlix API is a perfect example: http://developer.netflix.com/docs

Good luck and happy coding!
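The answer recommends OAuth and links the Core 1.0 spec but contains no code, so here is an added example, not from the original post or the answerer's projects, of the request signing that spec defines in sections 9.1 and 9.2, checked against the test vector in the spec's Appendix A. It shows the property the question asks for: the third-party consumer proves possession of its consumer secret and the token secret it was issued, and the user's password never reaches it.

```python
import base64
import hashlib
import hmac
from urllib.parse import parse_qsl, quote, urlsplit, urlunsplit

def _enc(s: str) -> str:
    # Section 5.1: RFC 3986 percent-encoding; only A-Z a-z 0-9 - . _ ~ stay unencoded.
    return quote(s, safe="")

def base_string(method: str, url: str, params: dict) -> str:
    """Signature Base String (OAuth Core 1.0 section 9.1)."""
    parts = urlsplit(url)
    scheme, host, port = parts.scheme.lower(), parts.hostname or "", parts.port
    if port and not ((scheme == "http" and port == 80) or (scheme == "https" and port == 443)):
        host = f"{host}:{port}"  # default ports are dropped, any other port is kept
    base_url = urlunsplit((scheme, host, parts.path, "", ""))
    # Query-string and oauth_* parameters are normalised together; oauth_signature
    # itself is never part of the signed input.
    pairs = list(parse_qsl(parts.query, keep_blank_values=True))
    pairs += [(k, v) for k, v in params.items() if k != "oauth_signature"]
    pairs = sorted((_enc(k), _enc(v)) for k, v in pairs)  # by name, then by value
    normalized = "&".join(f"{k}={v}" for k, v in pairs)
    return "&".join([method.upper(), _enc(base_url), _enc(normalized)])

def sign(method, url, params, consumer_secret, token_secret=""):
    """HMAC-SHA1 (section 9.2); the key is encoded consumer secret & encoded token secret."""
    key = f"{_enc(consumer_secret)}&{_enc(token_secret)}".encode()
    mac = hmac.new(key, base_string(method, url, params).encode(), hashlib.sha1)
    return base64.b64encode(mac.digest()).decode()

def verify(method, url, params, consumer_secret, token_secret, presented):
    """Service provider side: recompute over the received request, compare in constant time."""
    expected = sign(method, url, params, consumer_secret, token_secret)
    return hmac.compare_digest(expected, presented)

# Test vector from OAuth Core 1.0, Appendix A: the consumer signs with its access token; no user password involved.
SPEC_URL = "http://photos.example.net/photos?file=vacation.jpg&size=original"
SPEC_PARAMS = {
    "oauth_consumer_key": "dpf43f3p2l4k3l03",
    "oauth_token": "nnch734d00sl2jdk",
    "oauth_signature_method": "HMAC-SHA1",
    "oauth_timestamp": "1191242096",
    "oauth_nonce": "kllo9940pd9333jh",
    "oauth_version": "1.0",
}
SPEC_CONSUMER_SECRET, SPEC_TOKEN_SECRET = "kd94hf93k423kf44", "pfkkdhi9sl3r4s00"

if __name__ == "__main__":
    sig = sign("GET", SPEC_URL, SPEC_PARAMS, SPEC_CONSUMER_SECRET, SPEC_TOKEN_SECRET)
    print(sig, verify("GET", SPEC_URL, SPEC_PARAMS, SPEC_CONSUMER_SECRET, SPEC_TOKEN_SECRET, sig))
```

A service provider must also record nonces and reject replays and stale timestamps (section 8 of the spec), which this snippet leaves out.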
08-20 08:12