Solutions to web service client certificates/auth best practices

亡梦爱人 提交于 2019-12-06 03:49:18

问题


I have a simple web service that has an API third party developers are allowed to access. The API mostly follows REST principles.

I'm interested in solutions to make the API more secure by requiring developers to use client certificates. Is there any open source solutions or other implementation advice any of you have that would assist in REST based APIs using user level certificates for auth?


回答1:


My generic advice would be to keep your API separate from your authentication routines. Your web server should handle the interaction for you.

Solutions for your side of the client-certificate scenario are dependent on your environment. You haven't posted that here, but it seems a targeted Google search should give you an idea of what's necessary.

Since you're providing an API to other parties, you do have some consideration regarding environment support for those developers. You're doing well with a REST basis, and most programming environments are going to interoperate with those rather well.

Client certificate support is likely going vary in terms of support efficiency across environments, platforms, etc. Additionally, you're now affecting client-side implementation when you require certificates. This will almost certainly put you in a position of requiring you to support your customers and get them up and running with your API. That means familiarity with other languages, web servers, frameworks, etc.




回答2:


The Python HTTP library supports client certificates, as does the urllib library that sits on top of it.



来源:https://stackoverflow.com/questions/1522368/solutions-to-web-service-client-certificates-auth-best-practices

易学教程内所有资源均来自网络或用户发布的内容,如有违反法律规定的内容欢迎反馈
该文章没有解决你所遇到的问题?点击提问,说说你的问题,让更多的人一起探讨吧!