问题
I'm developing a RESTful API for my app on GAE python and right now I'm trying to figure out the best way to secure this API. I have my own member/authentication mechanism on this app.
what is the best way to do this?
- having public/private key pairs
- becoming an OAuth provider
- HTTP authentication (seems very weak to me)
- other??
回答1:
First, discard HTTP Auth. It is not recommended in a true REST API since it resides on cookies.
I would go with OAuth. There's a library called appengine_oauth_provider, which could helps you to start implementing your own provider.
回答2:
You can use Google Service Account for User Authentication. However, people still can register an account and use your API and surely your app engine bill will go up. They've just introduce Google Cloud Endpoints at Google I/O 2012. You will have a Client ID which will only use on your client application(Android,iOS).
Google I/O 2012 - Building Android Applications that Use Web APIs with Yaniv Inbar and Sriram Saroop
Google I/O 2012 - Building Mobile App Engine Backends for Android, iOS and the Web
If you are interested in, you should try to sign up for trusted tester at
http://endpoints-trusted-tester.appspot.com/
来源:https://stackoverflow.com/questions/12625121/restful-api-authentication-security