You signed in with another tab or window. Reload to refresh your session.You signed out in another tab or window. Reload to refresh your session.You switched accounts on another tab or window. Reload to refresh your session.Dismiss alert
Currently the manager's open APIs are free to call from anywhere anonymously, which is not secure.
Goal: Add some sort of authentication support to very the identity of the clients (i.e. authorized agent/dataproxy/sdk etc)
Mechanisms
There are several ways to provide web api authentication, with the typical two described below:
The auth process is simple:
A) The api server side generates a secretID & secretKey pair for each client who wants access.
B) The client encode the id & key pair (base64) in the http header.
C) The server's interceptor / filter retrieves the secretID and compares the secretKey param with the true secretKey stored at some database (usually encrypted)
Pros:
Light and easy to understand
little extra work to use
Cons:
Since base64 is used, it is not secure in non-encrypted channel.
So it must be used along with HTTPS.
2. API Secure Signature
This is commonly used in public cloud apis, like the one described in this Tencent cloud approach.
The auth process is roughly like this:
A) The api server side generates a secretID & secretKey pair for each client who want access.
B) The client organize some of the request context info (URI、domain、sorted params、body data etc) into a basic string.
C) Then client use RSA or hashing to encrypt this string to a signature with the secretKey
D) The client request the API with the signature and secretID
E) The server retrieves the secretID, find its corresponding secretKey, and uses the same encoding process as B) and C) to calculate the signature.
F) The server compares its calculated signature and the one from the request to determine the final authenticating result.
Pros:
More secure, since the secretKey is not transported across the network but merely as part of the signature. Thus can also be used in unencrypted channels like HTTP.
Cons:
The process is more sophisticated and thus error prone. Steps like B) has no standards to follow. Often need more debugging time for the user.
Suggest choosing the basic auth approach for the following reasons:
We should always use HTTPs as a modern web application. Thus we enforce it and basic auth is easy and sufficiently secure.
The open APIs exposed by manager are quite limited and are usually read only (Most important of which includes configuration query for agency and dataproxy
Description
Currently the manager's open APIs are free to call from anywhere anonymously, which is not secure.
Goal: Add some sort of authentication support to very the identity of the clients (i.e. authorized agent/dataproxy/sdk etc)
Mechanisms
There are several ways to provide web api authentication, with the typical two described below:
1. Basic Access Authentication
https://en.wikipedia.org/wiki/Basic_access_authentication
The auth process is simple:
A) The api server side generates a secretID & secretKey pair for each client who wants access.
B) The client encode the id & key pair (base64) in the http header.
C) The server's interceptor / filter retrieves the secretID and compares the secretKey param with the true secretKey stored at some database (usually encrypted)
Pros:
Cons:
2. API Secure Signature
This is commonly used in public cloud apis, like the one described in this Tencent cloud approach.
The auth process is roughly like this:
A) The api server side generates a secretID & secretKey pair for each client who want access.
B) The client organize some of the request context info (URI、domain、sorted params、body data etc) into a basic string.
C) Then client use RSA or hashing to encrypt this string to a signature with the secretKey
D) The client request the API with the signature and secretID
E) The server retrieves the secretID, find its corresponding secretKey, and uses the same encoding process as B) and C) to calculate the signature.
F) The server compares its calculated signature and the one from the request to determine the final authenticating result.
Pros:
Cons:
Suggest choosing the basic auth approach for the following reasons:
InLong Component
InLong Manager
Are you willing to submit PR?
Code of Conduct
The text was updated successfully, but these errors were encountered: