C# Web API 创建 API 密钥
声明:本页面是StackOverFlow热门问题的中英对照翻译,遵循CC BY-SA 4.0协议,如果您需要使用它,必须同样遵循CC BY-SA许可,注明原文地址和作者信息,同时你必须将它归于原作者(不是我):StackOverFlow
原文地址: http://stackoverflow.com/questions/11830338/
Warning: these are provided under cc-by-sa 4.0 license. You are free to use/share it, But you must attribute it to the original authors (not me):
StackOverFlow
Web API creating API keys
提问by DarthVader
I'm interested in creating API keys for web.api and allowing clients to communicate with API using the API keys rather than authorization web.api provides.
我对为 web.api 创建 API 密钥并允许客户端使用 API 密钥而不是 web.api 提供的授权与 API 进行通信感兴趣。
I want multiple clients to be able to communicate with the web.api. instead of creating username and password, can I use an api key, and allow clients to communicate with client.
我希望多个客户端能够与 web.api 通信。我可以使用 api 密钥而不是创建用户名和密码,并允许客户端与客户端进行通信。
Is there such built-in functionality?
有这样的内置功能吗?
if one wants to implement it, how would you go around it?
如果有人想实施它,你会如何解决它?
采纳答案by cuongle
You are able to achieve by using HMAC Authentication. Basically, there might be a database table called ApiKey (apiKey, secretKey). Each client has each Apikey and secret Key:
您可以通过使用HMAC 身份验证来实现。基本上,可能有一个名为ApiKey (apiKey, secretKey)的数据库表。每个客户端都有每个 Apikey 和密钥:
ApiKey is like a public key and will be sent over HTTP (similar with username).
Secret Key is not sent over HTTP, use this secret key to do hmac some information and send hashed output to the server. From server side, based on the public key, you can get the relevent secret key and hash information to compare with hash output.
ApiKey 就像一个公钥,将通过 HTTP 发送(类似于用户名)。
密钥不是通过 HTTP 发送的,使用这个密钥来做 hmac 一些信息并将散列输出发送到服务器。从服务器端,根据公钥,您可以获取相关的密钥和哈希信息,以与哈希输出进行比较。
I have posted the detailed answer at: How to secure an ASP.NET Web API
我已在以下位置发布了详细答案:如何保护 ASP.NET Web API
You can change Username by ApiKey and Hashed Password by secret key on my answer to map with your idea.
您可以在我的答案中通过 ApiKey 更改用户名,并通过密钥更改哈希密码以映射您的想法。
