問題描述
OAuth2:保護非用戶資源 (OAuth2: Protecting non‑user resources)
我有一個 API。假設它允許用戶在排行榜上更新他們的分數。這使用 OAuth2。
代表用戶使用 OAuth2 的客戶端擁有 32 個字符的 ID 和機密。
我也有一些“公共”資源,不歸用戶所有。比如說獲取整體排行榜。
我希望客戶能夠通過 API 訪問它們。然而,這些客戶可能不是用戶(其他網站說),實現 OAuth 流程似乎過於復雜。但是,我還希望客戶能夠識別自己以跟踪誰在使用它,並在需要時實施速率檢查。
OAuth2 中有什麼允許這樣做的嗎?client_credentials 用於“受信任的客戶”,而這些不會是這樣的。
或者,我是否對這些端點使用不同形式的身份驗證,以便客戶端執行 Authorization: Token [CLIENT_ID] 而不是 Authorization: Bearer [OAUTH2_TOKEN]?
參考解法
方法 1:
For the non‑protected resources, you can put those on the internet without any OAuth protection.
However, if you do that, you can't really trust the information the client sends you. So it depends on how important it is to validate the client ID they send.
If it's for throttling, that might be enough justification to run that through OAuth so someone doesn't lie about their client ID and steal someone else's bandwith. But that's a judgement call.
If you need to trust the information that they're sending in, even if it's just an identifier, then you're probably better off having them send in their access token, rather than coming up with a special protocol & definition of a different token.
Or just trust the ID they send.