I have read a lot about this on here and other articles. First let me explain my situation.
Let's say I have the following REST backend:
GET /user
returns all users in JSON. (No need to be logged-in)

POST /user
registers a new user. (No need to be logged-in)

DELETE /user
deletes a user. (You do need to be logged-in)
POST /login
posts login credentials and returns a 200 OK on successful authentication. Also this creates a session with the username.
DELETE /login
logout, this deletes the session.
For user authentication and roles I use Deadbolt-2, so for example when DELETE /user is called, first the session will be viewed to determine whether you are logged-in and then the username is used to determine if you have the correct permissions.
This works. My question is not about this kind of authorization/authentication. It is however about the following:
I want to secure the "public" API calls like GET /user in a way so only front-end applications that are approved by me can access them.
I have read a lot about API keys and HMAC and OAuth. But it seems to me they are talking about the first scenario and not the second. So how would I go about this in my situation?
Thank you for your time.
1 solution
#1
16
You might find the Securing Single Page Apps and REST Services article by James Ward useful; it's built using Play Framework, Java, jQuery, and CoffeeScript.
The reference source is here: https://github.com/jamesward/play-rest-security/
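The HMAC request-signing scheme the question mentions, as an added example that is not part of the original post or of James Ward's project. It is written in Python rather than Play/Java because the technique is framework-neutral: the client signs method, path, timestamp and body hash with a per-application secret, and the server recomputes the signature, compares it in constant time and rejects stale timestamps so a captured request cannot be replayed indefinitely. The key ID, secret value, header names and the 300-second window are assumptions. Caveat a practitioner should keep in mind: a secret shipped inside browser JavaScript can be read by anyone who loads the page, so this only restricts callers to whoever holds the key; it restricts access to "approved front-ends" in a meaningful way only when the signing happens on a server you control (for example a backend-for-frontend), not in the user's browser.

```python
import hashlib
import hmac
import time

# Constructed key table: in a real deployment this lives server-side,
# one entry per approved front-end. Values are illustrative, not real credentials.
API_KEYS = {
    "frontend-web-1": b"0123456789abcdef0123456789abcdef",
}

MAX_CLOCK_SKEW = 300  # seconds; bounds how long a captured request stays replayable


def canonical_string(method, path, timestamp, body):
    """Bind method, path, timestamp and body hash into one signed payload,
    so none of them can be changed without invalidating the signature."""
    body_hash = hashlib.sha256(body).hexdigest()
    return "\n".join([method.upper(), path, str(timestamp), body_hash])


def sign_request(key_id, secret, method, path, body=b"", timestamp=None):
    """Client side: produce the three headers the server expects."""
    if timestamp is None:
        timestamp = int(time.time())
    msg = canonical_string(method, path, timestamp, body).encode()
    sig = hmac.new(secret, msg, hashlib.sha256).hexdigest()
    return {
        "X-Api-Key": key_id,
        "X-Timestamp": str(timestamp),
        "X-Signature": sig,
    }


def verify_request(method, path, body, headers, now=None, keys=API_KEYS):
    """Server side: return (True, 'ok') or (False, reason).
    Each failure path is explicit so it can be logged separately."""
    if now is None:
        now = int(time.time())
    secret = keys.get(headers.get("X-Api-Key"))
    if secret is None:
        return False, "unknown api key"
    try:
        ts = int(headers.get("X-Timestamp", ""))
    except ValueError:
        return False, "bad timestamp"
    if abs(now - ts) > MAX_CLOCK_SKEW:
        return False, "timestamp outside window"
    msg = canonical_string(method, path, ts, body).encode()
    expected = hmac.new(secret, msg, hashlib.sha256).hexdigest()
    # Constant-time compare so the server does not leak how many leading
    # characters of a guessed signature were correct.
    if not hmac.compare_digest(expected, headers.get("X-Signature", "")):
        return False, "bad signature"
    return True, "ok"


if __name__ == "__main__":
    now = 1_700_000_000
    secret = API_KEYS["frontend-web-1"]
    h = sign_request("frontend-web-1", secret, "GET", "/user", timestamp=now)
    print(verify_request("GET", "/user", b"", h, now=now))         # (True, 'ok')
    print(verify_request("GET", "/admin", b"", h, now=now))        # path changed -> (False, 'bad signature')
    print(verify_request("GET", "/user", b"", h, now=now + 3600))  # replayed an hour later -> (False, 'timestamp outside window')
```

In the Play/Deadbolt-2 setup from the question, the verification would sit in an action composition or filter in front of the "public" routes, while the session-based checks stay on the routes that need a logged-in user. Rotating a compromised key is just replacing its entry in the key table.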