Authentication and authorization with REST and ASP.NET Web Api from a cross-platform mobile application

Time: 2023-01-24 12:10:31

I am writing a server using the ASP.NET Web Api template and implementing REST services. This server will be a backend for a mobile game where it will store the users' highscores, progress, and other information. I have taken a look at a number of approaches (this, this, and this) and I am having trouble deciding what approach to use. In my case I would like to prevent fraud of scores primarily, since each user account will contain limited info (outside of their email). Here is what would ideally be happening.


  1. User opens app for the first time
  2. User is given option for custom username and this is checked by server so there aren't duplicates
  3. User is given a randomly generated six-digit pin number (so they can use the same account on different phones)
  4. User enters email address
  5. New user is created on server (server verifies that the account was created by a valid instance of my client application)
  6. User plays game, uploads results (Via basic authentication?)
  7. User can view global results (no security on GET methods that aren't user specific)

I'm having trouble narrowing down what type of authentication (no browser login screens and such) and authorization methods to use. Any help would be greatly appreciated.


-Tamas

2 solutions

#1


5  

Even if you are using basic authentication you will want to use HTTPS. If you are using HTTPS then you can use client certificates to verify the client also. Only clients with a valid certificate will be given access. If you are not opening up this API to other consumers and it will only be used by a client developed by you, you may want to consider WS-Security and WCF. There is an entertaining description of the differences using naked motorcycle drivers as a metaphor here.


#2


1  

If it's from different clients/devices, something like token-based authentication might work for you.


The idea is simple: you have an Authentication method in your Web service. This method is responsible for checking credentials and issuing a 'Token', some simple structure like a SHA1 or MD5 string which all further client calls use.


If the client is authenticated, it stores the token for the whole duration of the session. The rest of the Web service methods, like SaveScore, just accept the token as a parameter. They are then responsible for checking whether it is valid or not. If the token is not valid, the call is not served.

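A minimal server-side implementation of the issue/validate scheme this answer describes, added here as an example (not the answerer's code or any ASP.NET API). The `TokenService`, `Issue` and `Validate` names are assumed; the token is 256 random bits rather than a hash of user data, so it cannot be recomputed by a client, and it expires and is looked up server-side, which is the check `SaveScore` would run before storing a score.

```csharp
using System;
using System.Collections.Concurrent;
using System.Security.Cryptography;

// Hypothetical token store for the Authentication / SaveScore pattern above.
public sealed class TokenService
{
    private sealed record Session(string UserId, DateTime ExpiresUtc);

    // token -> session; thread-safe because Web API handles requests concurrently
    private readonly ConcurrentDictionary<string, Session> _sessions = new();
    private readonly TimeSpan _lifetime;

    public TokenService(TimeSpan lifetime) => _lifetime = lifetime;

    // Called by the Authentication method after the credential check succeeded.
    // Returns an opaque bearer token the client sends with every later call.
    public string Issue(string userId)
    {
        byte[] bytes = RandomNumberGenerator.GetBytes(32);   // 256 bits of entropy
        string token = Convert.ToBase64String(bytes);
        _sessions[token] = new Session(userId, DateTime.UtcNow.Add(_lifetime));
        return token;
    }

    // Called by every other method (e.g. SaveScore) before doing any work.
    // Returns the owning user id, or null if the token is unknown or expired.
    public string? Validate(string token)
    {
        if (!_sessions.TryGetValue(token, out Session? session)) return null;
        if (session.ExpiresUtc <= DateTime.UtcNow)
        {
            _sessions.TryRemove(token, out _);                // expired: forget it
            return null;
        }
        return session.UserId;
    }

    // Logout, or invalidate a token that is suspected of being leaked.
    public void Revoke(string token) => _sessions.TryRemove(token, out _);
}

// Sketch of how a SaveScore action would use it (names are hypothetical):
//   string? user = tokens.Validate(token);
//   if (user is null) return Unauthorized();   // call is not served
//   scores.Save(user, score);
```

Because the token is only a lookup key, the server can also cap the score rate or revoke a session it suspects of cheating without changing the client; the token itself still has to travel over HTTPS, as the first answer points out.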
