我想为访问我的 API 的用户实施配额,但我不确定我想到的流程是通过简单地阅读多个 API 管理解决方案的文档来完成的方法。
目前,我的流程可以描述如下:
- 用户向应用程序提供凭据
- 该应用程序调用我的授权服务器进行验证。如果成功,则将令牌返回给用户。
- 在以下请求中,应用程序将在访问服务之前针对授权服务器验证令牌(授权标头)。
我的问题是我无法根据令牌实施配额,因为我的用户将能够获得新令牌以避免限制。根据您的经验,是否可以在网关级别按用户管理配额,还是应该更改我的 API 身份验证方法?
此致,
问问题
150 次
1 回答
0
When we speak of api and token the most used model of communication is the protocol OAuth 2.0.
Through it, API users must authenticate to their respective OAuth authentication server (it could be a third-party server, eg facebook or google).
With the token in hand and this token is a token with a limited lifetime, the exposed API must validate this token against the OAuth resource server which will identify who will be the client / application that is requesting.
Therefore, using OAuth token it will be possible to identify the requester.
Regarding quota control if you will not use any API Management / Gateway market player (Ex: apigee) you must implement this control with a high-performance query engine. For a simpler solution a key value pair database could solve this problem (eg redis).
于 2017-07-01T01:59:03.567 回答