I'm building an API which allows our customers to interact with my PHP application programmatically. After reading this question it seems that I should provide the users of my application with two keys:
1) access token secret
(a very long string of random characters)
2) access token
(a much shorter string of random characters or numbers)
The idea behind these two tokens is so that the client signs (encrypts) his request with the access token secret
and transmits the request to our server. However, since the request is encrypted there's no way for the server to decrypt the message without first identifying which client is sending the request. The purpose of the "access token" is to help the server easily identify (look up) which client's "access token secret" to use to decrypt the message. Obviously, the client should not send the actual access token secret with the request as this would allow an adversary to intercept the client's secret token and sign messages on his behalf without his knowledge. Is this correct?
Assuming my understanding is correct, why not have the client simply use his username (the one he usually uses to login to his online account) instead of generating a custom access token?
Thank you
via Chebli Mohamed
Aucun commentaire:
Enregistrer un commentaire