Which HTTP status code to return in case of server-to-third-party auth failure


Problem description

I have a scenario where we have an Azure multi-tenant app. Customers grant permission to our service to talk to Azure AD and search (users/AD groups) data from their Azure AD tenant using the authorization code flow granted to our multi-tenant app.

After the Azure AD setup, users log in to our UI and try to search users/groups from their AAD tenant. Our service calls AAD APIs using the authorization granted to our multi-tenant app.

Now, if the customer's AAD admin removes access to our AAD multi-tenant app by logging in to their AAD console, AAD starts throwing HTTP 403 (Forbidden) when our service tries to call the AAD API to search users.

What HTTP status code should be returned to the UI for this particular scenario? We want to inform the user about this so that they can restore the authorization of our multi-tenant app.

I don't think returning HTTP 4xx is a good idea. If we see it from the UI perspective, it's not a client error.

I think it is some kind of server error, where our service-to-AAD connection is broken due to lack of authorization.

Please suggest a reasonable HTTP status code from the 5xx series or 4xx series for this scenario.

Recommended answer

The 4xx (Client Error) class of status code indicates that the client seems to have erred. Except when responding to a HEAD request, the server SHOULD send a representation containing an explanation of the error situation, and whether it is a temporary or permanent condition.

The payload is the primary way to communicate to the end user what the actual problem is.

HTTP status codes are metadata; the target audience is the general-purpose components participating in the message exchange. On the web, the payload is for the human being; the status codes are for the browser, caches, spiders, and so on.

In your case, the request is fine. In particular, there is nothing that the client can do to improve the result. So 4xx should be off the table.

The 5xx (Server Error) class of status code indicates that the server is aware that it has erred or is incapable of performing the requested method.

The 5xx class of status codes is a lot less specific than the 4xx class (primarily because there are no corrective actions that can be taken by the other components).

The real options available to you are

  • 500 Internal Server Error
  • 503 Service Unavailable

Service Unavailable is interesting in that it has a bunch of Retry-After semantics defined; you get to communicate to the general-purpose components an estimate of when the problem may be fixed, and then those components can judge what to do with that information.

The 503 (Service Unavailable) status code indicates that the server is currently unable to handle the request due to a temporary overload or scheduled maintenance, which will likely be alleviated after some delay.

So if you think you can estimate the delay before things are working again, then 503 may make sense.

The 500 (Internal Server Error) status code indicates that the server encountered an unexpected condition that prevented it from fulfilling the request.

That's a perfectly satisfactory alternative. "We are unexpectedly broken right now."

Again, the payload of the 5xx response can be used to communicate more specific semantics to the client.
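The mapping the answer describes, as an added example that is not part of the original question or answer: the upstream 401/403 from Azure AD is never forwarded to the UI as-is, the response class is 5xx, and an RFC 7807 problem-details body carries the explanation the user needs to restore consent. The problem-type URI, tenant id and retry estimate are assumptions for illustration.

```python
"""Translate an Azure AD (upstream) authorization failure into our own reply."""
from dataclasses import dataclass, field
from typing import Optional

# Hypothetical URI identifying this problem type to our API clients.
PROBLEM_TYPE_CONSENT_REVOKED = "https://example.invalid/problems/tenant-consent-revoked"


@dataclass
class UiResponse:
    status: int
    headers: dict = field(default_factory=dict)
    body: dict = field(default_factory=dict)


def map_upstream_auth_failure(upstream_status: int, tenant_id: str,
                              retry_after: Optional[int] = None) -> UiResponse:
    """Build the response the UI sees when the AAD call came back 401/403.

    retry_after: estimated seconds until the problem is fixed, if we have one.
    With an estimate we answer 503 plus a Retry-After header; without one,
    500. Either way the request from the UI was fine, so no 4xx is returned
    and the upstream body is not forwarded (it is about *our* credentials).
    """
    if upstream_status not in (401, 403):
        raise ValueError(f"not an auth failure: {upstream_status}")
    status = 503 if retry_after is not None else 500
    headers = {"Content-Type": "application/problem+json"}
    if status == 503:
        headers["Retry-After"] = str(retry_after)
    body = {
        "type": PROBLEM_TYPE_CONSENT_REVOKED,
        "title": "Directory search unavailable",
        "status": status,
        "detail": (f"Azure AD rejected our multi-tenant app with HTTP {upstream_status}. "
                   f"An administrator of tenant {tenant_id} has likely removed the "
                   "app's permissions; ask them to re-consent, then retry."),
        "tenant": tenant_id,  # lets the UI point the user at the right admin
    }
    return UiResponse(status, headers, body)


if __name__ == "__main__":
    # Constructed sample: AAD returned 403 for a tenant whose admin revoked consent.
    print(map_upstream_auth_failure(403, "00000000-0000-0000-0000-000000000000", 600))
```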

