为什么我们比URL编码之类的其他技术更喜欢授权标头将承载令牌发送到服务器 [英] Why do we prefer Authorization Header to send bearer token to server over other techniques like URL encoding

问题描述

为什么Authorization标头通常用于将承载令牌发送到服务器?为什么我们不将授权令牌作为URL参数发送或将其作为json有效负载发布到请求正文中?

Why Authorization header is mostly used to send a bearer token to server? Why don't we send our authorization token as URL parameter or post it as json payload with the request body?

推荐答案

标头非常适合保存这些数据，它们独立于请求类型.

Headers are perfect to hold these data, they are independent of request type.

您可以在正文中发送授权令牌，甚至其他所有内容，例如 Content-Type ， Content-Length ，缓存标头也可以是不同的请求类型( POST ， GET ..)可以具有不同的请求正文格式. GET 使用查询参数 POST / PUT 在主体中以编码形式发送数据(带有 Content-类型:application/x-www-form-urlencoded ，以使服务器知道传入的数据格式)， Content-Type:application/json ，正文，JSON和其他形式带有JSON.在多部分请求中，事情变得更加复杂(请检查 https://stackoverflow.com/a/19712083/1017363 ).

You could send Authorization token in body, even everything other like Content-Type, Content-Length, cache headers also but different request types (POST,GET..) could have different request body format. GET sends data using query parameters POST/PUT in encoded form in the body (with Content-Type: application/x-www-form-urlencoded to make server aware of incomming data format), Content-Type: application/json with JSON in body, XML and others. Things get more complicated on multipart requests (check this https://stackoverflow.com/a/19712083/1017363).

因此，您可以在正文或查询中看到授权令牌，这会使客户端和服务器端的事情变得更加复杂.客户端应该知道如何在每个请求上放入"授权令牌，服务器应该知道然后如何读取该值.

So as you can see authorization token in body or query makes things more complicated on client and server side. Client should know how to "fit" authorization token on every request and server should know then how to read this value.

这篇关于为什么我们比URL编码之类的其他技术更喜欢授权标头将承载令牌发送到服务器的文章就介绍到这了，希望我们推荐的答案对大家有所帮助，也希望大家多多支持IT屋！