Specify OAuth token in GET URL

Views: 65

Question


My REST service uses OAuth 2.0 authentication. I want to test some GET URLs using the browser (without using a client). Can I pass the bearer token in the URL? URL: www.example.com/employee/employeeId

Recommended Answer


You can pass it in the access_token query parameter, see https://tools.ietf.org/html/rfc6750#section-2.3, but as noted in the other answer, it is not the preferred way of passing a token. It may end up in logs, browser cache etc. On this method the spec says:


Because of the security weaknesses associated with the URI method (see Section 5), including the high likelihood that the URL containing the access token will be logged, it SHOULD NOT be used unless it is impossible to transport the access token in the "Authorization" request header field or the HTTP request entity-body. Resource servers MAY support this method.


This method is included to document current use; its use is not recommended, due to its security deficiencies (see Section 5) and also because it uses a reserved query parameter name, which is counter to URI namespace best practices, per "Architecture of the World Wide Web, Volume One" [W3C.REC-webarch-20041215].


So you should also be aware that the Resource Server (or API) may not even support this method of token passing. The only method that is mandatory to implement is the Authorization header method.
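The two token-passing methods the answer contrasts, as an added example that is not part of the original question or answer and not code from RFC 6750 itself: a small resource-server side implemented in Python. It accepts the mandatory Authorization header method (RFC 6750 section 2.1), optionally accepts the access_token query parameter (section 2.3), returns the section 3.1 error responses, and produces a mock access-log line so you can see that the query-parameter token ends up in the log while the header token does not. The token value, the realm, the employee resource, the sample requests and the log format are all constructed for illustration.

```python
"""Added example, not code from the original question or answer: a small
RFC 6750 bearer-token extractor for a resource server, plus a mock access
log that shows what the access_token query parameter leaks. The token value,
realm, sample requests and log format are all constructed for illustration."""
import re
from urllib.parse import parse_qs, urlsplit

# Constructed sample token; a real one is issued by the authorization server.
VALID_TOKENS = {"mF_9.B5f-4.1JqM"}

# RFC 6750 2.1: b64token = 1*( ALPHA / DIGIT / "-" / "." / "_" / "~" / "+" / "/" ) *"="
_B64TOKEN = re.compile(r"^[A-Za-z0-9\-._~+/]+=*$")


def extract_bearer_token(headers, url, allow_query_param=False):
    """Locate the bearer token in a request per RFC 6750 sections 2 and 3.

    Returns (token, source, None) on success, or (None, None, (status, code))
    where status/code follow section 3.1 ("invalid_request", "invalid_token",
    or no code when the request carried no credentials at all).

    headers: request headers, name -> value (matched case-insensitively)
    url: request target, e.g. "/employee/42?access_token=..."
    allow_query_param: opt in to the section 2.3 URI method. Only the
        Authorization header method (2.1) is mandatory to implement.
    """
    candidates = []

    # 2.1  Authorization: Bearer <b64token>
    auth = next((v for k, v in headers.items() if k.lower() == "authorization"), None)
    if auth is not None:
        scheme, _, credentials = auth.partition(" ")
        credentials = credentials.strip()
        if scheme.lower() != "bearer" or not _B64TOKEN.match(credentials):
            return None, None, (400, "invalid_request")
        candidates.append(("header", credentials))

    # 2.3  ?access_token=<form-encoded token>; parse_qs undoes the form encoding
    if allow_query_param:
        for value in parse_qs(urlsplit(url).query).get("access_token", []):
            candidates.append(("query", value))

    if not candidates:
        # No credentials (including a query token the server chose not to
        # support): 401 challenge without an error code.
        return None, None, (401, None)
    if len(candidates) > 1:
        # 2.3: clients MUST NOT use more than one method per request.
        return None, None, (400, "invalid_request")

    source, token = candidates[0]
    if token not in VALID_TOKENS:
        return None, None, (401, "invalid_token")
    return token, source, None


def handle_request(method, url, headers, allow_query_param=False):
    """Serve one request and return a dict with status, headers, body and the
    access-log line the server would write.

    The log line mimics the common web-server format: it records the request
    target (path and query string) but never request headers. That is the
    whole difference between the two token-passing methods as far as logs
    are concerned.
    """
    log_line = f'127.0.0.1 - - "{method} {url} HTTP/1.1"'
    token, source, error = extract_bearer_token(headers, url, allow_query_param)
    if error is not None:
        status, code = error
        challenge = 'Bearer realm="example"'  # constructed realm
        if code is not None:
            challenge += f', error="{code}"'
        return {"status": status, "headers": {"WWW-Authenticate": challenge},
                "body": None, "log": log_line}

    response_headers = {}
    if source == "query":
        # 2.3: a server that accepts the URI method SHOULD answer with
        # Cache-Control: private so shared caches do not store the response.
        response_headers["Cache-Control"] = "private"

    employee_id = urlsplit(url).path.rsplit("/", 1)[-1]  # constructed resource
    return {"status": 200, "headers": response_headers,
            "body": {"employeeId": employee_id}, "log": log_line}
```

With allow_query_param left at its default, a browser request such as /employee/42?access_token=... gets a plain 401 challenge, which is the "may not even support this method" case from the answer; the same request against a server that opted in succeeds, but the token is now sitting in the log line. A request that carries both header and query parameter is rejected with invalid_request, because the spec forbids using more than one method at once.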
