What HTTP error codes should my API return if a 3rd party API auth fails?

Views: 49

Problem description

I'm writing a REST-ish API service that provides the ability to interact with the end user's data in other 3rd party services (themselves REST APIs) via OAuth. A common example might be publishing data from my service to a third-party service such as Facebook or Twitter.

Suppose, for example, I perform an OAuth dance with the end user and Facebook, resulting in some short-term access token that my service can use to interact with the user's Facebook account. If that access token expires and the user attempts to use my service to publish to Facebook, what sort of error do I return to the user?

401 doesn't seem quite right to me; it seems that 401 would apply to the user's auth state with MY service. 403 seems much more appropriate, but also quite generic.

Recommended answer

401 is the way to go. Two excerpts from RFC 2616, which defines the HTTP protocol:

Section 10.4.2 (about 401):

If the request already included Authorization credentials, then the 401 response indicates that authorization has been refused for those credentials.

This seems to be appropriate for expired tokens. There are authentication credentials, but they're refused, so the user agent must re-authenticate.

Section 10.4.4 (about 403):

The server understood the request, but is refusing to fulfill it. Authorization will not help and the request SHOULD NOT be repeated.

This should be used when the resource can't be accessed despite the user credentials. It could be a website/API that works only in the US being hit by an Asian IP, or a webpage that has been declared harmful and was deactivated (so the content WAS found, but the server is denying serving it).

On OAuth2, the recommended workflow depends on how the token is being passed. If passed by the Authorization header, the server may return a 401. When passed via query string parameter, the most appropriate response is a 400 Bad Request (unfortunately, the most generic one HTTP has). This is defined by section 5.2 of the OAuth2 spec: http://tools.ietf.org/html/draft-ietf-oauth-v2-26
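The 401-versus-403 mapping the answer describes, as an added example that is not part of the original question or answer: a provider's rejection of the user's stored token becomes our own 401 (which RFC 2616 requires to carry a WWW-Authenticate header), a refusal despite valid credentials becomes a 403 with no retry, and the realm string distinguishes a failed third-party link from a failure of the caller's own credentials with our service. The provider names, realm strings, JSON body shape and the 502 fallback for non-auth upstream errors are assumptions chosen for illustration.

```python
from dataclasses import dataclass, field


@dataclass
class ApiResponse:
    status: int
    headers: dict = field(default_factory=dict)
    body: dict = field(default_factory=dict)


def map_upstream_auth_failure(provider: str, upstream_status: int) -> ApiResponse:
    """Translate the provider's rejection of the user's stored token into our own status.

    provider        -- the linked 3rd-party service that rejected the call (e.g. "facebook")
    upstream_status -- the HTTP status that provider returned to our call on the user's behalf
    """
    if upstream_status == 401:
        # Credentials were presented but refused (e.g. expired token): the user must
        # re-authorize the link, so we answer 401 too. RFC 2616 requires a
        # WWW-Authenticate header on every 401; the realm names the provider so a
        # client can tell this apart from a failure of ITS credentials with us.
        return ApiResponse(
            401,
            {"WWW-Authenticate": f'Bearer realm="{provider}", error="invalid_token"'},
            {"error": "invalid_token",
             "error_description": f"Your {provider} authorization expired; reconnect the account."},
        )
    if upstream_status == 403:
        # Understood but refused despite valid credentials (policy, region, disabled
        # content): re-authorizing will not help, so tell the client not to retry.
        return ApiResponse(
            403, {},
            {"error": "forbidden",
             "error_description": f"{provider} refused the request; re-authorizing will not help."},
        )
    # Anything else is not an auth problem with the user's link. Assumed choice:
    # surface it as an upstream failure instead of disguising it as 401/403.
    return ApiResponse(502, {}, {"error": "upstream_error", "upstream_status": upstream_status})


def our_own_auth_failure() -> ApiResponse:
    """401 for a caller whose credentials with OUR service are missing or invalid.
    A different realm (assumed name) from the provider case keeps the two distinguishable."""
    return ApiResponse(401, {"WWW-Authenticate": 'Bearer realm="my-service"'},
                       {"error": "invalid_token"})
```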
