Proper WWW-Authenticate header for OAuth provider


Problem description

In the OAuth 1.0 spec it is suggested to respond with the following WWW-Authenticate header:

WWW-Authenticate: OAuth realm="http://server.example.com/"

Is it suitable to add any other informative data to this header? In case a request for a protected resource fails, would it be reasonable to include some information as to why? Such as:

WWW-Authenticate: OAuth realm="http://server.example.com/", access token invalid

Or is this contrary to the purpose of the response header?

Recommended answer

Sounds a little dubious to me. The WWW-Authenticate header is specified by an RFC, which would seem to forbid the example you've given. The OAuth spec says that you can include other WWW-Authenticate fields as defined by the RFC, not that you can just tack arbitrary strings onto the end of it. I would avoid it, unless there is a defined field that you could twist to your purposes.
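As an added illustration (not part of the question or the answer), the following Python checker implements the challenge grammar the answer refers to, RFC 2617's `challenge = auth-scheme 1*SP 1#auth-param` with `auth-param = token "=" ( token | quoted-string )`, in slightly simplified form (empty list elements are not accepted). It shows that the first header from the question parses while the second is rejected, because `access token invalid` is not an auth-param; the `reason` parameter in the usage line is a made-up name used only to show the syntactic shape, not a field any specification defines.

```python
import re

# Grammar pieces from RFC 2617 / RFC 2616, the HTTP authentication RFC that
# the OAuth 1.0 spec refers to for WWW-Authenticate:
#   challenge  = auth-scheme 1*SP 1#auth-param
#   auth-param = token "=" ( token | quoted-string )
# token: any CHAR except CTLs and the separators ()<>@,;:\"/[]?={} SP HT
TOKEN = r"[!#$%&'*+\-.^_`|~0-9A-Za-z]+"
QUOTED_STRING = r'"(?:[^"\\]|\\.)*"'
AUTH_PARAM = re.compile(rf"\s*({TOKEN})=({TOKEN}|{QUOTED_STRING})\s*")


def parse_challenge(header_value):
    """Parse one WWW-Authenticate challenge into (scheme, {name: value}).

    Raises ValueError on anything that is not scheme + comma-separated
    auth-params, e.g. a bare phrase tacked onto the end of the header.
    """
    scheme, _, rest = header_value.strip().partition(" ")
    if not re.fullmatch(TOKEN, scheme) or not rest.strip():
        raise ValueError(f"bad auth-scheme or missing params: {header_value!r}")
    params = {}
    pos = 0
    while True:
        m = AUTH_PARAM.match(rest, pos)
        if not m:
            raise ValueError(f"not an auth-param: {rest[pos:].strip()!r}")
        name, value = m.group(1).lower(), m.group(2)
        if value.startswith('"'):
            # strip the quotes and resolve quoted-pair escapes (\" -> ")
            value = re.sub(r"\\(.)", r"\1", value[1:-1])
        if name in params:
            raise ValueError(f"duplicate auth-param: {name!r}")
        params[name] = value
        pos = m.end()
        if pos == len(rest):
            return scheme, params
        if rest[pos] != ",":
            raise ValueError(f"expected ',' before: {rest[pos:].strip()!r}")
        pos += 1


def is_valid_challenge(header_value):
    try:
        parse_challenge(header_value)
        return True
    except ValueError:
        return False


if __name__ == "__main__":
    # Constructed sample: 'reason' is a made-up parameter name, shown only
    # to contrast a syntactically valid auth-param with the bare phrase.
    for hdr in ('OAuth realm="http://server.example.com/"',
                'OAuth realm="http://server.example.com/", access token invalid',
                'OAuth realm="http://server.example.com/", reason="access token invalid"'):
        print(is_valid_challenge(hdr), hdr)
```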
