Authorization in RESTful HTTP API, 401 WWW-Authenticate


Question

I'm creating a RESTful service to provide data to a web application. I have two related questions about this.

I'm intending to respond to requests with the following codes:

  • Is the resource open and found? 200 OK
  • Do you need to be authenticated to access the resources? 401 Unauthorized
  • Don't you have access to a category of resources? 403 Forbidden
  • Do you have access to a category of resources, but not to this specific resource? 404 Not Found to prevent people from getting to know the existence of a resource they do not have access to.
  • Doesn't the resource exist? 404 Not Found

Is this a recommended way for a RESTful service to behave?

I read on Wikipedia (probably not the most accurate resource, but it works for me) that a 401 response must include a WWW-Authenticate header, however upon further searching I couldn't really find any resource that stated what this value means and what it should be.

I found several SO questions and forum topics about this header and they all seem to be about OAuth, suggest against using 401 status codes or say you can just make something up.

What is the correct value this header should contain?

Accepted answer

To answer your questions:

How to handle unauthorized requests?

The way you described it is pretty much the recommended way for a RESTful service. As far as I can see there is absolutely nothing wrong with that.

What WWW-Authenticate header should a 401 response provide?

In general the WWW-Authenticate header tells the client what kind of authentication the server will accept. If the client makes an unauthorized request, which means he is sending a request with a missing or invalid Authorization header, the server will use WWW-Authenticate to tell the client what authentication scheme he will accept (i.e. Basic, Digest or OAuth) and for what realm.

Imagine it like some kind of identification question or challenge on the part of the server, i.e. something like "Who are you?" or "Prove who you are by providing credentials in the following way!".

For example: WWW-Authenticate: Basic realm="My App"

Here the server tells the client that he uses an authentication scheme named Basic. The realm is nothing more than some string that identifies a protected space on the server.
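The status-code mapping from the question and the 401 challenge from the answer, put together as a small Python model. This is an added example, not code from the original question or answer; the user table, grants and resource list are constructed sample data, and the scheme is Basic with the answer's realm "My App".

```python
import base64
import hmac
from http import HTTPStatus

# Constructed sample data (not from the post): credentials, per-user grants, and what exists.
USERS = {"alice": "s3cret", "bob": "hunter2"}
GRANTS = {"alice": {"reports": {"r1", "r2"}}, "bob": {"reports": {"r2"}}}
RESOURCES = {("reports", "r1"), ("reports", "r2"), ("reports", "r3")}
REALM = "My App"  # the realm from the answer's example header

def basic_header(user, password):
    """Build the Authorization value a Basic-auth client would send (test helper)."""
    return "Basic " + base64.b64encode(f"{user}:{password}".encode()).decode()

def parse_basic(authorization):
    """Return (user, password) from a 'Basic <base64>' value, or None if malformed."""
    if not authorization or not authorization.startswith("Basic "):
        return None
    try:
        decoded = base64.b64decode(authorization[6:], validate=True).decode("utf-8")
    except (ValueError, UnicodeDecodeError):
        return None
    user, sep, password = decoded.partition(":")
    return (user, password) if sep else None

def authenticate(authorization):
    """Return the user name if the credentials check out, else None."""
    creds = parse_basic(authorization)
    if creds is None:
        return None
    user, password = creds
    expected = USERS.get(user, "")  # always run the constant-time compare, even for unknown users
    if not hmac.compare_digest(password.encode(), expected.encode()) or user not in USERS:
        return None
    return user

def handle_get(authorization, category, resource_id):
    """Map a GET to the status codes listed in the question; returns (status, headers)."""
    user = authenticate(authorization)
    if user is None:
        # Missing or invalid credentials: 401 plus the challenge naming scheme and realm.
        return HTTPStatus.UNAUTHORIZED, {"WWW-Authenticate": f'Basic realm="{REALM}"'}
    granted = GRANTS.get(user, {})
    if category not in granted:
        return HTTPStatus.FORBIDDEN, {}  # no access to the category at all
    if (category, resource_id) not in RESOURCES or resource_id not in granted[category]:
        # Same 404 whether the resource is absent or merely not granted: existence is not leaked.
        return HTTPStatus.NOT_FOUND, {}
    return HTTPStatus.OK, {}
```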
