为什么要对授权标头进行base64编码? [英] Why should you base64 encode the Authorization header?
问题描述
Twitter的API要求发送一个Authorization标头,该标头是与API秘密密钥连接的API密钥的base64编码.在Node中,我使用:
Twitter's API requires sending an Authorization header that is a base64 encoding of an API key concatenated with an API secret key. In Node, I use:
var base64 = new Buffer(apiKey + ':' + apiSecret).toString('base64');
发送的标头变为:
Authorization: 'Basic ' + base64
base64对字符串"apiKeyHere:apiSecretHere"进行编码有什么意义?为什么不只接受包含原始api凭证的Authorization标头?
What is the point of base64 encoding the string "apiKeyHere:apiSecretHere"? Why not just accept an Authorization header containing the raw api credentials?
This question is similar to What is the purpose of base 64 encoding and why it used in HTTP Basic Authentication? but the voted answer doesn't fully answer my question. Twitter's api key and api secret key are already HTTP compatible characters. They look something like this (these are not real):
消费者密钥(API密钥)8dme3utVQfOhlPk5BUG9XbFxR
Consumer Key (API Key) 8dme3utVQfOhlPk5BUG9XbFxR
消费者机密(API机密)QFZXoC7MP72JZtGMBNpjLGI4Vl1xr1q9dyPLp3u7jGtkESpbLm
Consumer Secret (API Secret) QFZXoC7MP72JZtGMBNpjLGI4Vl1xr1q9dyPLp3u7jGtkESpbLm
那为什么要对base64进行编码?此外,该帖子还指出编码的目的是将用户名或密码中的非HTTP兼容字符编码为与HTTP兼容的字符".用户名和密码已经不是HTTP兼容字符吗?
So why base64 encode it? Furthermore, that post states "the intent of the encoding is to encode non-HTTP-compatible characters that may be in the user name or password into those that are HTTP-compatible." Wouldn't a username and password already be HTTP compatible characters?
推荐答案
事件虽然我在w3文档中找不到它,但我相信这是将Authorization标头的凭据编码为base64的协议,无论如何拥有的内容.对于Twitter,它与您所说的没有太大区别,但在其他情况下,凭据可以包含这些字符.为了使其统一并防止错误进行编码,应对所有凭据进行编码.
Eventhough I can't find it in the w3 documentation, I believe that it is just protocol to encode the credentials of the Authorization header to base64, no matter what content it has. In the case of Twitter it doesn't make much difference as you said, but in other cases the credentials can contain these characters. To keep it uniform and prevent mistakes of whether it should be encoded or not, all credentials should be encoded.
另一个原因可能是浏览器也以相同的方式对凭据进行编码. Twitter可能也想接受这一点.
Another reason could be, that browsers also encode the credentials the same way. Twitter probably also wants to accept that.
这篇关于为什么要对授权标头进行base64编码?的文章就介绍到这了,希望我们推荐的答案对大家有所帮助,也希望大家多多支持IT屋!
