Customize the Authorization HTTP header

Problem description

I need to authenticate a client when he sends a request to an API. The client has an API-token and I was thinking about using the standard Authorization header to send the token to the server.

Normally this header is used for Basic and Digest authentication. But I don't know if I'm allowed to customize the value of this header and use a custom auth-scheme, e.g.:

Authorization: Token 1af538baa9045a84c0e889f672baf83ff24

Would you recommend this or not? Or is there a better approach to sending the token?

Recommended answer

You can create your own custom auth schemas that use the Authorization: header - for example, this is how OAuth works.

As a general rule, if servers or proxies don't understand the values of standard headers, they will leave them alone and ignore them. It is creating your own header keys that can often produce unexpected results - many proxies will strip headers with names they don't recognise.

Having said that, it is possibly a better idea to use cookies to transmit the token, rather than the Authorization: header, for the simple reason that cookies were explicitly designed to carry custom values, whereas the specification for HTTP's built-in auth methods does not really say either way - if you want to see exactly what it does say, have a look here (/rfc2616-sec14.html#sec14.8).

The other point about this is that many HTTP client libraries have built-in support for Digest and Basic auth but may make life more difficult when trying to set a raw value in the header field, whereas they will all provide easy support for cookies and will allow more or less any value within them.
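
An added example, not part of the original question or answer: a server-side check for the custom `Token` scheme shown in the question, including the 401 challenge a server sends when the header is missing or malformed. The names `parse_authorization`, `authenticate` and `TOKEN_DIGESTS`, the client id and the realm value are assumptions made for the illustration; the token is the sample value from the question.

```python
import hashlib
import hmac

# Constructed store (assumption): keep only a SHA-256 digest of each issued token,
# so a leaked table does not reveal usable credentials.
TOKEN_DIGESTS = {
    hashlib.sha256(b"1af538baa9045a84c0e889f672baf83ff24").hexdigest(): "client-42",
}


def parse_authorization(value):
    """Split 'scheme credentials' into (lowercased scheme, credentials), or None."""
    if not value:
        return None
    parts = value.strip().split(None, 1)
    if len(parts) != 2:
        return None  # scheme without credentials, or empty header
    scheme, credentials = parts[0], parts[1].strip()
    # Accept only visible ASCII: rejects embedded whitespace and control
    # characters (CR/LF) that could otherwise end up in logs or other headers.
    if not credentials or any(not 0x21 <= ord(c) <= 0x7E for c in credentials):
        return None
    return scheme.lower(), credentials  # auth scheme names are case-insensitive


def authenticate(headers):
    """Return (status, response_headers, client_id) for a dict of request headers."""
    # A 401 response carries a WWW-Authenticate challenge naming the scheme.
    challenge = {"WWW-Authenticate": 'Token realm="api"'}
    # Header field names are case-insensitive as well.
    value = next((v for k, v in headers.items() if k.lower() == "authorization"), None)
    parsed = parse_authorization(value)
    if parsed is None or parsed[0] != "token":
        return 401, challenge, None
    digest = hashlib.sha256(parsed[1].encode("ascii")).hexdigest()
    for known, client_id in TOKEN_DIGESTS.items():
        # Constant-time comparison avoids leaking how many characters matched.
        if hmac.compare_digest(digest, known):
            return 200, {}, client_id
    return 401, challenge, None


if __name__ == "__main__":
    print(authenticate({"Authorization": "Token 1af538baa9045a84c0e889f672baf83ff24"}))
    print(authenticate({"Authorization": "Basic dXNlcjpwYXNz"}))
```

Whichever carrier is used, header or cookie, the token is a bearer credential and should only travel over TLS and be kept out of access logs.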
