What HTTP error codes should my API return if a 3rd party API auth fails?


Question

I'm writing a REST-ish API service that provides the ability to interact with the end user's data in other 3rd party services (themselves REST APIs) via OAuth. A common example might be publishing data from my service to a third-party service such as Facebook or Twitter.

Suppose, for example, I perform an OAuth dance with the end user and Facebook, resulting in some short-term access token that my service can use to interact with the user's Facebook account. If that access token expires and the user attempts to use my service to publish to Facebook, what sort of error do I return to the user?

401 doesn't seem quite right to me; it seems that 401 would apply to the user's auth state with MY service. 403 seems much more appropriate, but also quite generic.

Accepted answer

401 is the way to go. Two excerpts from RFC 2616, which defines the HTTP protocol:

Section 10.4.2 (about 401):

If the request already included Authorization credentials, then the 401 response indicates that authorization has been refused for those credentials.

This seems to be appropriate for expired tokens. There are authentication credentials, but they're refused, so the user agent must re-authenticate.

Section 10.4.4 (about 403):

The server understood the request, but is refusing to fulfill it. Authorization will not help and the request SHOULD NOT be repeated.

This should be used when the resource can't be accessed despite the user credentials. Could be a website/API that works only in the US being hit by an Asian IP, or a webpage that has been declared harmful and was deactivated (so the content WAS found, but the server is denying serving it).

On OAuth2, the recommended workflow depends on how the token is being passed. If passed by the Authorization header, the server may return a 401. When passed via query string parameter, the most appropriate response is a 400 Bad Request (unfortunately, the most generic one HTTP has). This is defined by section 5.2 of the OAuth2 spec https://datatracker.ietf.org/doc/html/draft-ietf-oauth-v2-26
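The mapping the answer describes, written out as a small framework-free Python example (added here; it is not code from the question, the answer, or any of the services mentioned). It assumes a proxy-style API that calls an upstream OAuth provider on the user's behalf and has to translate the upstream failure into its own response: credentials presented in the Authorization header and refused become a 401 with a `WWW-Authenticate: Bearer` challenge (the challenge format is the one from RFC 6750, the Bearer token usage spec, which the answer does not cite), a token sent as a query-string parameter becomes a 400, an upstream 403 stays a 403, and anything else upstream becomes a 502 (the 502 choice, the `provider` field and the "fake upstream" table are assumptions for illustration, not part of the post).

```python
from dataclasses import dataclass, field
from typing import Callable, Dict


@dataclass
class ApiResponse:
    """Minimal stand-in for a web framework response object."""
    status: int
    headers: Dict[str, str] = field(default_factory=dict)
    body: Dict[str, str] = field(default_factory=dict)


def bearer_challenge(error: str, description: str, realm: str) -> str:
    """Build a WWW-Authenticate value in the RFC 6750 Bearer challenge form.

    Parameter values are quoted strings, so strip any double quotes from the
    free-text description to keep the header well-formed.
    """
    safe_desc = description.replace('"', "'")
    return f'Bearer realm="{realm}", error="{error}", error_description="{safe_desc}"'


def map_upstream_auth_failure(upstream_status: int, token_location: str,
                              provider: str, realm: str = "my-api") -> ApiResponse:
    """Translate a failed upstream (third-party) call into our own error response.

    token_location is how OUR client presented its token to us:
      "header" -> Authorization: Bearer <token>
      "query"  -> ?access_token=<token>
    """
    if token_location not in ("header", "query"):
        raise ValueError(f"unknown token location: {token_location!r}")

    if token_location == "query":
        # Per the answer: a token passed as a query parameter gets 400 Bad Request.
        return ApiResponse(400, {}, {
            "error": "invalid_request",
            "error_description": "send the access token in the Authorization header",
        })

    if upstream_status == 401:
        # Credentials were presented and refused (RFC 2616 10.4.2): 401 plus a
        # challenge. The body says WHICH link failed so the client can tell
        # "my session with this API expired" from "my link to <provider> expired".
        desc = f"{provider} access token expired or was revoked; re-authorize"
        return ApiResponse(
            401,
            {"WWW-Authenticate": bearer_challenge("invalid_token", desc, realm)},
            {"error": "invalid_token", "provider": provider, "action": "reauthorize"},
        )

    if upstream_status == 403:
        # Upstream understood the request but refuses it regardless of
        # credentials (RFC 2616 10.4.4): re-authorizing will not help.
        return ApiResponse(403, {}, {"error": "forbidden", "provider": provider})

    # Assumption: any other upstream failure is reported as a bad gateway so the
    # client does not mistake a provider outage for an auth problem.
    return ApiResponse(502, {}, {"error": "upstream_error", "provider": provider,
                                 "upstream_status": str(upstream_status)})


def proxy_publish(token_location: str, provider: str,
                  upstream_call: Callable[[], int]) -> ApiResponse:
    """Call the upstream provider and pass success through or map the failure."""
    status = upstream_call()
    if 200 <= status < 300:
        return ApiResponse(status, {}, {"status": "published", "provider": provider})
    return map_upstream_auth_failure(status, token_location, provider)


# Constructed fake upstream results, standing in for real provider HTTP calls.
FAKE_UPSTREAM_STATUS = {"facebook": 401, "twitter": 200, "other": 503}


def demo(provider: str, token_location: str = "header") -> ApiResponse:
    return proxy_publish(token_location, provider,
                         lambda: FAKE_UPSTREAM_STATUS[provider])


if __name__ == "__main__":
    for name in FAKE_UPSTREAM_STATUS:
        r = demo(name)
        print(name, r.status, r.headers, r.body)
```

The one design choice worth noting: the 401 carries both a machine-readable challenge and a `provider` field, because the question's real worry is that a bare 401 is indistinguishable from "your credentials with my service are bad". Naming the upstream link in the body lets the client send the user back through the right OAuth dance instead of logging them out.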
