基本 HTTP 和承载令牌认证 [英] Basic HTTP and Bearer Token Authentication

问题描述

我目前正在开发一个 REST-API，它是为开发环境提供 HTTP-Basic 保护的.由于真正的身份验证是通过令牌完成的，我仍在尝试弄清楚如何发送两个授权标头.

I am currently developing a REST-API which is HTTP-Basic protected for the development environment. As the real authentication is done via a token, I'm still trying to figure out, how to send two authorization headers.

我试过这个:

curl -i http://dev.myapp.com/api/users 
  -H "Authorization: Basic Ym9zY236Ym9zY28=" 
  -H "Authorization: Bearer mytoken123"

例如，我可以为我的 IP 禁用 HTTP 身份验证，但由于我通常在具有动态 IP 的不同环境中工作，这不是一个好的解决方案.所以我错过了什么吗?

I could for example disable the HTTP-Authentication for my IP but as I usually work in different environments with dynamic IPs, this is not a good solution. So am I missing something?

推荐答案

试试这个在 url 推送基本认证:

Try this one to push basic authentication at url:

curl -i http://username:password@dev.myapp.com/api/users -H "Authorization: Bearer mytoken123"
               ^^^^^^^^^^^^^^^^^^

如果上面的一个不起作用，那么你与它无关.因此，请尝试以下替代方法.

If above one doesn't work, then you have nothing to do with it. So try the following alternates.

您可以使用其他名称传递令牌.因为您正在处理来自您的应用程序的授权.因此，您可以轻松地将这种灵活性用于此特殊目的.

You can pass the token under another name. Because you are handling the authorization from your Application. So you can easily use this flexibility for this special purpose.

curl -i http://dev.myapp.com/api/users 
  -H "Authorization: Basic Ym9zY236Ym9zY28=" 
  -H "Application-Authorization: mytoken123"

注意我已将标题更改为 Application-Authorization.因此，从您的应用程序中捕获该标头下的令牌并处理您需要执行的操作.

Notice I have changed the header into Application-Authorization. So from your application catch the token under that header and process what you need to do.

您可以做的另一件事是，通过 POST 参数传递 token 并从服务器端获取参数的值.例如使用 curl post 参数传递令牌:

Another thing you can do is, to pass the token through the POST parameters and grab the parameter's value from the Server side. For example passing token with curl post parameter:

-d "auth-token=mytoken123"

这篇关于基本 HTTP 和承载令牌认证的文章就介绍到这了，希望我们推荐的答案对大家有所帮助，也希望大家多多支持IT屋！