为什么我们更喜欢 Authorization Header 向服务器发送承载令牌而不是 URL 编码等其他技术 [英] Why do we prefer Authorization Header to send bearer token to server over other techniques like URL encoding

问题描述

为什么授权头主要用于向服务器发送不记名令牌?为什么我们不将我们的授权令牌作为 URL 参数发送或将其作为 json 负载与请求正文一起发布?

Why Authorization header is mostly used to send a bearer token to server? Why don't we send our authorization token as URL parameter or post it as json payload with the request body?

推荐答案

Headers 非常适合保存这些数据，它们独立于请求类型.

Headers are perfect to hold these data, they are independent of request type.

您可以在正文中发送授权令牌，甚至其他所有内容，例如Content-Type、Content-Length、缓存标头，但请求类型不同(POST,GET..) 可以有不同的请求正文格式.GET 使用查询参数 POST/PUT 以编码形式在正文中发送数据(使用Content-输入:application/x-www-form-urlencoded 使服务器知道传入的数据格式)，Content-Type:application/json 与正文中的 JSON、XML 和其他.多部分请求的情况会变得更加复杂(请查看 https://stackoverflow.com/a/19712083/1017363).

You could send Authorization token in body, even everything other like Content-Type, Content-Length, cache headers also but different request types (POST,GET..) could have different request body format. GET sends data using query parameters POST/PUT in encoded form in the body (with Content-Type: application/x-www-form-urlencoded to make server aware of incomming data format), Content-Type: application/json with JSON in body, XML and others. Things get more complicated on multipart requests (check this https://stackoverflow.com/a/19712083/1017363).

因此，您可以在正文或查询中看到授权令牌，这使客户端和服务器端的事情变得更加复杂.客户端应该知道如何在每个请求上适应"授权令牌，然后服务器应该知道如何读取这个值.

So as you can see authorization token in body or query makes things more complicated on client and server side. Client should know how to "fit" authorization token on every request and server should know then how to read this value.

这篇关于为什么我们更喜欢 Authorization Header 向服务器发送承载令牌而不是 URL 编码等其他技术的文章就介绍到这了，希望我们推荐的答案对大家有所帮助，也希望大家多多支持IT屋！