Multiple HTTP Authorization headers?


Question


Is it possible to include multiple Authorization Headers in an HTTP message? Specifically, I would like to include one of Bearer token type (passing an OAuth access token) and one of Basic type (passing a base64 encoded username:password).

GET /presence/alice HTTP/1.1 
Host: server.example.com
Authorization: Bearer mF_9.B5f-4.1JqM
Authorization: Basic YXNkZnNhZGZzYWRmOlZLdDVOMVhk


I see no reason this should not be possible, just wanted to vet it with the community to be sure.

Recommended answer


**** UPDATE Feb 2021 *** Please read the comments to this response. Their general conclusion seems to be that some web servers accept multiple Authorization schemes, but that it goes against RFC 7230/7235 ****


This should be possible, you just have to add a comma between field values, e.g.:

GET /presence/alice HTTP/1.1 
Host: server.example.com
Authorization: Bearer mF_9.B5f-4.1JqM, Basic YXNkZnNhZGZzYWRmOlZLdDVOMVhk


This is defined in RFC7230, section 3.2.2, Field Order:


A sender MUST NOT generate multiple header fields with the same field name in a message unless either the entire field value for that header field is defined as a comma-separated list [i.e., #(values)] or the header field is a well-known exception (as noted below).


A recipient MAY combine multiple header fields with the same field name into one "field-name: field-value" pair, without changing the semantics of the message, by appending each subsequent field value to the combined field value in order, separated by a comma. The order in which header fields with the same field name are received is therefore significant to the interpretation of the combined field value; a proxy MUST NOT change the order of these field values when forwarding a message.


I don't know whether all web servers accept this - at the time of writing I'm in the middle of a debate with a colleague about whether it should work or not.
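Added example (not part of the question or the answer above): a small Python checker that applies the RFC 7230 section 3.2.2 combining rule quoted in the answer to the request from the question, then tests whether the merged value still parses as one RFC 7235 credentials production. The grammar regexes are this example's own approximation of the RFC ABNF; what it shows is that merging two Authorization fields produces a value no single-credentials parser accepts, so a server is better off rejecting such a request than guessing which credential to honour.

```python
import re

# Constructed from the question's request: two Authorization header fields.
RAW_REQUEST = ("GET /presence/alice HTTP/1.1\r\nHost: server.example.com\r\n"
               "Authorization: Bearer mF_9.B5f-4.1JqM\r\n"
               "Authorization: Basic YXNkZnNhZGZzYWRmOlZLdDVOMVhk\r\n\r\n")

# RFC 7230 token and RFC 7235 token68 / quoted-string, assembled into the
# credentials production:  auth-scheme [ 1*SP ( token68 / #auth-param ) ]
_TOKEN = r"[!#$%&'*+\-.^_`|~0-9A-Za-z]+"
_TOKEN68 = r"[A-Za-z0-9\-._~+/]+=*"
_QUOTED = r'"(?:[^"\\]|\\.)*"'
_PARAM = rf"{_TOKEN}\s*=\s*(?:{_TOKEN}|{_QUOTED})"
_CREDENTIALS = re.compile(rf"(?P<scheme>{_TOKEN})"
                          rf"(?:\s+(?P<rest>{_TOKEN68}|{_PARAM}(?:\s*,\s*{_PARAM})*))?\s*")

def parse_header_fields(raw):
    """Header section as an ordered list of (lower-cased name, value); request line skipped."""
    lines = raw.split("\r\n\r\n", 1)[0].split("\r\n")[1:]
    return [(n.strip().lower(), v.strip()) for n, _, v in (ln.partition(":") for ln in lines)]

def combine_fields(fields):
    """Merge repeated fields exactly as RFC 7230 section 3.2.2 allows for list-valued headers."""
    combined = {}
    for name, value in fields:
        combined[name] = f"{combined[name]}, {value}" if name in combined else value
    return combined

def parse_credentials(value):
    """Parse one RFC 7235 credentials value; raise if the text is not exactly one."""
    m = _CREDENTIALS.fullmatch(value)
    if not m:
        raise ValueError(f"not a single credentials value: {value!r}")
    return m.group("scheme"), m.group("rest")

def check_authorization(raw):
    """Server-side check: refuse ambiguous Authorization data instead of guessing."""
    fields = parse_header_fields(raw)
    count = sum(1 for name, _ in fields if name == "authorization")
    if count > 1:
        return ("reject", f"{count} Authorization fields; the header is not a comma-separated list")
    if count == 0:
        return ("none", None)
    try:
        return ("ok", parse_credentials(combine_fields(fields)["authorization"]))
    except ValueError as exc:
        return ("reject", str(exc))
```

Running `check_authorization(RAW_REQUEST)` rejects the question's request outright, and feeding it the answer's comma-joined form is rejected too because the joined text is no longer one credentials value; a Digest-style auth-param list with a quoted comma still parses, which is the case the comma rule was written for.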
