是否可以对 websocket 升级请求使用承载身份验证? [英] Is it possible to use bearer authentication for websocket upgrade requests?

问题描述

打开websocket连接的升级请求是标准的HTTP请求.在服务器端，我可以像其他任何人一样验证请求.就我而言，我想使用承载身份验证.不幸的是，在浏览器中打开 websocket 连接时无法指定 headers，这会让我相信不可能使用承载身份验证来验证 web socket升级请求.所以——我是不是遗漏了什么，还是真的不可能?如果不可能，这是设计使然，还是浏览器实现 websocket API 的明显疏忽?

The upgrade request for opening a websocket connection is a standard HTTP request. On the server side, I can authenticate the request like any other. In my case, I would like to use Bearer authentication. Unfortunately, there is no way to specify headers when opening a websocket connection in the browser, which would lead me to believe that it's impossible to use bearer authentication to authenticate a web socket upgrade request. So -- Am I missing something, or is it really impossible? If it is impossible, is this by design, or is this a blatant oversight in the browser implementation of the websocket API?

推荐答案

你说得对，由于 Javascript WebSocket API 的设计，目前无法使用 Authentication header.可以在此线程中找到更多信息:Websockets 客户端 API 中的 HTTP 标头

You are right, it is impossible for now to use Authentication header, because of the design of Javascript WebSocket API. More information can be found in this thread: HTTP headers in Websockets client API

但是，Bearer 身份验证类型允许名为access_token"的请求参数:http://self-issued.info/docs/draft-ietf-oauth-v2-bearer.html#query-param该方法兼容websocket连接.

However, Bearer authentication type allows a request parameter named "access_token": http://self-issued.info/docs/draft-ietf-oauth-v2-bearer.html#query-param This method is compatible with websocket connection.

这篇关于是否可以对 websocket 升级请求使用承载身份验证?的文章就介绍到这了，希望我们推荐的答案对大家有所帮助，也希望大家多多支持IT屋！