Customize the Authorization HTTP header

Views: 54

Question

I need to authenticate a client when he sends a request to an API. The client has an API-token and I was thinking about using the standard Authorization header for sending the token to the server.

Normally this header is used for Basic and Digest authentication. But I don't know if I'm allowed to customize the value of this header and use a custom authentication scheme, e.g:

Authorization: Token 1af538baa9045a84c0e889f672baf83ff24

Would you recommend this or not? Or is there a better approach for sending the token?

Answer

You can create your own custom auth schemas that use the Authorization: header - for example, this is how OAuth works.

As a general rule, if servers or proxies don't understand the values of standard headers, they will leave them alone and ignore them. It is creating your own header keys that can often produce unexpected results - many proxies will strip headers with names they don't recognise.

Having said that, it is possibly a better idea to use cookies to transmit the token, rather than the Authorization: header, for the simple reason that cookies were explicitly designed to carry custom values, whereas the specification for HTTP's built-in auth methods does not really say either way - if you want to see exactly what it does say, have a look here.

The other point about this is that many HTTP client libraries have built-in support for Digest and Basic auth but may make life more difficult when trying to set a raw value in the header field, whereas they will all provide easy support for cookies and will allow more or less any value within them.
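The following is an added example, not code from the question or the answer above, showing what a server has to do to accept the custom `Token` scheme the question proposes (and, by the same parser, Basic/Bearer credentials as the answer mentions). It parses the `Authorization` value against the RFC 7235 `auth-scheme [ SP token68 ]` grammar, looks the token up by digest, and returns the `WWW-Authenticate` challenge that RFC 7235 requires on every 401. The function names, the `realm="api"` challenge and the in-memory token store are assumptions for the example.

```python
import hashlib
import re
import secrets
from typing import Dict, Optional, Tuple

# RFC 7235 credentials grammar, simplified to the single-argument form:
#   credentials = auth-scheme [ 1*SP token68 ]
# The scheme is an RFC 7230 token and is compared case-insensitively; token68
# is the base64-style blob used by Basic, Bearer and the proposed "Token" scheme.
_AUTH_RE = re.compile(
    r"^(?P<scheme>[!#$%&'*+.^_`|~0-9A-Za-z-]+)"      # auth-scheme
    r"(?:[ \t]+(?P<creds>[A-Za-z0-9._~+/-]+=*))?"     # optional token68
    r"[ \t]*$"
)

# Constructed token store for the example: sha256(token) -> client id.  Storing
# the digest rather than the token means a leaked table yields no usable
# credentials, and looking up by digest avoids comparing the secret byte by byte.
_TOKEN_DIGESTS: Dict[str, str] = {}

# The challenge every 401 must carry (RFC 7235), naming our custom scheme.
# The realm value is an assumption for this example.
_CHALLENGE = {"WWW-Authenticate": 'Token realm="api"'}


def issue_token(client_id: str) -> str:
    """Mint a random 128-bit API token for client_id, register its digest, return the token."""
    token = secrets.token_hex(16)          # 32 hex chars, like the token in the question
    _TOKEN_DIGESTS[hashlib.sha256(token.encode("ascii")).hexdigest()] = client_id
    return token


def parse_authorization(value: str) -> Optional[Tuple[str, Optional[str]]]:
    """Split an Authorization value into (scheme, token68); None if it is malformed."""
    m = _AUTH_RE.match(value)
    if m is None:
        return None
    return m.group("scheme").lower(), m.group("creds")


def authenticate(headers: Dict[str, str]) -> Tuple[int, Dict[str, str], Optional[str]]:
    """Authenticate a request from its header map.

    Returns (status, response_headers, client_id): 200 with the client id on
    success, 400 for syntactically invalid credentials, 401 plus a
    WWW-Authenticate challenge for a missing, foreign-scheme or unknown token.
    """
    # Header field names are case-insensitive, so normalise before lookup.
    value = next((v for k, v in headers.items() if k.lower() == "authorization"), None)
    if value is None:
        return 401, dict(_CHALLENGE), None
    parsed = parse_authorization(value)
    if parsed is None:
        return 400, {}, None
    scheme, creds = parsed
    if scheme != "token" or creds is None:
        # e.g. Basic or Bearer credentials, or "Token" with nothing after it
        return 401, dict(_CHALLENGE), None
    client = _TOKEN_DIGESTS.get(hashlib.sha256(creds.encode("ascii")).hexdigest())
    if client is None:
        return 401, dict(_CHALLENGE), None
    return 200, {}, client


if __name__ == "__main__":
    tok = issue_token("client-42")
    print(authenticate({"Authorization": f"Token {tok}"}))        # (200, {}, 'client-42')
    print(authenticate({"authorization": f"TOKEN {tok}"}))        # scheme is case-insensitive
    print(authenticate({"Authorization": "Basic dXNlcjpwYXNz"}))  # 401 with the challenge
    print(authenticate({}))                                       # 401 with the challenge
```

Two points the code makes concrete: the scheme name is matched case-insensitively, so `token`, `Token` and `TOKEN` are the same scheme, and a request carrying `Basic` or `Bearer` credentials gets a 401 with a challenge rather than a 400, because the syntax is valid and only the scheme is unsupported. If you instead take the cookie route the answer suggests, remember that browsers attach cookies to cross-site requests automatically, so a cookie-borne token needs CSRF protection; a custom `Authorization` header cannot be set by a cross-origin page without an explicit CORS preflight allowing it.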
