如果我只使用 OpenID,我应该为 401 上的 WWW-Authenticate 标头传递什么? [英] What should I pass for the WWW-Authenticate header on 401s if I'm only using OpenID?
问题描述
HTTP 规范指出:
10.4.2 401 未经授权
请求需要用户身份验证.响应必须包含一个 WWW-Authenticate包含适用于所请求资源的质询的标头字段(第 14.47 节).
The request requires user authentication. The response MUST include a WWW-Authenticate header field (section 14.47) containing a challenge applicable to the requested resource.
如果我支持的唯一登录方案是 OpenID(或 CAS、或 OAuth 令牌等),我应该在此字段中输入什么?也就是说,我如何指示客户端需要预验证并创建会话,而不是尝试随每个请求一起发送凭据?
If the only login scheme I support is OpenID (or CAS, or OAuth tokens, &c.), what should I put in this field? That is, how do I indicate that the client needs to pre-authenticate and create a session rather than try to send credentials along with each request?
在您回答不要发送 401;发送 3xx 重定向到 OpenID 登录页面"之前,对于非 HTML 客户端怎么办?例如,Stack Overflow 将如何实现我的自定义软件可以与之交互的 API?
Before you answer, "don't send a 401; send a 3xx redirecting to the OpenID login page," what about for non-HTML clients? How, for example, would Stack Overflow do an API that my custom software could interact with?
推荐答案
根据RFC2617 auth-scheme
可以是任何东西;如果你真的想要一个 401,你并没有技术上通过制作类似 WWW-Authenticate: OpenID realm=My Realm"之类的东西来破坏规范.位置=http://my/login/location"
.话虽如此,当你这样做时其他人的代码的行为当然是未定义的.:-)
According to RFC2617 the auth-scheme
can be anything; if you really want a 401 you're not technically breaking spec by making something up like WWW-Authenticate: OpenID realm="My Realm" location="http://my/login/location"
. Having said that, behaviour of other people's code when you do that is of course undefined. :-)
这篇关于如果我只使用 OpenID,我应该为 401 上的 WWW-Authenticate 标头传递什么?的文章就介绍到这了,希望我们推荐的答案对大家有所帮助,也希望大家多多支持IT屋!