我应该通过对401S WWW身份验证标头,如果我只使用OpenID登录? [英] What should I pass for the WWW-Authenticate header on 401s if I'm only using OpenID?
问题描述
HTTP规范状态:
10.4.2 401未授权
请求需要用户验证。响应必须包含一个WWW身份验证
头字段(部分14.47)含有适用于所请求的资源的一个挑战。
The request requires user authentication. The response MUST include a WWW-Authenticate header field (section 14.47) containing a challenge applicable to the requested resource.
如果唯一的登录方式,我支持OpenID的是(或CAS或OAuth凭证,及放大器; C),我应该怎么把这个领域?也就是说,我怎么表明,客户端需要的 pre-身份验证的和,而不是创建一个会话尝试与每个请求一起发送凭据?
If the only login scheme I support is OpenID (or CAS, or OAuth tokens, &c.), what should I put in this field? That is, how do I indicate that the client needs to pre-authenticate and create a session rather than try to send credentials along with each request?
在你回答之前,不发送401;发送3XX重定向到OpenID的登录页面,非HTML客户怎么样?怎么样,比如,将堆栈溢出做我的定制软件可以与交互的API?
Before you answer, "don't send a 401; send a 3xx redirecting to the OpenID login page," what about for non-HTML clients? How, for example, would Stack Overflow do an API that my custom software could interact with?
推荐答案
根据 RFC2617 的 AUTH-方案
可以是任何东西;如果你真的想要一个401你不是的技术上的通过一些像 WWW验证打破规格:OpenID的境界=我的王国位置=HTTP://我/登录/位置
。话虽如此,当你这样做别人的code的行为当然是不确定的。 : - )
According to RFC2617 the auth-scheme
can be anything; if you really want a 401 you're not technically breaking spec by making something up like WWW-Authenticate: OpenID realm="My Realm" location="http://my/login/location"
. Having said that, behaviour of other people's code when you do that is of course undefined. :-)
这篇关于我应该通过对401S WWW身份验证标头,如果我只使用OpenID登录?的文章就介绍到这了,希望我们推荐的答案对大家有所帮助,也希望大家多多支持IT屋!