Custom HTTP Authorization Header


Problem description

I was wondering if it's acceptable to put custom data in an HTTP authorization header. We're designing a RESTful API and we may need a way to specify a custom method of authorization. As an example, let's call it FIRE-TOKEN authentication.

Would something like this be valid and allowed according to the spec: Authorization: FIRE-TOKEN 0PN5J17HBGZHT7JJ3X82:frJIUN8DYpKDtOLCwo//yllqDzg=

The first part of the second string (before the ':') is the API key, the second part is a hash of the query string.

Recommended answer

The format defined in RFC2617 is credentials = auth-scheme #auth-param. So, in agreeing with fumanchu, I think the corrected authorization scheme would look like

Authorization: FIRE-TOKEN apikey="0PN5J17HBGZHT7JJ3X82", hash="frJIUN8DYpKDtOLCwo//yllqDzg="

Where FIRE-TOKEN is the scheme and the two key-value pairs are the auth parameters. Though I believe the quotes are optional (from Appendix B of p7-auth-19)...

auth-param = token BWS "=" BWS ( token / quoted-string )

I believe this fits the latest standards, is already in use (see below), and provides a key-value format for simple extension (if you need additional parameters).

Some examples of this auth-param syntax can be seen here...

http://tools.ietf.org/html/draft-ietf-httpbis-p7-auth-19#section-4.4

https://developers.google.com/youtube/2.0/developers_guide_protocol_clientlogin

https://developers.google.com/accounts/docs/AuthSub#WorkingAuthSub
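
A server-side parser for the auth-param grammar quoted in the answer, added here as an example and not part of the original question or answer. It shows that the quotes are optional only for values that are themselves tokens: the sample hash contains "/" and "=", which are not token characters, so it parses only in quoted form. The function names and the constructed UNQUOTED_FORM value are assumptions made for this example.

```python
import re

# Grammar quoted in the answer: auth-param = token BWS "=" BWS ( token / quoted-string )
TOKEN = r"[!#$%&'*+\-.^_`|~0-9A-Za-z]+"      # tchar set: no "/", ":" or "="
QUOTED = r'"(?:[^"\\]|\\.)*"'                 # quoted-string with backslash escapes
PARAM = re.compile(rf"[ \t]*({TOKEN})[ \t]*=[ \t]*({TOKEN}|{QUOTED})[ \t]*(,|$)")
SCHEME = re.compile(rf"({TOKEN}) +")

# Header values taken from the page; UNQUOTED_FORM is constructed for this example.
ANSWER_FORM = 'FIRE-TOKEN apikey="0PN5J17HBGZHT7JJ3X82", hash="frJIUN8DYpKDtOLCwo//yllqDzg="'
QUESTION_FORM = "FIRE-TOKEN 0PN5J17HBGZHT7JJ3X82:frJIUN8DYpKDtOLCwo//yllqDzg="
UNQUOTED_FORM = "FIRE-TOKEN apikey=0PN5J17HBGZHT7JJ3X82, hash=frJIUN8DYpKDtOLCwo//yllqDzg="


def parse_authorization(value):
    """Return (scheme, params) or raise ValueError if the value breaks the grammar."""
    m = SCHEME.match(value)
    if not m:
        raise ValueError("expected auth-scheme followed by auth-params")
    scheme, pos, params, sep = m.group(1), m.end(), {}, ","
    while pos < len(value):
        m = PARAM.match(value, pos)
        if not m:
            raise ValueError(f"malformed auth-param at offset {pos}")
        name, raw, sep = m.group(1).lower(), m.group(2), m.group(3)
        if name in params:
            raise ValueError(f"duplicate auth-param {name!r}")
        if raw.startswith('"'):
            raw = re.sub(r"\\(.)", r"\1", raw[1:-1])  # strip quotes, undo escapes
        params[name] = raw
        pos = m.end()
    if sep == ",":
        raise ValueError("missing auth-param after scheme or comma")
    return scheme, params


def accepts(value):
    """True when the value parses; a server would answer 401 otherwise."""
    try:
        parse_authorization(value)
        return True
    except ValueError:
        return False


if __name__ == "__main__":
    print(parse_authorization(ANSWER_FORM))
    print(accepts(QUESTION_FORM), accepts(UNQUOTED_FORM))
```

Rejecting duplicate parameter names and trailing commas is a strictness choice of this example, made so that two components reading the same header cannot disagree about which apikey or hash applies.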
