RESTful API中的信令身份验证失败 [英] Signalling authentication failure in a RESTful API
问题描述
我正在编写一个小型应用程序,它公开了一个简单的REST-ish HTTP API。由于缺乏授权,我一直试图决定如何发出失败信号。
I'm writing a small application which exposes a simple REST-ish HTTP API. I'm stuck trying to decide how to signal a failure due to a lack of authorization.
该应用程序没有用于身份验证的API,而是取决于是否存在包含客户通过其他服务获得的会话令牌的cookie。该应用程序验证会话并使用通过验证过程获得的身份来执行特定于应用程序的授权。客户端无法直接向此应用程序进行身份验证。
The app does not have an API for authentication, but instead depends upon the presence of a cookie containing a session token obtained by the client via another service. The app verifies the session and uses the identity obtained through the verification process to perform app-specific authorization. There is no way for a client to authenticate directly to this app.
我的问题是,指定用于拒绝未授权请求的明显HTTP状态代码401 Unauthorized,就WWW-Authenticate标题而言。请参阅 rfc2616 sec 10.4.2 。
My problem is that the obvious HTTP status code for rejecting unauthorized requests, "401 Unauthorized", is specified in terms of the "WWW-Authenticate" header. See rfc2616 sec 10.4.2.
响应必须包含
WWW-Authenticate头字段(部分
14.47),其中包含适用于所请求资源的质询。
The response MUST include a WWW-Authenticate header field (section 14.47) containing a challenge applicable to the requested resource.
我无法相信这是一个不寻常的问题。简单地重载401以包含更多一般用途是否常见?那些浏览器弹出auth / e对话框(顺便提一下,我在测试中没有看到,所以也许POST不会发生)?
I can't believe this is an uncommon problem. Is it common to simply overload 401 to include more general uses? What about browsers popping up auth/e dialogs (which incidentally I haven't seen in my testing, so maybe it doesn't happen for POSTs)?
底线:在这种情况下使用401是否可以,或者是否有更好的解决方案?
Bottom line: is it OK to use 401 in this context, or is there a better solution?
推荐答案
通常,你会发送401如果客户端可以验证并解决问题,但由于您没有提供在API中进行身份验证的方法,我建议您返回403错误(禁止)。这不需要标头,并将向客户端指示它无法访问该服务。
Typically, you'd send a 401 if the client can authenticate and solve the problem, but since you don't provide a way to authenticate in the API, I'd suggest returning a 403 error (forbidden) instead. This won't require the header and will indicate to the client that it is unable to access the service.
这篇关于RESTful API中的信令身份验证失败的文章就介绍到这了,希望我们推荐的答案对大家有所帮助,也希望大家多多支持IT屋!
