Multiple authentication schemes for HTTP 'Authorization' Header
Problem description
For our api user we need two styles of authentication:
- Authenticate the api-user (mobile device, partner integration)
- Authenticate a specific normal user, who has data on our side
The standard challenge vs. response is handled through WWW-Authenticate and Authorization Headers. I want to reuse this.
I have the following use-case: On the first level we authenticate the api-user (e.g. mobile device), for some api-actions we also need to authenticate a user (e.g. user of mobile device). So we have a special case where we need two authentication schemes "at once".
Looking at http://www.w3.org/Protocols/rfc2616/rfc2616-sec14.html I cannot see that having two different schemes inside one 'Authorization' Header is possible.
// I just made up delimiter ';'
Authorization: Digest .... ; CustomXXX ...
Am I correct? If so, is there an alternative?
Recommended answer
No, Authorization can only take one set of credentials.
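Added example, not part of the original question or answer: a strict server-side parser for the Authorization value, following the RFC 7235 grammar (one auth-scheme, then either a token68 or a comma-separated auth-param list), which shows why a second scheme appended with a made-up ';' delimiter fails to parse. The function name, the exception class, the sample header values and the policy of rejecting repeated Authorization lines are assumptions chosen for this illustration.

```python
import re

# RFC 7235: credentials = auth-scheme [ 1*SP ( token68 / #auth-param ) ]
TOKEN = r"[!#$%&'*+\-.^_`|~0-9A-Za-z]+"
TOKEN68 = re.compile(r"[A-Za-z0-9\-._~+/]+=*\Z")
AUTH_PARAM = re.compile(
    rf'\s*({TOKEN})\s*=\s*(?:({TOKEN})|"((?:[^"\\]|\\.)*)")\s*(?:,|\Z)'
)


class BadAuthorization(ValueError):
    """Raised when the request does not carry exactly one credentials set."""


def parse_authorization(header_values):
    """Parse the Authorization field lines of one request.

    header_values: list of raw values, one per Authorization line received.
    Returns (scheme, token68_or_None, params_dict).
    """
    if len(header_values) != 1:  # policy assumed here: no repeated header lines
        raise BadAuthorization("expected exactly one Authorization header")
    scheme, _, rest = header_values[0].strip().partition(" ")
    if not re.fullmatch(TOKEN, scheme):
        raise BadAuthorization("invalid auth-scheme")
    rest = rest.strip()
    if not rest:
        return scheme, None, {}
    if TOKEN68.match(rest):  # e.g. the base64 blob of Basic or a Bearer token
        return scheme, rest, {}
    params, pos = {}, 0
    while pos < len(rest):
        m = AUTH_PARAM.match(rest, pos)
        if not m:  # anything that is not name=value[,] ends up here
            raise BadAuthorization(f"not an auth-param list at offset {pos}")
        name, quoted = m.group(1).lower(), m.group(3)
        if name in params:
            raise BadAuthorization(f"duplicate parameter {name}")
        params[name] = m.group(2) if quoted is None else re.sub(r"\\(.)", r"\1", quoted)
        pos = m.end()
    return scheme, None, params


if __name__ == "__main__":
    # Constructed sample values, not captured traffic.
    print(parse_authorization(['Digest username="bob", realm="api", nc=00000001']))
    try:
        parse_authorization(['Digest username="bob", realm="api" ; CustomXXX token="abc"'])
    except BadAuthorization as exc:
        print("rejected:", exc)
```
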