请求中的HTTP授权标头一致性 [英] HTTP Authorization header consistency in requests

问题描述

HTTP规范说;

HTTP身份验证在HTTP身份验证：
基本和摘要访问身份验证[43]中有所描述。如果请求是
身份验证并且指定了域，则相同的凭证应该对该域内的所有其他请求有效（假设认证方案本身不需要
，例如
作为凭据根据挑战值或使用
同步时钟而变化。

我真的不明白这意味着什么，但这里是我的情况，这里有什么反对HTTP规范？我使用Java Rest服务

I don't really understand what this means, but here is my scenario is there anything against HTTP specs here? I use Java Rest service

• 客户端使用 HTTP Basic
使用HTTP Authorization标头发送用户名：密码

• 服务器发回一个令牌


• 现在，客户端在HTTP授权标头中发送自定义授权令牌而不是密码以进一步请求仍然 strong>仍然使用 HTTP基本用户名：令牌

• Client sends username:password using HTTP Authorization header using HTTP Basic
• Server sends back a token
• Now client sends a custom authorization token instead of password for further requests still in the HTTP authorization header still using HTTP Basic username:token

现在这感觉不对劲我真正使用身份验证令牌做的不是实际的HTTP基本授权。请求之间使用相同的标头也不一致。

Now this does not feel right since what I am really doing with the auth token is NOT an actual HTTP Basic authorization. Also usage of the very same header is inconsistent between requests.

但另一方面，我不想为令牌交换创建另一个自定义标头。因为当您使用自定义标头时，难以使用测试工具对其进行编码。请求之间仍然存在不一致的标头。

But on the other hand I do not want create yet another custom header for the token exchange. Because its hard to base64 encode them with test tools when you use a custom header. And still inconsistent headers between requests.

注意：这些请求涉及不同的端点

Note: these requests refers to different endpoints

您有什么建议？

推荐答案

如果你这样做，既然你使用相同的标题，那么你是不是需要服务器端逻辑来区分当登录是实际登录时，而不是您的令牌？在一天结束时，HTTP授权已经是一个令牌（只是用户名/密码字符串的简单编码版本），所以在所有情况下你都收到一个令牌，现在你必须解码它，决定它是否是你的一个会话令牌，或者如果它是用户名/密码，因此请检查两个好令牌来源。

If you do that, since you are using the same headers, aren't you going to need server side logic to differentiate when the login is the actual login, as opposed to your token? At the end of the day, HTTP Authorization is already a token (only a simple encoded version of the username/password string), so in all cases you are receiving a token, now you have to decode it, decide if it's one of your session tokens, or if it's a username/password, and therefore check against two sources of "good tokens".

我会建议不要这样做，但不是因为你是打破标准，只是感到错综复杂。

I would advice against this, but not because you're breaking standards, it just feels convoluted.

为什么你需要在第一个地方更改用户名/密码到令牌？您是否重定向到不再需要HTTP Basic Auth的端点？

Why do you need to change username/password to a token on the first place? Are you redirecting to an endpoint where you no longer require HTTP Basic Auth?

这篇关于请求中的HTTP授权标头一致性的文章就介绍到这了，希望我们推荐的答案对大家有所帮助，也希望大家多多支持IT屋！