如果我只使用 OpenID,我应该为 401 上的 WWW-Authenticate 标头传递什么?
HTTP 规范指出:
10.4.2 401 未经授权
该请求需要用户身份验证。 响应必须包含 WWW-Authenticate 标头字段(第 14.47 节)包含适用于所请求资源的质询。
如果我支持的唯一登录方案是 OpenID(或 CAS、OAuth 令牌等),我应该在此字段中输入什么? 也就是说,我如何指示客户端需要预身份验证并创建会话,而不是尝试随每个请求一起发送凭据?
在您回答“不要发送 401;发送 3xx 重定向到 OpenID 登录页面”之前,对于非 HTML 客户端呢? 例如,Stack Overflow 如何提供我的自定义软件可以与之交互的 API?
The HTTP spec states:
10.4.2 401 Unauthorized
The request requires user authentication. The response MUST include a WWW-Authenticate
header field (section 14.47) containing a challenge applicable to the requested resource.
If the only login scheme I support is OpenID (or CAS, or OAuth tokens, &c.), what should I put in this field? That is, how do I indicate that the client needs to pre-authenticate and create a session rather than try to send credentials along with each request?
Before you answer, "don't send a 401; send a 3xx redirecting to the OpenID login page," what about for non-HTML clients? How, for example, would Stack Overflow do an API that my custom software could interact with?
如果你对这篇内容有疑问,欢迎到本站社区发帖提问 参与讨论,获取更多帮助,或者扫码二维码加入 Web 技术交流群。
绑定邮箱获取回复消息
由于您还没有绑定你的真实邮箱,如果其他用户或者作者回复了您的评论,将不能在第一时间通知您!
发布评论
评论(2)
根据 RFC2617 的
auth-scheme
可以是任何东西; 如果您确实想要 401,那么从技术上讲,您不会通过编写类似WWW-Authenticate: OpenID Realm="My Realm" location="http://my/login/ 的内容来破坏规范位置”
。 话虽如此,当你这样做时其他人的代码的行为当然是未定义的。 :-)According to RFC2617 the
auth-scheme
can be anything; if you really want a 401 you're not technically breaking spec by making something up likeWWW-Authenticate: OpenID realm="My Realm" location="http://my/login/location"
. Having said that, behaviour of other people's code when you do that is of course undefined. :-)有一个 OAuth Discovery 规范,它将指示要放入 WWW-Authenticate 标头中的内容 - 如果如果没有替代规范,该规范还没有过时。
There is an OAuth Discovery spec that would indicate what to put into the WWW-Authenticate header -- if the spec were not obsolete without a replacement spec yet.