我的 REST 服务使用 OAuth 2.0 身份验证。我想使用浏览器(不使用客户端)测试一些 GET URL。我可以在 URL 中传递不记名 token 吗?
网址:www.example.com/employee/employeeId
最佳答案
您可以在 access_token
中传递它查询参数,见https://www.rfc-editor.org/rfc/rfc6750#section-2.3 ,但正如另一个答案中所述,它不是传递 token 的首选方式。它可能最终出现在日志、浏览器缓存等中。在这个方法中,规范说:
Because of the security weaknesses associated with the URI method
(see Section 5), including the high likelihood that the URL
containing the access token will be logged, it SHOULD NOT be used
unless it is impossible to transport the access token in the
"Authorization" request header field or the HTTP request entity-body. Resource servers MAY support this method.This method is included to document current use; its use is not
recommended, due to its security deficiencies (see Section 5) and
also because it uses a reserved query parameter name, which is
counter to URI namespace best practices, per "Architecture of the
World Wide Web, Volume One" [W3C.REC-webarch-20041215].
因此,您还应该意识到资源服务器(或 API)甚至可能不支持这种 token 传递方法。唯一必须实现的方法是 Authorization 头方法。
关于rest - 在 GET URL 中指定 OAuth token ,我们在Stack Overflow上找到一个类似的问题: https://stackoverflow.com/questions/29926041/