HTTP Status Code for Authenticated but Unauthorized?
If a request has been authenticated (per The OAuth 2.0 Authorization Framework: Bearer Token Usage: Authorization Request Header Field) but the authenticated user is not authorized to view the requested resource, which HTTP status code should a REST API respond with?
For example, suppose I request to view a user's profile: GET /users/123. I authenticate successfully, but that user has blocked me. Which HTTP status code should the server respond with?
Related:
- Authentication versus Authorization
The code you need is 403 Forbidden:
From Wikipedia:
A 403 response generally indicates one of two conditions:
- Authentication was provided, but the authenticated user is not permitted to perform the requested operation.
- The operation is forbidden to all users. For example, requests for a directory listing return code 403 when directory listing has been disabled.
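The distinction the answer draws (401 when the server cannot establish who the caller is, 403 when it can but that identity is not permitted) is easiest to see in a handler that makes both decisions in order. The following is an added example, not code from the question or answer; the token table, the block list, the `example` realm and the helper names are constructed for illustration.

```python
import hmac
from typing import Dict, Optional, Tuple

# Constructed sample data. A real service would look tokens up in a store or
# via an introspection endpoint; the shape of the decisions is the same.
TOKENS = {
    "tok-alice-9f1c": "alice",
    "tok-bob-4e77": "bob",
}
# Owners of a profile and the users they have blocked.
BLOCKED_BY = {
    "123": {"alice"},   # user 123 has blocked alice
}
PROFILES = {"123": {"id": "123", "name": "carol"}}


def authenticate(headers: Dict[str, str]) -> Tuple[Optional[str], Optional[str]]:
    """Validate an RFC 6750 bearer token.

    Returns (user, error). user is None when authentication failed; error is
    then an RFC 6750 error code, or None when no credentials were sent at all.
    """
    auth = headers.get("Authorization", "")
    if not auth:
        return None, None
    scheme, _, token = auth.partition(" ")
    if scheme.lower() != "bearer" or not token:
        return None, "invalid_request"
    # Constant-time comparison so token lookup does not leak via timing.
    for issued, user in TOKENS.items():
        if hmac.compare_digest(issued, token):
            return user, None
    return None, "invalid_token"


def get_profile(headers: Dict[str, str], profile_id: str):
    """Handle GET /users/{profile_id}; returns (status, response_headers, body)."""
    user, error = authenticate(headers)
    if user is None:
        # 401: identity not established. RFC 6750 section 3 requires a
        # WWW-Authenticate challenge, with an error code when a token was sent.
        challenge = 'Bearer realm="example"'
        if error:
            challenge += f', error="{error}"'
        return 401, {"WWW-Authenticate": challenge}, None
    if profile_id not in PROFILES:
        return 404, {}, None
    if user in BLOCKED_BY.get(profile_id, set()):
        # 403: identity established, but this identity may not view this resource.
        # Re-sending the same credentials will not help, so no challenge is sent.
        return 403, {}, None
    return 200, {}, PROFILES[profile_id]


if __name__ == "__main__":
    print(get_profile({}, "123"))                                        # 401, no credentials
    print(get_profile({"Authorization": "Bearer nope"}, "123"))          # 401, invalid_token
    print(get_profile({"Authorization": "Bearer tok-alice-9f1c"}, "123"))  # 403, blocked
    print(get_profile({"Authorization": "Bearer tok-bob-4e77"}, "123"))    # 200
```

One design caveat: a 403 on GET /users/123 confirms to the blocked caller that user 123 exists. APIs that treat a block as something the blocked party should not be able to detect return 404 for that case instead; that is a product decision, not a change to the 401/403 rule above.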