Adding domain as parameter to HTTP basic authentication
I am writing a REST API with HTTP basic authentication, but in some cases a username and password are not enough for my server to authenticate the user; I need a domain name as another parameter to authenticate the user.
Why? Because my server authenticates users against some third-party services, and those services may require username, password and domain as credential data.
How can I add another parameter to the basic authentication data? Is that allowed?
If the standard HTTP headers don't fit your needs, you can create custom HTTP headers.
However, all authentication data should be sent in the standard HTTP Authorization header. From RFC 7235:
4.2. Authorization
The Authorization header field allows a user agent to authenticate itself with an origin server -- usually, but not necessarily, after receiving a 401 (Unauthorized) response. Its value consists of credentials containing the authentication information of the user agent for the realm of the resource being requested. [...]
Note that the name of this HTTP header is unfortunate, since it carries authentication information rather than authorization.
Regarding the HTTP Basic authentication scheme, RFC 7617 defines it as follows:
2. The 'Basic' Authentication Scheme
The Basic authentication scheme is based on the model that the client needs to authenticate itself with a user-id and a password for each protection space ("realm"). [...] The server will service the request only if it can validate the user-id and password for the protection space applying to the requested resource.
[...]
To receive authorization, the client
obtains the user-id and password from the user,
constructs the user-pass by concatenating the user-id, a single colon (":") character, and the password,
encodes the user-pass into an octet sequence,
and obtains the basic-credentials by encoding this octet sequence using Base64 into a sequence of US-ASCII characters.
[...]
If the user agent wishes to send the user-id "Aladdin" and password "open sesame", it would use the following header field:
Authorization: Basic QWxhZGRpbjpvcGVuIHNlc2FtZQ==
[...]
RFC 7617 says nothing about using a domain in Basic authentication.
But assuming the user-id is composed of a domain name and a user name, separating the two with @ seems perfectly valid, like this:
user-id = username + @ + domain
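The following is an added example, not code from the original answer or the asker's API, showing both halves of what the answer describes: building the RFC 7617 credentials (checked against the RFC's own "Aladdin" value) with the domain folded into the user-id as username@domain, and a server-side parser that splits on the first colon only (passwords may contain colons) and on the last "@" (assumed here: a domain never contains "@", a username might). The per-domain credential directory and the authenticate() helper are constructed stand-ins for the third-party service the question mentions.

```python
import base64
import binascii
import hmac
from typing import Dict, NamedTuple, Optional


class Credentials(NamedTuple):
    username: str
    domain: Optional[str]
    password: str


def build_basic_header(username: str, password: str, domain: Optional[str] = None) -> str:
    """Build an Authorization header value per RFC 7617.

    user-id is "username" or "username@domain"; user-pass is user-id ":" password,
    UTF-8 encoded and then Base64 encoded. RFC 7617 forbids a colon in the user-id.
    """
    user_id = username if domain is None else f"{username}@{domain}"
    if ":" in user_id:
        raise ValueError("user-id must not contain a colon")
    user_pass = f"{user_id}:{password}".encode("utf-8")
    return "Basic " + base64.b64encode(user_pass).decode("ascii")


def parse_basic_header(header_value: str) -> Optional[Credentials]:
    """Parse an Authorization header value; return None on any malformed input."""
    scheme, _, token = header_value.strip().partition(" ")
    if scheme.lower() != "basic" or not token.strip():
        return None
    try:
        user_pass = base64.b64decode(token.strip(), validate=True).decode("utf-8")
    except (binascii.Error, UnicodeDecodeError):
        return None
    # Split on the FIRST colon only: the password itself may contain colons.
    user_id, sep, password = user_pass.partition(":")
    if not sep:
        return None
    # Split the user-id on the LAST "@" (assumption for this example: the domain
    # never contains "@", while a username might, e.g. e-mail style logins).
    username, at, domain = user_id.rpartition("@")
    if not at:
        return Credentials(user_id, None, password)  # no domain supplied
    if not username or not domain:
        return None  # "@corp.example" or "alice@" are malformed
    return Credentials(username, domain, password)


# Constructed sample directory: domain -> {username: password}. In the question's
# setup this lookup would instead be a call to the per-domain third-party service.
DIRECTORY: Dict[str, Dict[str, str]] = {
    "corp.example": {"alice": "correct horse"},
    "lab.example": {"alice": "battery staple"},
}


def authenticate(creds: Optional[Credentials], directory: Dict[str, Dict[str, str]]) -> bool:
    """Validate parsed credentials against the (constructed) per-domain directory.

    compare_digest keeps comparison time independent of where the secrets differ,
    and a dummy comparison runs for unknown users so their absence is not timed.
    """
    if creds is None or creds.domain is None:
        return False  # this deployment requires a domain
    expected = directory.get(creds.domain, {}).get(creds.username)
    if expected is None:
        hmac.compare_digest(creds.password.encode("utf-8"), b"\x00")
        return False
    return hmac.compare_digest(creds.password.encode("utf-8"), expected.encode("utf-8"))


if __name__ == "__main__":
    header = build_basic_header("alice", "correct horse", domain="corp.example")
    print(header)
    print(parse_basic_header(header))
    print(authenticate(parse_basic_header(header), DIRECTORY))
```

Because the same username exists under two domains in the sample directory, the example also shows why the domain has to be part of the lookup key rather than a hint: the password that is valid for alice@corp.example is rejected for alice@lab.example.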