如何在不传递用户名和传递url参数的情况下获取令牌?
[英]How to get token without passing username and pass in url parameters?
问题描述
In order to get token i post following request: 
为了获得令牌,我发布了以下请求:
http://example.com/wordpress/wp-json/jwt-auth/v1/token?username=MYLOGIN&password=MYPASSWORD and in response i get token - that's nice, but... what if i don't want to show username and login in requested URL, even a single time. http://example.com/wordpress/wp-json/jwt-auth/v1/token?username=MYLOGIN&password=MYPASSWORD ,作为回应,我得到了令牌-很好,但是...如果我不想显示怎么办用户名和登录请求的URL,甚至一次。
Everyone who can see my computer requests can catch my login and password easily. 可以看到我的计算机请求的每个人都可以轻松捕获我的登录名和密码。 Can I somehow hide this sensitive data in request headers instead of url parameters? 我可以以某种方式在请求标头而不是url参数中隐藏此敏感数据吗? I'm using "Chrome Insomnia" App to test REST api and next to PARAMS and HEADERS there is an AUTH tab where i can type username and password - maybe that is the place i could use to send user data to get access token without beeing seen easily? 我正在使用“ Chrome Insomnia”应用程序来测试REST api,并且在PARAMS和HEADERS旁边有一个AUTH选项卡,我可以在其中输入用户名和密码-也许这是我可以用来发送用户数据以获取访问令牌而不会冒犯的地方容易看到?
I tried to login using AUTH tab, but in response: 我尝试使用AUTH选项卡登录,但作为响应:
{
"code": "jwt_auth_bad_auth_header",
"message": "Authorization header malformed.",
"data": {
"status": 403
}
}
Please don't send me back to wp-api documentaion because i couldn't find a clear answer by reading the docs there. 请不要让我回到wp-api documentaion,因为我无法通过阅读那里的文档来找到明确的答案。
3 个解决方案
解决方案1
1 2016-06-05 11:21:35
Use OAuth . 使用OAuth 。
It is a secure way to authorize yourself on a REST-Api without having to send your username and password as plain text. 这是在REST-Api上授权自己的安全方法,而不必以纯文本形式发送用户名和密码。
The WP-API documentation has a section called OAuth Authentication . WP-API文档有一个名为OAuth Authentication的部分。 The API uses OAuth 1.0 . 该API使用OAuth 1.0 。 Basically you have to install the OAuth-Plugin, then generate a Client which automatically gets a Key and a Secret assigned. 基本上,您必须安装OAuth-Plugin,然后生成一个客户端 ,该客户端会自动获取分配的密钥和机密 。 You can use this pair for a secure authentification. 您可以将此对用于安全验证。
You can find more detailed information in the link I gave above, it is fairly simple to implement. 您可以在我上面给出的链接中找到更多详细信息,实现起来非常简单。
解决方案2
1 2016-08-24 00:23:51
To answer your original question on how you can keep people from seeing your passwords in Insomnia, it is recommended that you put sensitive data in an environment variable and reference it in your request. 要回答有关如何使人们免于失眠中的密码的原始问题,建议您将敏感数据放在环境变量中,并在请求中引用它。
You can define your environment JSON like this... 您可以像这样定义您的环境JSON ...
{
"username": "MyUsername",
"password": "MyPassword"
}
And reference them in the params tab (or anywhere else) using Nunjucks template syntax like {{ username }} and {{ password }} . 并使用诸如{{ username }}和{{ password }}类的Nunjucks模板语法在params选项卡(或其他任何位置)中引用它们。
Here's a link to the docs on Environment Variables inside Insomnia. 这是有关失眠中环境变量的文档的链接。
~ Gregory 〜格雷戈里
解决方案3
0 已采纳 2016-06-05 12:18:52
Although I agree OAuth (Really OpenID Connect) is a better solution, USE HTTPS. 尽管我同意OAuth(真正的OpenID Connect)是更好的解决方案,但还是请使用HTTPS。
Since the SSL/TLS is performed before you make the request, it will be encrypted over the network. 由于SSL / TLS是在发出请求之前执行的,因此将通过网络对其进行加密。
声明:本站的技术帖子网页,遵循CC BY-SA 4.0协议,如果您需要转载,请注明本站网址或者原文地址。任何问题请咨询:yoyou2525@163.com.