简体繁体 English

授权标头中不属于用户的令牌的HTTP状态代码

[英]HTTP status code for token in the Authorization header that doesn't belong to the user

原文 2019-01-10 07:00:52 6 2 java/ http/ authorization/ http-status-codes

Can you recommend which HTTP status code is suitable to be returned when a user tries to use another users token? 您可以推荐一个用户尝试使用另一个用户令牌时适合返回的HTTP状态代码吗？ 401 or 400 ? 401或400 ？

2 个解决方案

HTTP 403 Forbidden The server understood the request but refuses to authorize it. HTTP 403 禁止 服务器理解了请求，但拒绝授权。 is better for your situation. 更适合您的情况。

403 would be the most appropriate response code. 403是最合适的响应代码。 Here's the complete description from RFC 7231 . 这是RFC 7231的完整描述。

The 403 (Forbidden) status code indicates that the server understood the request but refuses to authorize it. 403（禁止）状态码表示服务器理解了请求，但拒绝授权。 A server that wishes to make public why the request has been forbidden can describe that reason in the response payload (if any). 希望公开为什么禁止请求的服务器可以在响应有效负载（如果有）中描述该原因。

If authentication credentials were provided in the request, the server considers them insufficient to grant access. 如果请求中提供了身份验证凭据，则服务器认为它们不足以授予访问权限。 The client SHOULD NOT automatically repeat the request with the same credentials. 客户端不应该自动使用相同的凭据重复请求。 The client MAY repeat the request with new or different credentials. 客户端可以用新的或不同的证书重复请求。 However, a request might be forbidden for reasons unrelated to the credentials. 但是，出于与凭据无关的原因，可能会禁止请求。

An origin server that wishes to "hide" the current existence of a forbidden target resource MAY instead respond with a status code of 404 (Not Found). 希望“隐藏”当前存在的禁止目标资源的原始服务器可以使用状态代码404（未找到）进行响应。

The 2nd paragraph applies to your scenario. 第二段适用于您的方案。 The client / user has supplied someone else's credentials, and server considers them "insufficient". 客户端/用户提供了其他人的凭据，服务器认为它们“不足”。