[英]Why Doesn't my Authorization Header need "Bearer"?
I am currently working with a group of applications that are running on two separate, but equivalent, environments (Referred to as ENV1
and ENV2
).我目前正在处理一组在两个独立但等效的环境(称为
ENV1
和ENV2
)上运行的应用程序。 I have been using OAuth 2.0 for Authorization and when I receive a response after requesting an access token from the OAuth service (I am making my requests through Postman) I get a response that looks like this from ENV1
and ENV2
:我一直在使用 OAuth 2.0 进行授权,当我在从 OAuth 服务请求访问令牌后收到响应时(我通过 Postman 发出请求),我从
ENV1
和ENV2
收到如下所示的响应:
As far as I am aware, I believe that this "token_type": "Bearer"
means that when I send in the access_token
to my application I need to do so like this:据我所知,我相信这个
"token_type": "Bearer"
意味着当我将access_token
发送到我的应用程序时,我需要这样做:
By sending in the token through the Authorization
header, prefixed with "Bearer".通过
Authorization
header 发送令牌,前缀为“Bearer”。 This approach works fine on ENV1
but on ENV2
the request fails unless I send in the token alone with no "Bearer" prefix:这种方法在
ENV1
上运行良好,但在ENV2
上请求失败,除非我单独发送没有“Bearer”前缀的令牌:
If I send in the Authorization
header with the "Bearer" prefix, I get a 401 Unauthorized
error as the response.如果我发送带有“Bearer”前缀的
Authorization
header,我会收到401 Unauthorized
错误作为响应。 This is the help tip that Postman provides(Emphasis mine):这是Postman提供的帮助提示(强调我的):
Similar to 403 Forbidden, but specifically for use when authentication is possible but has failed or not yet been provided.
类似于 403 Forbidden,但专门用于身份验证可能但失败或尚未提供的情况。 The response must include a WWW-Authenticate header field containing a challenge applicable to the requested resource.
响应必须包括 WWW-Authenticate header 字段,其中包含适用于所请求资源的质询。
The problem here is that there IS a WWW-Authenticate
header field, and it contains "Bearer", which I would assume is a "challenge applicable to the requested resource" seeing as the token response contained "token_type": "Bearer"
:这里的问题是有一个
WWW-Authenticate
header字段,它包含“Bearer”,我认为这是一个“适用于所请求资源的挑战”,因为令牌响应包含"token_type": "Bearer"
:
From your description, it seems that the environments are not actually identical.根据您的描述,似乎环境实际上并不相同。 Eg maybe ENV2 is behind a gateway that adds the
Bearer
prefix to the header. Or the API on ENV2 (or the gateway) is configured to read the header without the prefix.例如,ENV2 可能位于将
Bearer
前缀添加到 header 的网关后面。或者 ENV2(或网关)上的 API 配置为读取没有前缀的 header。
When the OAuth Server returns the access token, it gives you the type - a bearer
token.当 OAuth 服务器返回访问令牌时,它会为您提供类型 -
bearer
令牌。 That type means, that the token is just this - a bearer token - as opposed to a Proof-of-Possession token.该类型意味着,令牌就是这个 - 不记名令牌 - 而不是所有权证明令牌。 When you send a bearer token to an API, you don't have to provide any additional information that would prove that you are the owner of the token.
当您将不记名令牌发送到 API 时,您无需提供任何其他信息来证明您是令牌的所有者。 (you can compare bearer with the DPoP standard)
(你可以将 bearer 与DPoP标准进行比较)
The Bearer Token Usage standard does require you to use the prefix Bearer
in the authorization header (as you pointed out), but it doesn't mean that all the APIs and gateways implement that standard correctly, or that they use that standard at all. Bearer Token Usage 标准确实要求您在授权 header 中使用前缀
Bearer
(正如您所指出的),但这并不意味着所有 API 和网关都正确地实现了该标准,或者它们根本不使用该标准。
To summarize:总结一下:
声明:本站的技术帖子网页,遵循CC BY-SA 4.0协议,如果您需要转载,请注明本站网址或者原文地址。任何问题请咨询:yoyou2525@163.com.