发表新帖
发表新帖

What should I pass for the WWW-Authenticate header on 401s if I'm only using OpenID?

后端 未结
关注
2 617
梦毁少年i
梦毁少年i 2020-12-24 11:48

The HTTP spec states:

10.4.2 401 Unauthorized

The request requires user authentication. The response MUST include a WWW-A

相关标签:
2条回答
  • 陌清茗
    2020-12-24 12:19

    According to RFC2617 the auth-scheme can be anything; if you really want a 401 you're not technically breaking spec by making something up like WWW-Authenticate: OpenID realm="My Realm" location="http://my/login/location". Having said that, behaviour of other people's code when you do that is of course undefined. :-)

    0 讨论(0)
  • 有刺的猬
    2020-12-24 12:34

    There is an OAuth Discovery spec that would indicate what to put into the WWW-Authenticate header -- if the spec were not obsolete without a replacement spec yet.

    0 讨论(0)
 看不清?
提交回复
热议问题