Specify OAuth token in GET URL

匆匆过客 提交于 2021-01-27 07:11:43

问题


My REST service uses OAuth 2.0 authentication. I want to test some GET URLs using the browser (without using a client). Can I pass the bearer token in the URL ? URL : www.example.com/employee/employeeId


回答1:


You can pass it in the access_token query parameter, see https://tools.ietf.org/html/rfc6750#section-2.3, but as noted in the other answer, it is not the preferred way of passing a token. It may end up in logs, browser cache etc. On this method the spec says:

Because of the security weaknesses associated with the URI method
(see Section 5), including the high likelihood that the URL
containing the access token will be logged, it SHOULD NOT be used
unless it is impossible to transport the access token in the
"Authorization" request header field or the HTTP request entity-body. Resource servers MAY support this method.

This method is included to document current use; its use is not
recommended, due to its security deficiencies (see Section 5) and
also because it uses a reserved query parameter name, which is
counter to URI namespace best practices, per "Architecture of the
World Wide Web, Volume One" [W3C.REC-webarch-20041215].

So you should also be aware that the Resource Server (or API) may not even support this method of token passing. The only method that is mandatory to implement is the Authorization header method.




回答2:


You most certainly can.

Ses facebook graph API. But be aware that it is not recommended since users may sent these urls as email or messages. Oauth 2.0 spec writes about it.



来源:https://stackoverflow.com/questions/29926041/specify-oauth-token-in-get-url

易学教程内所有资源均来自网络或用户发布的内容,如有违反法律规定的内容欢迎反馈
该文章没有解决你所遇到的问题?点击提问,说说你的问题,让更多的人一起探讨吧!