问题
My REST service uses OAuth 2.0 authentication. I want to test some GET URLs using the browser (without using a client). Can I pass the bearer token in the URL ? URL : www.example.com/employee/employeeId
回答1:
You can pass it in the access_token query parameter, see https://tools.ietf.org/html/rfc6750#section-2.3, but as noted in the other answer, it is not the preferred way of passing a token. It may end up in logs, browser cache etc. On this method the spec says:
Because of the security weaknesses associated with the URI method
(see Section 5), including the high likelihood that the URL
containing the access token will be logged, it SHOULD NOT be used
unless it is impossible to transport the access token in the
"Authorization" request header field or the HTTP request entity-body. Resource servers MAY support this method.This method is included to document current use; its use is not
recommended, due to its security deficiencies (see Section 5) and
also because it uses a reserved query parameter name, which is
counter to URI namespace best practices, per "Architecture of the
World Wide Web, Volume One" [W3C.REC-webarch-20041215].
So you should also be aware that the Resource Server (or API) may not even support this method of token passing. The only method that is mandatory to implement is the Authorization header method.
回答2:
You most certainly can.
Ses facebook graph API. But be aware that it is not recommended since users may sent these urls as email or messages. Oauth 2.0 spec writes about it.
来源:https://stackoverflow.com/questions/29926041/specify-oauth-token-in-get-url