问题描述

我的REST服务使用OAuth 2.0身份验证.我想使用浏览器(不使用客户端)测试一些GET URL.我可以在URL中传递不记名令牌吗?网址:www.example.com/employee/employeeId

My REST service uses OAuth 2.0 authentication. I want to test some GET URLs using the browser (without using a client). Can I pass the bearer token in the URL ?URL : www.example.com/employee/employeeId

推荐答案

您可以在 access_token 查询参数中传递它，请参见 https://tools.ietf.org/html/rfc6750#section-2.3 ，但是在其他答案中指出，这不是首选方式令牌的传递.它可能最终出现在日志，浏览器缓存等中.在这种方法下，规范说:

You can pass it in the access_token query parameter, see https://tools.ietf.org/html/rfc6750#section-2.3, but as noted in the other answer, it is not the preferred way of passing a token. It may end up in logs, browser cache etc. On this method the spec says:

此方法用于记录当前使用情况；它的用途不是
建议，因为其安全性不足(请参阅第5节)，并且
也因为它使用保留的查询参数名称，即
柜台URI命名空间的最佳实践，每的点击建筑万维网，第一卷" [W3C.REC-webarch-20041215].

This method is included to document current use; its use is not
recommended, due to its security deficiencies (see Section 5) and
also because it uses a reserved query parameter name, which is
counter to URI namespace best practices, per "Architecture of the
World Wide Web, Volume One" [W3C.REC-webarch-20041215].

因此，您还应该注意，资源服务器(或API)甚至可能不支持这种令牌传递方法.唯一必须实施的方法是Authorization标头方法.

So you should also be aware that the Resource Server (or API) may not even support this method of token passing. The only method that is mandatory to implement is the Authorization header method.

这篇关于在GET URL中指定OAuth令牌的文章就介绍到这了，希望我们推荐的答案对大家有所帮助，也希望大家多多支持！