User Authorization Header

I know there is already plenty of content on this question, but mine is not the same as the others (similar, but not equal).

I want to hear the community's thoughts on what I am doing and see whether I can improve somewhere or not.

I am currently using Basic Authorization to log in to the endpoint, since it is simple and, combined with HTTPS, works fine for that.

Example:

GET /api/login

Authorization: Basic BASE64String(username:password)

Some of my endpoints require tokens to access the resource. I send these tokens in headers, and the headers are protected by HTTPS.

The thing is that I do not use the usual way of carrying these credentials. Below are some examples:

Example 1:

GET /api/hardware/{PUBLIC_TOKEN}/getMe

Authorization-Hardware: PRIVATE_TOKEN

The endpoint authorizes the request by the Authorization-Hardware header against the API.

Example 2:

GET /api/login/{id}

Authorization-Person: USER_TOKEN

The endpoint authorizes the request by the User Token.

The API is served over HTTPS.


EDIT: 26/03/2017

I am now using the standard form:

Authorization: <type> <value>

Example:

GET /api/login/{id}

Authorization: <type> USER_TOKEN


+4
1
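The Basic flow described in the question (GET /api/login with Authorization: Basic), as an added example that is not from the original post: the server-side parse and check in Python, handling the two details that commonly go wrong, splitting on the first colon only (RFC 7617 allows colons in the password) and comparing in constant time against a password hash rather than a stored plaintext. The user store, the salt and the credentials are constructed for the example; basic_header builds the header value the client would send.

```python
import base64
import binascii
import hashlib
import hmac
from typing import Optional, Tuple


def _hash_password(password: str, salt: bytes) -> bytes:
    # PBKDF2 so that a leaked store does not yield plaintext passwords.
    return hashlib.pbkdf2_hmac("sha256", password.encode("utf-8"), salt, 100_000)


# Constructed user store for the example: {username: (salt, pbkdf2 hash)}.
# A real store uses a random per-user salt; the fixed salt here is hypothetical.
_SALT = b"example-salt-not-for-production"
USERS = {
    "alice": (_SALT, _hash_password("s3cret:with:colons", _SALT)),
}
# Hash compared against for unknown users, so the check takes the same time either way.
_DUMMY_HASH = _hash_password("dummy", _SALT)


def basic_header(username: str, password: str) -> str:
    """Build the value the client sends: 'Basic ' + base64('user:pass') (RFC 7617)."""
    raw = f"{username}:{password}".encode("utf-8")
    return "Basic " + base64.b64encode(raw).decode("ascii")


def parse_basic(header: Optional[str]) -> Optional[Tuple[str, str]]:
    """Parse an Authorization header into (username, password); None when malformed."""
    if not header:
        return None
    scheme, _, value = header.strip().partition(" ")
    if scheme.lower() != "basic" or not value.strip():   # auth-scheme is case-insensitive
        return None
    try:
        userpass = base64.b64decode(value.strip(), validate=True).decode("utf-8")
    except (binascii.Error, ValueError):                  # bad alphabet/padding or bad UTF-8
        return None
    username, sep, password = userpass.partition(":")    # split on the FIRST colon only:
    if not sep or not username:                           # the password may itself contain ':'
        return None
    return username, password


def authenticate(header: Optional[str]) -> Optional[str]:
    """Return the username when the Basic credentials are valid, otherwise None."""
    creds = parse_basic(header)
    if creds is None:
        return None
    username, password = creds
    salt, expected = USERS.get(username, (_SALT, _DUMMY_HASH))
    ok = hmac.compare_digest(_hash_password(password, salt), expected)  # constant-time compare
    return username if ok and username in USERS else None


def challenge() -> dict:
    """Headers for the 401 response that asks the client for Basic credentials."""
    return {"WWW-Authenticate": 'Basic realm="api", charset="UTF-8"'}
```

The unknown-user path still runs PBKDF2 and a constant-time compare, so response time does not reveal which usernames exist.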

TL;DR: Use the Authorization header, because caches and proxies treat it specially; a custom header gets no such treatment.

Authorization: <type> <value> is the form that RFC7234 refers to, and it is the one that HTTP caches and proxies are required to handle specially.

Section 4.2 of RFC7235 says:

A proxy forwarding a request MUST NOT modify any Authorization fields in that request. See Section 3.2 of [RFC7234] for details of and requirements pertaining to handling of the Authorization field by HTTP caches.

Nothing of the kind is said about Authorization-* headers.

RFC7234, Section 3.2, in turn says that a shared cache must not use a cached response to a request carrying Authorization to satisfy later requests (unless a response directive explicitly allows it).

RFC7235, Section 5.1.2, item 7, says this about authentication schemes that do not use Authorization:

Therefore, new authentication schemes that choose not to carry credentials in the Authorization header field (e.g., using a newly defined header field) will need to explicitly disallow caching, by mandating the use of either Cache-Control request directives (e.g., "no-store", Section 5.2.1.5 of [RFC7234]) or response directives (e.g., "private").

Several tokens at once? You could, for example, define your own type:

Authorization: MyAuth User=USER_TOKEN/Hardware=HWTOKEN/Person=PERSONTOKEN/Basic=...

or:

Authorization: User USER_TOKEN, Hardware=HWTOKEN, Person=PERSONTOKEN, Basic=...

or even:

Authorization: User USER_TOKEN
Authorization: Hardware HWTOKEN
Authorization: Person PERSONTOKEN
Authorization: Basic ...

Note: the wording is "MAY" (conditional), so it depends on the implementation. Apache and NGINX, however, follow the HTTP RFCs.

+4
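An added example, not code from the answer, of what a server does with Authorization: <type> <value>: a parser for the credentials grammar in RFC 7235 section 2.1 (a scheme followed by either a single token68 value or comma-separated auth-params), a lookup for the User/Hardware/MyAuth types sketched above, and the Cache-Control decision that RFC 7235 section 5.1.2 item 7 requires when credentials travel in a custom header instead. The combined MyAuth form is written with the RFC's comma-separated auth-params (the slash-separated sketch above is not valid auth-param syntax, and the parser rejects it); the scheme names, header names and token values are hypothetical.

```python
import hashlib
import re
from dataclasses import dataclass, field
from typing import Dict, Optional

# Grammar from RFC 7235 section 2.1:
#   credentials = auth-scheme [ 1*SP ( token68 / #auth-param ) ]
#   auth-param  = token BWS "=" BWS ( token / quoted-string )
_TOKEN = r"[!#$%&'*+\-.^_`|~0-9A-Za-z]+"
_TOKEN68 = r"[A-Za-z0-9\-._~+/]+=*"
_AUTH_PARAM = re.compile(
    rf"\s*({_TOKEN})\s*=\s*(?:({_TOKEN})|\"((?:[^\"\\]|\\.)*)\")\s*(,|$)"
)


@dataclass
class Credentials:
    scheme: str                                           # auth-scheme, lower-cased (case-insensitive)
    token68: Optional[str] = None                         # single opaque value (Basic, User, ...)
    params: Dict[str, str] = field(default_factory=dict)  # auth-params, names lower-cased


def parse_authorization(header: str) -> Optional[Credentials]:
    """Parse one Authorization field value; None on any syntax error."""
    m = re.fullmatch(rf"\s*({_TOKEN})(?:\s+(.*?))?\s*", header, flags=re.DOTALL)
    if not m:
        return None
    scheme, rest = m.group(1).lower(), m.group(2) or ""
    if not rest:
        return Credentials(scheme)
    if re.fullmatch(_TOKEN68, rest):
        return Credentials(scheme, token68=rest)
    params: Dict[str, str] = {}
    pos = 0
    while pos < len(rest):
        pm = _AUTH_PARAM.match(rest, pos)
        if not pm:                                        # e.g. the '/'-separated sketch
            return None
        name = pm.group(1).lower()
        value = pm.group(2) if pm.group(2) is not None else re.sub(r"\\(.)", r"\1", pm.group(3))
        if name in params:                                # RFC 7235 2.1: no duplicate parameters
            return None
        params[name] = value
        pos = pm.end()
    return Credentials(scheme, params=params)


def _h(token: str) -> str:
    return hashlib.sha256(token.encode("utf-8")).hexdigest()


# Constructed token store (hypothetical values): only hashes of tokens are kept,
# so a leaked table does not hand out usable credentials.
TOKENS = {
    ("user", _h("USER_TOKEN")): "user:42",
    ("hardware", _h("HWTOKEN")): "device:7",
}


def identify(creds: Optional[Credentials]) -> Optional[str]:
    """Resolve 'User <token>' / 'Hardware <token>' or the combined
    'MyAuth User=<token>, Hardware=<token>' form to a principal; None if any token is unknown."""
    if creds is None:
        return None
    if creds.scheme in ("user", "hardware"):
        return TOKENS.get((creds.scheme, _h(creds.token68))) if creds.token68 else None
    if creds.scheme == "myauth" and creds.params:
        found = [TOKENS.get((k, _h(v))) for k, v in creds.params.items()]
        return "+".join(found) if all(found) else None
    return None


def response_cache_headers(request_headers: Dict[str, str]) -> Dict[str, str]:
    """Decide the Cache-Control the server must add (RFC 7235 5.1.2 item 7)."""
    names = {k.lower() for k in request_headers}
    if any(n.startswith("authorization-") for n in names):
        # A custom Authorization-* field gets no special treatment: without this,
        # a shared cache may serve the response to another client.
        return {"Cache-Control": "no-store"}
    if "authorization" in names:
        # RFC 7234 3.2 already forbids reuse by shared caches; being explicit costs nothing.
        return {"Cache-Control": "private"}
    return {}
```

One caveat on the last variant above (four separate Authorization lines): RFC 7230 section 3.2.2 only allows a field name to be repeated when its value is defined as a comma-separated list, and credentials is a single production, so a recipient may combine or drop the repeats. Carry everything in one field, as the combined form does.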

Source: https://habr.com/ru/post/1671335/

