Updated: 2023-12-06 09:36:16
Basic authentication is not a good protocol for securing web APIs as I tried to explain in my answers here and here.
It's okay to support it for things like test automation, etc., but I would not use it in production. You will have a hard time keeping the password secret, as neither JavaScript nor mobile clients can be trusted to keep secrets.
It's not clear to me why email addresses are not unique across organizations. Are you not sending the part after the at-sign ('@')?
You cannot introduce another field in the Basic authentication credentials field. According to RFC 7235, the credentials field can only contain:
credentials = auth-scheme [ 1*SP ( token68 / #auth-param ) ]
I would look into a security-token-based authentication scheme, such as using JWT tokens.
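The grammar quoted in the answer is what decides whether an extra "organization" field can ride along in the Authorization header: the part after the scheme is either one opaque token68 blob (what Basic uses) or a comma-separated list of name=value auth-params, never both. The following is an added example, not code from the answer above; it parses an Authorization value against that grammar, decodes Basic credentials as RFC 7617 defines them, and shows that the only place left for tenant information is inside the user-id itself. The convention of using the full e-mail address as user-id and taking the organization from its domain, and the function names, are assumptions made for this example.

```python
import base64
import binascii
import re
from typing import Dict, Optional, Tuple, Union

# Grammar from RFC 7235 section 2.1 (token from RFC 7230 section 3.2.6):
#   credentials = auth-scheme [ 1*SP ( token68 / #auth-param ) ]
#   auth-scheme = token
#   auth-param  = token BWS "=" BWS ( token / quoted-string )
#   token68     = 1*( ALPHA / DIGIT / "-" / "." / "_" / "~" / "+" / "/" ) *"="
TOKEN = r"[!#$%&'*+\-.^_`|~0-9A-Za-z]+"
TOKEN68 = r"[A-Za-z0-9\-._~+/]+=*"
QUOTED_STRING = r'"(?:[^"\\]|\\.)*"'

_CREDENTIALS_RE = re.compile(rf"^({TOKEN})(?: +(.*))?$")
_TOKEN68_RE = re.compile(rf"^{TOKEN68}$")
# One list element: an auth-param followed by a comma or the end of the value.
_AUTH_PARAM_RE = re.compile(
    rf"[ \t]*({TOKEN})[ \t]*=[ \t]*({TOKEN}|{QUOTED_STRING})[ \t]*(?:,|$)"
)


class MalformedCredentials(ValueError):
    """The header value does not match the RFC 7235 credentials grammar."""


def parse_credentials(value: str) -> Tuple[str, Union[str, Dict[str, str], None]]:
    """Return (scheme, token68) or (scheme, {name: value}) or (scheme, None)."""
    m = _CREDENTIALS_RE.match(value.strip())
    if not m:
        raise MalformedCredentials("missing or malformed auth-scheme")
    scheme, rest = m.group(1), (m.group(2) or "").strip()
    if not rest:
        return scheme, None
    if _TOKEN68_RE.match(rest):  # a single opaque blob, as Basic and Bearer use
        return scheme, rest
    return scheme, _parse_auth_params(rest)  # otherwise it must be name=value pairs


def _parse_auth_params(rest: str) -> Dict[str, str]:
    params: Dict[str, str] = {}
    pos = 0
    while pos < len(rest):
        m = _AUTH_PARAM_RE.match(rest, pos)
        if not m:
            # This is where "Basic <blob> org=acme" fails: a token68 blob
            # cannot be followed by, or mixed with, auth-params.
            raise MalformedCredentials(f"not token68 and not auth-param at {rest[pos:]!r}")
        name, raw = m.group(1).lower(), m.group(2)
        if raw.startswith('"'):
            raw = re.sub(r"\\(.)", r"\1", raw[1:-1])  # undo quoted-pair escapes
        if name in params:
            raise MalformedCredentials(f"duplicate auth-param {name!r}")
        params[name] = raw
        pos = m.end()
    return params


def encode_basic(user_id: str, password: str) -> str:
    """RFC 7617: token68 = base64(user-id ':' password); the user-id may not contain ':'."""
    if ":" in user_id:
        raise ValueError("user-id must not contain ':'")
    return base64.b64encode(f"{user_id}:{password}".encode("utf-8")).decode("ascii")


def decode_basic(token68: str) -> Tuple[str, str]:
    """Inverse of encode_basic; only the first ':' separates user-id from password."""
    try:
        raw = base64.b64decode(token68, validate=True).decode("utf-8")
    except (binascii.Error, UnicodeDecodeError) as exc:
        raise MalformedCredentials("Basic credentials are not valid base64 text") from exc
    if ":" not in raw:
        raise MalformedCredentials("Basic credentials lack the ':' separator")
    user_id, password = raw.split(":", 1)
    return user_id, password


def authenticate_basic(header_value: str) -> Optional[Dict[str, str]]:
    """Accept only well-formed Basic credentials; return None on anything else.

    The grammar leaves no room for an extra field, so the organization has to
    travel inside the user-id. Assumed convention for this example: the user-id
    is the full e-mail address and the organization is its domain part.
    """
    try:
        scheme, payload = parse_credentials(header_value)
        if scheme.lower() != "basic" or not isinstance(payload, str):
            return None
        user_id, password = decode_basic(payload)
    except MalformedCredentials:
        return None
    if "@" not in user_id:
        return None  # without the domain part there is no organization to resolve
    org = user_id.rsplit("@", 1)[1].lower()
    return {"user_id": user_id, "org": org, "password": password}


if __name__ == "__main__":
    # Constructed sample values, not captured traffic.
    print(parse_credentials("Basic " + encode_basic("alice@acme.example", "s3cret")))
    print(authenticate_basic("Basic " + encode_basic("alice@acme.example", "s3cret")))
    print(authenticate_basic("Basic dXNlcjpwYXNz org=acme"))  # rejected: mixed forms
```

Run as a script to see a valid header parsed, the tenant recovered from the e-mail domain, and the "extra field" variant rejected. The password check itself is deliberately left to whatever credential store sits behind `authenticate_basic`; the point here is that the header grammar, not the application, fixes what can be transported.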