What is a good HTTP status code to return for an expired password?
When a password is expired, what should a REST API return? I mean: the username and password are correct, but expired.
Here I found:
The mechanisms for expiring or revoking credentials can be specified as part of an authentication scheme definition.
Is there a specification about what the right and/or correct HTTP status code for expired credentials is? Is an HTTP status code a good way to handle credential expiration?
An expired password is a password that the server must not accept and .
So if you are using HTTP authentication (sending credentials in the Authorization header), you can use 401 with a descriptive payload.
Here are some quotes from RFC 7235, the reference for authentication in HTTP/1.1:
The Authorization header field allows a user agent to authenticate itself with an origin server -- usually, but not necessarily, after receiving a 401 (Unauthorized) response. Its value consists of credentials containing the authentication information of the user agent for the realm of the resource being requested.
Authorization = credentials
[...]
The 401 (Unauthorized) status code indicates that the request has not been applied because it lacks valid authentication credentials for the target resource. The server generating a 401 response MUST send a WWW-Authenticate header field containing at least one challenge applicable to the target resource.
If the request included authentication credentials, then the 401 response indicates that authorization has been refused for those credentials. [...]