php – 如何正确使用Bearer令牌?
作者:互联网
我正在用PHP创建一个授权系统,我遇到了传递JWT令牌的Bearer方案,我读了RFC 6750.我有以下疑问:
>这是如何改善安全性的?
>成功授权和登录后,服务器在客户端使用JWT令牌响应客户端,现在当客户端发出另一个请求时,我不清楚如何实际执行此操作,我想在客户端的Authorization头中发送令牌请求,所以现在我应该只将“Bearer”作为我在服务器上一个响应中收到的令牌前缀,如果是,则服务器在接收Authorization标头时,应该只用空格分割字符串,然后取第二个值从获得的数组然后解码吗?例如Authorization:Bearer fdbghfbfgbjhg_something,服务器应该如何处理这个,decodeFunc(explode(“”,$this-> getRequest() – > getHeader(“Authorization”))[1])?
解决方法:
1.提高安全性,因为如果在url中发送的标头中没有发送令牌,它将被网络系统记录,服务器日志….
2.获得Bearer令牌的良好功能
/**
* Get header Authorization
* */
function getAuthorizationHeader(){
$headers = null;
if (isset($_SERVER['Authorization'])) {
$headers = trim($_SERVER["Authorization"]);
}
else if (isset($_SERVER['HTTP_AUTHORIZATION'])) { //Nginx or fast CGI
$headers = trim($_SERVER["HTTP_AUTHORIZATION"]);
} elseif (function_exists('apache_request_headers')) {
$requestHeaders = apache_request_headers();
// Server-side fix for bug in old Android versions (a nice side-effect of this fix means we don't care about capitalization for Authorization)
$requestHeaders = array_combine(array_map('ucwords', array_keys($requestHeaders)), array_values($requestHeaders));
//print_r($requestHeaders);
if (isset($requestHeaders['Authorization'])) {
$headers = trim($requestHeaders['Authorization']);
}
}
return $headers;
}
/**
* get access token from header
* */
function getBearerToken() {
$headers = getAuthorizationHeader();
// HEADER: Get the access token from the header
if (!empty($headers)) {
if (preg_match('/Bearer\s(\S+)/', $headers, $matches)) {
return $matches[1];
}
}
return null;
}
标签:bearer-token,php,authentication,oauth,http-headers 来源: https://codeday.me/bug/20190930/1834861.html