Welcome to OGeek Q&A Community for programmer and developer-Open, Learning and Share
Welcome To Ask or Share your Answers For Others

Categories

0 votes
1.0k views
in Technique[技术] by (71.8m points)

http - How should a client pass a facebook access token to the server?

On every call to my REST API, I require clients to pass user's facebook access token, which authenticates the user. What's best practice for passing this token?

  1. maybe as a parameter behind the HTTP question mark

    GET /api/users/123/profile?access_token=pq8pgHWX95bLZCML
    
  2. or somehow in the header of the request, similarly to HTTP basic authentication

  3. maybe a third option? (I've excluded passing it in a JSON because I want the token get passed in GET calls as well, so JSON wouldn't fit there I think)
See Question&Answers more detail:os

与恶龙缠斗过久,自身亦成为恶龙;凝视深渊过久,深渊将回以凝视…
Welcome To Ask or Share your Answers For Others

1 Reply

0 votes
by (71.8m points)

If you look at the API endpoints provided by all popular OAuth providers (Google, Facebook, Pocket, Git etc), you'd see that they all have HTTPS endpoints.

The ways in which you can pass an access token to the provider are -

i) As Query Parameter -

https://yourwebsite.com/api/endpoint?access_token=YOUR_ACCESS_TOKEN

ii) In the request header -

 GET /api/users/123/profile HTTP/1.1
 Host: yourwebsite.com
 Date: Tue, 14 May 2013 12:00:00 GMT
 Authorization: <YOUR_ACCESS_TOKEN>

These two are approaches that are generally supported by most APIs. You can think of doing the same.

iii) Pocket API does not use GET at all. They use POST for all their requests, even for retrieving data. Check this link to see their documentation. Notice that they use POST for retrieving data and pass JSON parameters.


与恶龙缠斗过久,自身亦成为恶龙;凝视深渊过久,深渊将回以凝视…
OGeek|极客中国-欢迎来到极客的世界,一个免费开放的程序员编程交流平台!开放,进步,分享!让技术改变生活,让极客改变未来! Welcome to OGeek Q&A Community for programmer and developer-Open, Learning and Share
Click Here to Ask a Question

...