我正在构建一个具有两个方面的应用程序:客户端(iPhone)和服务器(PHP)。使用 https 进行通信。手机获得 4SQ 访问令牌。然后,它将该令牌发送到服务器,服务器将使用它进行 4SQ API 调用。我的问题是关于如何发送这个令牌。
我的想法是将令牌包含在 HTTP 身份验证请求的标头中,但是在阅读了基本/摘要身份验证之后,我怀疑这不是这样做的方式。实际上,对 4SQ API 的调用是使用请求参数完成的
oauth_token=ACCESS_TOKEN
而不是将令牌放在身份验证标头或任何其他地方。我确信这是有充分理由的,但我找不到。
那么,哪个选项是最好的呢?
非常感谢,并致以最诚挚的问候
I think the most secure and reasonable way would be a HTTPS POST. When the token is part of the query string in a HTTPS request, it is also encrypted. But it will appear clear text in the server log, or, when a browser is used, it could also appear in the browser history. Depending on the HTTP helper library, it could also log the HTTPS URL, when, for example, a request fails.
In my eyes, sending the token in the Authentication header would be strange, since it is not used for authentication between the server and the client.