我正在使用PHP制作授权系统,并遇到了通过Bearer方案传递JWT令牌的问题,我阅读了[RFC 6750][1]。我有以下疑问:
Authorization:Bearer fdbghfbfgbjhg_something,服务器应该如何处理它,decodeFunc(explode(" ", $this->getRequest()->getHeader("Authorization"))[1])?
[1]:https://www.rfc-editor.org/rfc/rfc67501.提高安全性,因为如果令牌未发送到头文件而是发送到URL中,则会被网络系统记录在服务器日志中....
2.获取Bearer令牌的好方法。
/**
* Get header Authorization
* */
function getAuthorizationHeader(){
$headers = null;
if (isset($_SERVER['Authorization'])) {
$headers = trim($_SERVER["Authorization"]);
}
else if (isset($_SERVER['HTTP_AUTHORIZATION'])) { //Nginx or fast CGI
$headers = trim($_SERVER["HTTP_AUTHORIZATION"]);
} elseif (function_exists('apache_request_headers')) {
$requestHeaders = apache_request_headers();
// Server-side fix for bug in old Android versions (a nice side-effect of this fix means we don't care about capitalization for Authorization)
$requestHeaders = array_combine(array_map('ucwords', array_keys($requestHeaders)), array_values($requestHeaders));
//print_r($requestHeaders);
if (isset($requestHeaders['Authorization'])) {
$headers = trim($requestHeaders['Authorization']);
}
}
return $headers;
}
/**
* get access token from header
* */
function getBearerToken() {
$headers = getAuthorizationHeader();
// HEADER: Get the access token from the header
if (!empty($headers)) {
if (preg_match('/Bearer\s(\S+)/', $headers, $matches)) {
return $matches[1];
}
}
return null;
}
/Bearer\s((.*)\.(.*)\.(.*))/
你可以使用 matches[1] 来访问它。
这是JWT令牌的结构,请参见:https://jwt.io/
$headers将会有类似于Bearer <space> <AuthToken>的格式,那么现在,仅仅通过空格来分割字符串并获取实际的token是正确的吗?还是应该将整个字符串(Bearer <space> <token>)作为一个整体来处理? - Ashish RanjangetAuthorizationHeader函数。认证令牌可以存储在Authorization,HTTP_AUTHORIZATION或apache_request_headers函数中,具体取决于您的服务器版本。 - Ngô Văn Thao