What is the standard way to respond so that a client can tell whether its token is invalid/revoked or it is simply trying to access a resource it is not authorized for? Use 401 for both? Should I use a custom body?
Answer 0: (score: 1)
Having an invalid or revoked token is basically the same as not having a token. This is typically indicated with the HTTP 401 Unauthorized status code. It means: we cannot establish who you are. (Unauthorized should really have been "unauthenticated".)
The HTTP 403 Forbidden response means: we know who you are (you are authenticated), but you do not have permission to access the requested resource.
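The 401/403 split described in the answer, as an added example that is not part of the original answer: a bearer-token check that returns 401 for a missing, unknown or revoked token (with the RFC 6750 `WWW-Authenticate` challenge) and 403 only once the caller is authenticated but lacks the required scope. The token store, scope names and paths are constructed sample data.

```python
"""Separate 'who are you?' (401) from 'you may not' (403) for a bearer-token API."""
from dataclasses import dataclass

@dataclass(frozen=True)
class TokenRecord:
    subject: str
    scopes: frozenset
    revoked: bool = False

# Constructed token store; stands in for JWT verification or an introspection endpoint.
TOKENS = {
    "tok-alice": TokenRecord("alice", frozenset({"read:reports"})),
    "tok-bob-revoked": TokenRecord("bob", frozenset({"read:reports", "write:reports"}), revoked=True),
}

# Constructed (method, path) -> required scope map.
REQUIRED_SCOPE = {
    ("GET", "/reports"): "read:reports",
    ("POST", "/reports"): "write:reports",
}

def authorize(method, path, authorization_header):
    """Return (status, headers, body).

    401: no usable identity (missing, unknown or revoked token). The RFC 6750
         challenge lets the client tell 'no token sent' from 'token rejected'.
    403: identity established, but the token lacks the scope for this resource.
    """
    if not authorization_header or not authorization_header.startswith("Bearer "):
        return 401, {"WWW-Authenticate": 'Bearer realm="api"'}, {"error": "missing_token"}
    token = authorization_header[len("Bearer "):]
    record = TOKENS.get(token)
    if record is None or record.revoked:
        # Unknown and revoked tokens get the same response: neither establishes an identity,
        # and the client should not learn whether the token ever existed.
        challenge = 'Bearer realm="api", error="invalid_token"'
        return 401, {"WWW-Authenticate": challenge}, {"error": "invalid_token"}
    required = REQUIRED_SCOPE.get((method, path))
    if required is None:
        return 404, {}, {"error": "not_found"}
    if required not in record.scopes:
        # Authenticated, but not permitted: 403 with the scope the token would need.
        challenge = f'Bearer realm="api", error="insufficient_scope", scope="{required}"'
        return 403, {"WWW-Authenticate": challenge}, {"error": "insufficient_scope"}
    return 200, {}, {"subject": record.subject}
```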