Tags: api, auth_error
ai_generated: true
401 Unauthorized: Authorization header missing 'Bearer' prefix
ID: api/oauth2-authorization-header-missing-bearer
Fix rate: 90%
Confidence: 85%
Evidence count: 1
First seen: 2023-03-15
Version compatibility
| Version | Status | Introduced | Deprecated | Notes |
|---|---|---|---|---|
| OAuth 2.0 (RFC 6750) | active | — | — | — |
| OpenID Connect 1.0 | active | — | — | — |
| Spring Security 6.0+ | active | — | — | — |
| ASP.NET Core 7+ | active | — | — | — |
Root cause analysis
The client sent a token in the Authorization header without the required 'Bearer ' scheme prefix, so the resource server rejected the request. RFC 6750 section 2.1 defines the header value as credentials = "Bearer" 1*SP b64token: the scheme name, at least one space, then the token. A value that consists only of the raw token, or that uses a different scheme name, does not parse as Bearer credentials, and per RFC 6750 section 3 the server answers with 401 and a WWW-Authenticate challenge using the Bearer scheme (usually with error="invalid_request").
Official documentation
https://datatracker.ietf.org/doc/html/rfc6750#section-2.1
Solution
- Ensure the Authorization header value starts with 'Bearer ' (the scheme name followed by a space) and then the token. Example in curl: curl -H 'Authorization: Bearer eyJhbGciOiJIUzI1NiIsInR5cCI6IkpXVCJ9...' https://api.example.com/resource
- If using a client library, check the configuration to ensure it automatically adds the 'Bearer' prefix, and do not add it a second time yourself. For example, with the requests library: headers={'Authorization': f'Bearer {token}'}
- Check the Authorization header value on the client side before sending it, to verify the prefix is present. Log only the scheme prefix or a redacted fingerprint of the value; writing the raw token to a log file turns a 401 into a credential leak.
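The following is an added example, not code from this page or from any of the libraries listed in the compatibility table. It implements the RFC 6750 check on both sides in plain Python with no third-party dependencies: a resource-server parser that accepts only well-formed Bearer credentials and returns the 401 challenge with a reason that names the specific mistake (bare token, wrong scheme, URL-encoded token), a client helper that adds the prefix exactly once and refuses tokens the server would reject, and a redacting logger for the third step above. The function names, error messages and the sample token are assumptions chosen for the example.

```python
import hashlib
import re
from typing import Optional

# RFC 6750 §2.1:  credentials = "Bearer" 1*SP b64token
#                 b64token    = 1*( ALPHA / DIGIT / "-" / "." / "_" / "~" / "+" / "/" ) *"="
# The scheme name is case-insensitive (RFC 7235 §2.1), so "bearer" is accepted;
# the space(s) after it are mandatory.
_B64TOKEN = r"[A-Za-z0-9\-._~+/]+=*"
_BEARER_RE = re.compile(rf"^Bearer +(?P<token>{_B64TOKEN})$", re.IGNORECASE)
_B64TOKEN_RE = re.compile(rf"^{_B64TOKEN}$")


class BearerError(Exception):
    """The Authorization header is not valid Bearer credentials.

    Carries the 401 response the resource server should send: RFC 6750 §3 requires
    a WWW-Authenticate challenge with the Bearer scheme, and §3.1 defines the
    'invalid_request' error code for a malformed header.
    """

    def __init__(self, message: str, error: str = "invalid_request"):
        super().__init__(message)
        self.status = 401
        self.headers = {
            "WWW-Authenticate": f'Bearer error="{error}", error_description="{message}"'
        }


def parse_bearer(authorization: Optional[str]) -> str:
    """Return the b64token from an Authorization header value, or raise BearerError."""
    if not authorization or not authorization.strip():
        raise BearerError("missing Authorization header")
    value = authorization.strip()
    m = _BEARER_RE.match(value)
    if m:
        return m.group("token")
    # Name the most common mistakes so the client can see what went wrong.
    scheme, _, rest = value.partition(" ")
    if scheme.lower() == "bearer":
        raise BearerError("value after 'Bearer' is not a b64token (URL-encoded, quoted or empty?)")
    if not rest and _B64TOKEN_RE.match(value):
        raise BearerError("Authorization header missing 'Bearer ' prefix")
    raise BearerError(f"unsupported authorization scheme: {scheme!r}")


def authorize_request(headers: dict) -> dict:
    """Resource-server check for one request's headers (assumed already case-normalised).

    Returns {'status': 200, 'token': ...} on success, otherwise
    {'status': 401, 'headers': ..., 'reason': ...} ready to be sent back.
    """
    try:
        token = parse_bearer(headers.get("Authorization"))
    except BearerError as e:
        return {"status": e.status, "headers": e.headers, "reason": str(e)}
    return {"status": 200, "token": token}


def make_auth_header(token: str) -> dict:
    """Client side: add the prefix exactly once and refuse tokens the server would
    reject anyway (e.g. URL-encoded ones), so the bug surfaces before the request."""
    if token.lower().startswith("bearer "):
        token = token[len("bearer "):].strip()  # caller already prefixed it; don't double it
    if not _B64TOKEN_RE.match(token):
        raise ValueError("token is not a b64token; send it raw, not URL-encoded or quoted")
    return {"Authorization": f"Bearer {token}"}


def redact_auth_header(value: str) -> str:
    """What a client may safely log: the scheme and a SHA-256 fingerprint, never the token."""
    scheme, _, token = value.partition(" ")
    if not token:  # no space at all: the whole value is (probably) a bare token
        scheme, token = "<no scheme>", scheme
    fingerprint = hashlib.sha256(token.encode()).hexdigest()[:8]
    return f"{scheme} sha256:{fingerprint} ({len(token)} chars)"


if __name__ == "__main__":
    # Constructed sample header values; the token is a dummy, not a real credential.
    token = "eyJhbGciOiJIUzI1NiJ9.e30.dummy"
    samples = [f"Bearer {token}", f"bearer {token}", token, f"Token {token}", "Bearer eyJ%2E%2E"]
    for hdr in samples:
        print(f"{redact_auth_header(hdr):<48} -> {authorize_request({'Authorization': hdr})}")
```

Running the block prints, for each constructed header value, the redacted form a client could log and the server's verdict: the two prefixed values (including the lowercase scheme) are accepted, the bare token is refused with the "missing 'Bearer ' prefix" reason, the 'Token' scheme and the URL-encoded token each get their own reason. The same regular expression serves both sides, so a client that uses make_auth_header cannot produce a value that parse_bearer rejects.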
Ineffective attempts
Common but ineffective approaches:
- 30% failure: The token itself is already base64-encoded (it uses the b64token character set RFC 6750 allows) and needs no further encoding; URL-encoding it may replace '+', '/' or '=' with percent sequences that the server will not accept, corrupting the token.
- 50% failure: The server strictly checks for the 'Bearer ' prefix (scheme name plus space); leaving it out still results in a 401. The scheme name is case-insensitive per RFC 7235, but not every implementation honours that, so send the canonical 'Bearer' capitalisation.
- 70% failure: Most modern OAuth 2.0 servers only recognize 'Bearer'; using 'Token' as the scheme name leads to rejection.