Logo Questions Linux Laravel Mysql Ubuntu Git Menu
 

Authorization in RESTful HTTP API, 401 WWW-Authenticate

I'm creating a RESTful service to provide data to a web application. I have two related questions about this.

1. How to deal with unauthorized requests?

I'm intending to respond to requests with the following codes:

  • Is the resource open and found? 200 OK
  • Do you need to be authenticated to access the resources? 401 Unauthorized
  • Don't you have access to a category of resources? 403 Forbidden
  • Do you have access to a category of resources, but not to this specific resource? 404 Not Found to prevent people from getting to know the existance of a resource they do not have access to.
  • Doesn't the resource exist? 404 Not Found

Is this a recommended way for a RESTful service to behave?

2. What WWW-Authenticate header should 401 responses supply?

I read on Wikipedia (probably not the most accurate resource, but it works for me) that a 401 response must include a WWW-Authenticate header, however upon further searching I couldn't really find any resource that stated what this value means and what it should be.

I found several SO questions and forum topics about this header and they all seem to be about OAuth, suggest against using 401 status codes or say you can just make something up.

What is the correct value this header should contain?

like image 914
Aidiakapi Avatar asked Jul 16 '13 22:07

Aidiakapi


People also ask

What is www authenticate used for?

The HTTP WWW-Authenticate response header defines the HTTP authentication methods ("challenges") that might be used to gain access to a specific resource. Note: This header is part of the General HTTP authentication framework, which can be used with a number of authentication schemes.

How do I authenticate a RESTful web service?

Use of basic authentication is specified as follows: The string "Basic " is added to the Authorization header of the request. The username and password are combined into a string with the format "username:password", which is then base64 encoded and added to the Authorization header of the request.

What is www authenticate bearer?

Bearer authentication (also called token authentication) is an HTTP authentication scheme that involves security tokens called bearer tokens.


1 Answers

To answer your questions:

How to deal with unauthorized requests?

The way you described it is pretty much the recommended way for a RESTful service. As far as I can see there is absolutely nothing wrong with that.

What WWW-Authenticate header should 401 responses supply?

In general the WWW-Authenticate header tells the client what kind of authentication the server will accept. If the client makes an unauthorized request, which means he is sending a request with a missing or invalid Authorization header, the server will use WWW-Authenticate to tell the client what authentication scheme he will accept (i.e. Basic, Digest or OAuth) and for what realm.

Imagine it like some kind of identification question or challenge on the part of the server, i.e. something like "Who are you?" or "Prove who you are by providing credentials in the following way!".

For Example: WWW-Authenticate: Basic realm="My App"

Here the server tells the client that he uses an authentication scheme named Basic. The realm is nothing more than some string that identifies a protected space on the server.

like image 93
benjiman Avatar answered Sep 22 '22 08:09

benjiman