How do you determine if a REST webservice is using Basic, Kerberos, NTLM, or one of the many other authentication methods?
You can use https://www.getpostman.com/apps to find out the type of authentication. Hit the URL once from this, then from the errors you will get to know the type of authentication.
You can retrieve a string property called AuthenticationType on your user's identity object: User.Identity.AuthenticationType. This should be the accepted answer, as I have several types of authentication methods enabled and working on my site.
There are two types of headers: the WWW-Authenticate header and the Proxy Authentication header. The header syntax looks like this: WWW-Authenticate: <type> realm=<realm>
When you send an unauthenticated request, the service has to respond with an "HTTP/1.1 401 Unauthorized", and the response contains a WWW-Authenticate header that specifies what authentication scheme is expected (Basic, Digest), the security realm and any other specific value (like Digest's nonce). So if the server responds with:
HTTP/1.0 401 Unauthorized
WWW-Authenticate: Digest realm="example.com",
qop="auth,auth-int",
nonce="...",
opaque="..."
it wants a Digest authentication. If the response looks like:
HTTP/1.0 401 Unauthorized
WWW-Authenticate: Basic realm="example.com"
then it wants a Basic authentication. Some (poorly) implemented servers/sites don't handle the Basic correctly and respond directly with 403 Forbidden instead of challenging first.
NTLM is similar in that the server responds with a 401 and a WWW-Authenticate header with the value NTLM, but there is no official public spec for it, since it is Microsoft proprietary. There are various reverse-engineered descriptions.
Unfortunately REST does not come with a WSDL style description of service to discover the authentication scheme used a priori.
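As an added example (not part of any answer above), this Python sketch reads the challenge described in the last answer out of a raw response: it unfolds continuation lines, collects every WWW-Authenticate header, and reports each offered scheme, or nothing when the server answers 403 without challenging. The sample responses are constructed, and the Negotiate scheme (the HTTP scheme used for Kerberos/SPNEGO) is not mentioned on the page.

```python
import re
# auth-param: name=token or name="quoted string"; a token68 such as "abc==" does not match.
PARAM = re.compile(r'^([\w-]+)\s*=\s*("(?:[^"\\]|\\.)*"|[^=\s"]+)$')

def split_outside_quotes(value):  # split on commas that are not inside a quoted string
    parts, buf, quoted, escaped = [], '', False, False
    for ch in value:
        if ch == '"' and not escaped:
            quoted = not quoted
        escaped = quoted and ch == '\\' and not escaped
        if ch == ',' and not quoted:
            parts.append(buf)
            buf = ''
        else:
            buf += ch
    return [p.strip() for p in parts + [buf] if p.strip()]

def parse_challenges(value):  # one header value -> list of challenge dicts
    out = []
    for part in split_outside_quotes(value):
        m = PARAM.match(part)
        if m and out:  # bare name=value continues the previous challenge
            out[-1]['params'][m.group(1).lower()] = m.group(2).strip('"')
            continue
        scheme, _, rest = part.partition(' ')
        m = PARAM.match(rest.strip())
        params = {m.group(1).lower(): m.group(2).strip('"')} if m else {}
        out.append({'scheme': scheme, 'params': params,
                    'token68': '' if m else rest.strip()})
    return out

def challenges(raw):
    """Raw HTTP response -> (status code, challenges from every WWW-Authenticate header)."""
    lines = raw.replace('\r\n', '\n').split('\n\n', 1)[0].split('\n')
    headers = []
    for line in lines[1:]:
        if line[:1] in (' ', '\t') and headers:  # folded continuation line
            headers[-1][1] += ' ' + line.strip()
        else:
            name, _, val = line.partition(':')
            headers.append([name.strip().lower(), val.strip()])
    found = [c for n, v in headers if n == 'www-authenticate' for c in parse_challenges(v)]
    return int(lines[0].split()[1]), found

# Constructed sample responses (not captured from a real server).
DIGEST = ('HTTP/1.0 401 Unauthorized\r\nWWW-Authenticate: Digest realm="example.com",\r\n'
          ' qop="auth,auth-int",\r\n nonce="...",\r\n opaque="..."\r\n\r\n')
WINDOWS = 'HTTP/1.1 401 Unauthorized\r\nWWW-Authenticate: Negotiate\r\nWWW-Authenticate: NTLM\r\n\r\n'
NO_CHALLENGE = 'HTTP/1.1 403 Forbidden\r\nContent-Length: 0\r\n\r\n'
```

A server may offer several schemes at once, either as separate headers or comma-separated in one, so treat the result as a list and pick the strongest scheme the client supports.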