determining web http authentication methods

How do you determine if a REST webservice is using Basic, Kerberos, NTLM, or one of the many other authentication methods?

Seph asked Aug 11 '10 23:08



1 Answer

When you send an unauthenticated request the service has to respond with an "HTTP/1.1 401 Unauthorized" and the response contains a WWW-Authenticate header that specifies what authentication scheme is expected (Basic, Digest), the security realm and any other specific value (like Digest's nonce). So if the server responds with:

HTTP/1.0 401 Unauthorized
WWW-Authenticate: Digest realm="example.com",
                        qop="auth,auth-int",
                        nonce="...",
                        opaque="..."

it wants a Digest authentication. If the response looks like:

HTTP/1.0 401 Unauthorized
WWW-Authenticate: Basic realm="example.com"

then it wants a Basic authentication. Some (poorly) implemented servers/sites don't handle the Basic correctly and respond directly with 403 Forbidden instead of challenging first.

NTLM is similar in that the server responds with a 401 and a WWW-Authenticate header with the value NTLM, but there is no official public spec for it, since it is Microsoft proprietary. There are various reverse-engineered descriptions.

Unfortunately REST does not come with a WSDL style description of service to discover the authentication scheme used a priori.

Remus Rusanu answered Oct 13 '22 09:10
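As an added example (not part of the question or of Remus Rusanu's answer), the following Python script automates the check the answer describes: it takes the raw text of a server response, unfolds the headers, collects every WWW-Authenticate value and parses each challenge into its scheme and parameters using the RFC 7235 challenge syntax (token or quoted-string parameters, plus the bare token68 form NTLM uses in later rounds). The sample responses are constructed for the demo, with placeholder nonce and opaque values; the function names are my own. It also reports the two failure modes the answer mentions: a 401 with no challenge header, and a 403 returned instead of a challenge.

```python
"""Determine the HTTP authentication scheme from a server's challenge.

Added example: parse the WWW-Authenticate challenge(s) of a raw HTTP
response into (scheme, params) pairs. The sample responses below are
constructed for the demo, not captured from a real server.
"""
import re

# RFC 7230 "token" characters, used for scheme and parameter names.
_TOKEN = r"[A-Za-z0-9!#$%&'*+\-.^_`|~]+"
# A scheme name, optionally preceded by the comma separating challenges.
_SCHEME_RE = re.compile(r"\s*,?\s*(" + _TOKEN + r")(?=\s|,|$)")
# Bare base64-ish token (token68), e.g. the NTLM type-2 blob in round two.
_TOKEN68_RE = re.compile(r"\s*([A-Za-z0-9\-._~+/]+=*)\s*(?=,|$)")
# name=value where value is a quoted-string or a token; optional trailing comma.
_PARAM_RE = re.compile(
    r"\s*(" + _TOKEN + r")\s*=\s*(\"(?:[^\"\\]|\\.)*\"|[^\s,]+)\s*,?"
)


def parse_www_authenticate(value):
    """Parse one WWW-Authenticate header value into [(scheme, params), ...]."""
    challenges = []
    pos = 0
    while True:
        m = _SCHEME_RE.match(value, pos)
        if not m:
            break
        scheme, pos = m.group(1), m.end()
        params = {}
        t = _TOKEN68_RE.match(value, pos)
        if t:
            params["token68"] = t.group(1)
            pos = t.end()
        else:
            while True:
                p = _PARAM_RE.match(value, pos)
                if not p:
                    break
                name, raw = p.group(1).lower(), p.group(2)
                if raw.startswith('"'):
                    # strip quotes and undo quoted-pair escapes (\" and \\)
                    raw = re.sub(r"\\(.)", r"\1", raw[1:-1])
                params[name] = raw
                pos = p.end()
        challenges.append((scheme, params))
    return challenges


def detect_auth_scheme(raw_response):
    """Classify a raw HTTP response by what it reveals about authentication."""
    head = raw_response.replace("\r\n", "\n").split("\n\n", 1)[0]
    lines = head.split("\n")
    status_code = int(lines[0].split()[1])
    headers = []  # [name, value] pairs; lists so folded lines can be appended
    for line in lines[1:]:
        if line[:1] in (" ", "\t") and headers:  # obs-fold continuation line
            headers[-1][1] += " " + line.strip()
        elif ":" in line:
            name, _, val = line.partition(":")
            headers.append([name.strip().lower(), val.strip()])
    challenges = []
    for name, val in headers:
        if name == "www-authenticate":
            challenges.extend(parse_www_authenticate(val))
    if status_code == 401 and challenges:
        verdict = "challenge: " + ", ".join(s for s, _ in challenges)
    elif status_code == 401:
        verdict = "401 without WWW-Authenticate (non-compliant server)"
    elif status_code == 403:
        verdict = "403 without challenge: refused outright, scheme not disclosed"
    else:
        verdict = "no authentication challenge"
    return {"status": status_code, "challenges": challenges, "verdict": verdict}


# Constructed sample responses (placeholder nonce/opaque values, not real).
DIGEST_RESPONSE = (
    "HTTP/1.0 401 Unauthorized\r\n"
    'WWW-Authenticate: Digest realm="example.com",\r\n'
    '                        qop="auth,auth-int",\r\n'
    '                        nonce="placeholder-nonce",\r\n'
    '                        opaque="placeholder-opaque"\r\n'
    "\r\n"
)
BASIC_RESPONSE = (
    "HTTP/1.0 401 Unauthorized\r\n"
    'WWW-Authenticate: Basic realm="example.com"\r\n'
    "\r\n"
)
NTLM_RESPONSE = (
    "HTTP/1.1 401 Unauthorized\r\n"
    "WWW-Authenticate: Negotiate\r\n"
    "WWW-Authenticate: NTLM\r\n"
    "\r\n"
)
FORBIDDEN_RESPONSE = "HTTP/1.1 403 Forbidden\r\nContent-Length: 0\r\n\r\n"

if __name__ == "__main__":
    for label, resp in [("digest", DIGEST_RESPONSE), ("basic", BASIC_RESPONSE),
                        ("ntlm", NTLM_RESPONSE), ("forbidden", FORBIDDEN_RESPONSE)]:
        print(label, "->", detect_auth_scheme(resp)["verdict"])
```

Feed it the bytes you capture from a real unauthenticated request (decoded to text) and read the `challenges` list; a server that advertises several schemes will produce one entry per challenge, whether they arrive in one comma-separated header or in several headers.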