I have a rails app with this controller:
```ruby
class EpisodesController < ApplicationController
  before_action :authenticate

  def index
    episodes = Episode.all
    render json: episodes, status: 200
  end

  protected

  def authenticate
    authenticate_or_request_with_http_token do |token, options|
      User.find_by(auth_token: token)
    end
  end
end
```
If I send this curl request, I get back this response with these headers:
```
$ curl -IH "Authorization: Token token=fake" http://localhost:3000/episodes.json
HTTP/1.1 401 Unauthorized
Content-Type: text/html; charset=utf-8
WWW-Authenticate: Token realm="Application"
```
What is the www-authenticate header used for? Is it just convention? What is the realm="application" used for? I read this:
The Token part means that the given resource uses token authentication. The resource under that URI is currently part of the “Application” realm. The realm value allows protected resources to be partitioned into different sets of protection spaces, each with its own access policies.
But I don't get it...
The HTTP WWW-Authenticate response header defines the HTTP authentication methods ("challenges") that might be used to gain access to a specific resource. Note: This header is part of the General HTTP authentication framework, which can be used with a number of authentication schemes.
The 'Basic' Authentication Scheme. The Basic authentication scheme is based on the model that the client needs to authenticate itself with a user-id and a password for each protection space ("realm"). The realm value is a free-form string that can only be compared for equality with other realms on that server.
The token-based verification method works simply. The user enters his details and sends the request to the server. If the information is correct, the server creates a unique HMACSHA256 encoded token, also known as the JSON (JWT) web token.
Bearer authentication (also called token authentication) is an HTTP authentication scheme that involves security tokens called bearer tokens.
The WWW-Authenticate header must be included with 401 Unauthorized responses (see HTTP 1.1 RFC) so it's not only a convention. With the value you can indicate which authentication mechanism is supported (in this case Token, another auth scheme could be Basic for Basic Authentication). The realm can be set to any value you want and should identify the secure area. In case of Basic Auth this value will be displayed on the login dialog.
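The challenge/response exchange the question's curl output shows, and the realm partitioning the quoted text describes, as an added, framework-free Ruby example (not code from the question or any of the answers): the server answers an unauthenticated request with a 401 carrying `Token realm="..."` (Rails defaults the realm to "Application", which is exactly what the curl output shows), the client parses that challenge, picks the credential it holds for that realm, and sends it back as `Authorization: Token token="..."`. Two realms with separate token sets show why a token valid in one protection space is rejected in another. The module name `TokenAuth`, the `REALMS` store and the sample tokens are constructed for illustration; the constant-time compare is there because a plain `==` on secrets lets response timing reveal how many leading bytes of a guess matched.

```ruby
# Added example: a minimal model of the HTTP Token scheme challenge/response
# that Rails' authenticate_or_request_with_http_token performs. All names and
# sample credentials below are constructed for illustration.
module TokenAuth
  # Constructed credential store: each realm (protection space) has its own
  # tokens, so a token valid for "Application" says nothing about "Admin".
  REALMS = {
    'Application' => { 'abc123' => 'alice' },
    'Admin'       => { 'root-token-9' => 'carol' }
  }.freeze

  # The challenge a 401 must carry: scheme plus the realm auth-param.
  def self.challenge(realm)
    %(Token realm="#{realm}")
  end

  # Parse a challenge (or credential) header value into [scheme, {param => value}].
  # Accepts both quoted and bare auth-param values.
  def self.parse_challenge(value)
    scheme, rest = value.strip.split(/\s+/, 2)
    params = {}
    (rest || '').scan(/(\w+)=(?:"([^"]*)"|([^\s,]+))/) do |key, quoted, bare|
      params[key.downcase] = quoted || bare
    end
    [scheme, params]
  end

  # Client side: build the Authorization header from the credential the client
  # holds for the realm named in the challenge (nil if it holds none).
  def self.authorization_for(realm, wallet)
    token = wallet[realm]
    token && %(Token token="#{token}")
  end

  # Server side: extract the presented token from "Token token=..." (the form
  # authenticate_or_request_with_http_token expects); nil if absent or wrong scheme.
  def self.parse_authorization(value)
    return nil unless value
    scheme, params = parse_challenge(value)
    return nil unless scheme && scheme.casecmp?('Token')
    params['token']
  end

  # Constant-time comparison: the result does not depend on where the first
  # differing byte is, only on the lengths, so timing does not leak prefix matches.
  def self.secure_compare(a, b)
    return false unless a.bytesize == b.bytesize
    a.bytes.zip(b.bytes).reduce(0) { |acc, (x, y)| acc | (x ^ y) }.zero?
  end

  # Look the presented token up inside the realm only. Returns a Rack-style
  # [status, headers, body]; the failure branch carries the challenge header.
  def self.authenticate(realm, authorization_header)
    presented = parse_authorization(authorization_header)
    user = nil
    if presented
      REALMS.fetch(realm, {}).each do |stored, name|
        user = name if secure_compare(stored, presented)
      end
    end
    if user
      [200, { 'Content-Type' => 'application/json' }, %({"user":"#{user}"})]
    else
      [401, { 'WWW-Authenticate' => challenge(realm) }, 'HTTP Token: Access denied.']
    end
  end
end

if __FILE__ == $0
  wallet = { 'Application' => 'abc123' }               # constructed client credential
  status, headers, = TokenAuth.authenticate('Application', nil)
  puts "#{status} WWW-Authenticate: #{headers['WWW-Authenticate']}"
  _scheme, params = TokenAuth.parse_challenge(headers['WWW-Authenticate'])
  auth = TokenAuth.authorization_for(params['realm'], wallet)
  puts TokenAuth.authenticate('Application', auth).first # 200: right realm
  puts TokenAuth.authenticate('Admin', auth).first       # 401: other protection space
  puts TokenAuth.authenticate('Application', 'Token token=fake').first # 401, as in the question
end
```

The realm string is only ever compared for equality, so its value is up to the server; what matters is that the client uses it to select which credential to send, and that the server never accepts a token outside the realm it was issued for.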