When passing a username and password encoded in the URL, e.g.: https://Aladdin:[email protected]/index.html
Is the client in fact sending this in the Authorization header? What kind of processing is needed on the server side for this kind of URL encoding?
Basic HTTP authentication: You need to generate a Base64-encoded credential with the Customer ID and Customer Secret provided by Agora and pass the credential to the Authorization parameter in the request header.
The client must create a POST call and pass the user name, password, and authString in the Request headers using the /x-www-form-urlencoded content type. The AR System server then performs the normal authentication mechanisms to validate the credentials.
Basic authentication is a simple authentication scheme built into the HTTP protocol. The client sends HTTP requests with the Authorization header that contains the word Basic followed by a space and a base64-encoded string username:password.
To solve the general case of special characters: open the Chrome console with F12, paste encodeURIComponent(str), where str is your password (or username), and then use the encoded result to form the URL with the password.
Is the client in fact sending this in the Authorization header?
It depends on what the client is. If the client is a browser, the answer is no. Here is the experiment result:
Generally speaking, browsers will ignore authentication information proactively sent in the URL, for security reasons.
However, if the client is a development tool, the authentication information may be encoded in base64 and sent as an Authorization header. Here are some experiment results:
Whether the Authorization header is sent depends on the tool's design.
What kind of processing is needed on the server side for this kind of URL encoding?
On the server side, all you need to do is get the base64-encoded string from the Authorization header, decode it, and check whether it is valid.
Would it be any different if the HTTP protocol is used in the example URL?
For security, yes: the Authorization header over HTTP is very insecure. Base64 encoding/decoding will not provide any security benefit; it can be decoded by anyone.
Otherwise, they are the same.
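The round trip described above, as an added example that is not part of the original answer: a tool that honours URL userinfo percent-decodes it and Base64-encodes user:password, and the server decodes and checks the header. The function names, the USERS table and the sample password are assumptions constructed for illustration.

```python
import base64
import binascii
import hmac
from urllib.parse import quote, unquote, urlsplit

# Constructed sample credential store; a real server would verify a password hash.
USERS = {"Aladdin": "p@ss:w/rd"}

def build_url(user, password, host="www.example.com"):
    """Percent-encode userinfo, as encodeURIComponent does for these characters."""
    return f"https://{quote(user, safe='')}:{quote(password, safe='')}@{host}/index.html"

def header_from_url(url):
    """Header value a userinfo-aware tool would send, or None without userinfo."""
    parts = urlsplit(url)
    if parts.username is None:
        return None
    # urlsplit leaves userinfo percent-encoded, so decode before Base64.
    user = unquote(parts.username)
    password = unquote(parts.password or "")
    token = base64.b64encode(f"{user}:{password}".encode("utf-8"))
    return "Basic " + token.decode("ascii")

def parse_basic(header):
    """Server side: return (user, password) from the header value, or None."""
    scheme, _, token = (header or "").partition(" ")
    if scheme.lower() != "basic" or not token.strip():
        return None
    try:
        decoded = base64.b64decode(token.strip(), validate=True).decode("utf-8")
    except (binascii.Error, UnicodeDecodeError):
        return None  # malformed Base64 or not UTF-8: reject, do not guess
    # Split on the first colon only: the password itself may contain ':'.
    user, sep, password = decoded.partition(":")
    return (user, password) if sep else None

def authenticate(header):
    """Check decoded credentials with a constant-time comparison."""
    creds = parse_basic(header)
    if creds is None:
        return False
    user, password = creds
    expected = USERS.get(user)
    ok = hmac.compare_digest(password.encode(), (expected or "").encode())
    return expected is not None and ok
```

Base64 is reversible by anyone who sees the header, so this check only protects the credentials when the request travels over HTTPS.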