Logo Questions Linux Laravel Mysql Ubuntu Git Menu
HTML CSS JAVASCRIPT SQL PYTHON PHP BOOTSTRAP JAVA JQUERY R React Kotlin
 

Signalling authentication failure in a RESTful API

Tags:

rest

http

http-response-codes

I'm writing a small application which exposes a simple REST-ish HTTP API. I'm stuck trying to decide how to signal a failure due to a lack of authorization.

The app does not have an API for authentication, but instead depends upon the presence of a cookie containing a session token obtained by the client via another service. The app verifies the session and uses the identity obtained through the verification process to perform app-specific authorization. There is no way for a client to authenticate directly to this app.

My problem is that the obvious HTTP status code for rejecting unauthorized requests, "401 Unauthorized", is specified in terms of the "WWW-Authenticate" header. See rfc2616 sec 10.4.2.

The response MUST include a WWW-Authenticate header field (section 14.47) containing a challenge applicable to the requested resource.

I can't believe this is an uncommon problem. Is it common to simply overload 401 to include more general uses? What about browsers popping up auth/e dialogs (which incidentally I haven't seen in my testing, so maybe it doesn't happen for POSTs)?

Bottom line: is it OK to use 401 in this context, or is there a better solution?

like image 632
j0ni Avatar asked Oct 24 '09 18:10

j0ni

People also ask

How do I authenticate to your RESTful API?

Users of the REST API can authenticate by providing a user ID and password to the REST API login resource with the HTTP POST method. An LTPA token is generated that enables the user to authenticate future requests. This LTPA token has the prefix LtpaToken2 .

What is authentication in RESTful API?

Authentication is stating that you are who are you are and Authorization is asking if you have access to a certain resource. When working with REST APIs you must remember to consider security from the start. RESTful API often use GET (read), POST (create), PUT (replace/update) and DELETE (to delete a record).

What are authentication failures?

Indicates that the identity asserted in the unsealed client-principal object cannot be authenticated. This authentication failure signifies that the application or database user identity in the registered domain is not authentic.

2 Answers

Typically, you'd send a 401 if the client can authenticate and solve the problem, but since you don't provide a way to authenticate in the API, I'd suggest returning a 403 error (forbidden) instead. This won't require the header and will indicate to the client that it is unable to access the service.

like image 79
tvanfosson Avatar answered Oct 06 '22 01:10

tvanfosson

Return something like this:

HTTP/1.1 401 Unauthorized Location: https://example.com/auth-app/login
like image 29
yfeldblum Avatar answered Oct 05 '22 23:10

yfeldblum
Sign in to Comment

Related questions

HTTPS Proxy Server in node.js
How can I print information about a NET:HTTPRequest for debug purposes?
What C++ library should I use to implement a HTTP client? [closed]
Http connection timeout on Android not working
Fetch a file from a local url with Python requests?
high performance application webserver in C/C++
System.Net.WebClient unreasonably slow
HttpStatus become deprecated in API level 22
How can I pass POST parameters in a URL?
How do I make php page return a 503 error (or anything non-200) [duplicate]
Get client's real IP address on Heroku
How to get host name with port from a http or https request
Enable HTTP2 with Tomcat in Spring Boot
Preemptive Basic Auth with HttpUrlConnection?
Serving gzipped content from django
In Node.js/Express, how do I automatically add this header to every "render" response?
HTTP POST: content-length header required?
Not buffered http.ResponseWritter in Golang
What is the best approach to handle large file uploads in a rails app?
"name" web pdf for better default save filename in Acrobat?

Donate For Us

If you love us? You can donate to us via Paypal or buy me a coffee so we can maintain and grow! Thank you!