The HTTP spec states:
10.4.2 401 Unauthorized
The request requires user authentication. The response MUST include a WWW-Authenticate header field (section 14.47) containing a challenge applicable to the requested resource.
If the only login scheme I support is OpenID (or CAS, or OAuth tokens, &c.), what should I put in this field? That is, how do I indicate that the client needs to pre-authenticate and create a session rather than try to send credentials along with each request?
Before you answer, "don't send a 401; send a 3xx redirecting to the OpenID login page," what about for non-HTML clients? How, for example, would Stack Overflow do an API that my custom software could interact with?
The HTTP WWW-Authenticate response header defines the HTTP authentication methods ("challenges") that might be used to gain access to a specific resource. Note: This header is part of the General HTTP authentication framework, which can be used with a number of authentication schemes.
The WWW-Authenticate: Negotiate header means that the server can use NTLM or Kerberos (at least on OSes prior to Windows 7 and Windows Server 2008, when additional security support providers were added) for authentication and encryption.
The 'Basic' Authentication Scheme. The Basic authentication scheme is based on the model that the client needs to authenticate itself with a user-id and a password for each protection space ("realm"). The realm value is a free-form string that can only be compared for equality with other realms on that server.
A client that wants to authenticate itself with the server can then do so by including an Authorization request header with the credentials. Usually a client will present a password prompt to the user and will then issue the request including the correct Authorization header.
According to RFC2617 the auth-scheme can be anything; if you really want a 401 you're not technically breaking spec by making something up like WWW-Authenticate: OpenID realm="My Realm" location="http://my/login/location". Having said that, behaviour of other people's code when you do that is of course undefined. :-)
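As an added example (not code from the question or from this answer), here is a small Python parser and serialiser for the RFC 2617 challenge grammar that handles the made-up OpenID realm="..." location="..." challenge from this answer next to the standard schemes. The OpenID scheme and its location parameter are the answer's hypothetical, not a registered scheme, and the client-side decision logic in plan_authentication is my own assumption about how a non-browser client would react.

```python
import re

# Simplified RFC 2617 grammar: challenge = auth-scheme 1*SP #auth-param and
# auth-param = token "=" ( token | quoted-string ). Params may be separated by
# commas (as the RFC says) or by whitespace only (as in the answer's example).
_TOKEN = r"[!#$%&'*+\-.^_`|~0-9A-Za-z]+"
_QUOTED = r'"(?:[^"\\]|\\.)*"'
_SCHEME_RE = re.compile(rf"\s*({_TOKEN})(?=\s|,|$)\s*,?")
_PARAM_RE = re.compile(rf"\s*({_TOKEN})\s*=\s*({_TOKEN}|{_QUOTED})\s*,?")

def parse_www_authenticate(header):
    """Return [{'scheme': ..., 'params': {...}}, ...] for one header value.
    A header may carry several challenges; a new one starts wherever a token is
    followed by whitespace, a comma or the end instead of '='."""
    challenges, pos = [], 0
    while pos < len(header):
        m = _SCHEME_RE.match(header, pos)
        if not m:
            raise ValueError(f"expected auth-scheme at offset {pos}")
        params, pos = {}, m.end()
        while (p := _PARAM_RE.match(header, pos)):
            value = p.group(2)
            if value.startswith('"'):  # drop quotes, resolve backslash quoted-pairs
                value = re.sub(r"\\(.)", r"\1", value[1:-1])
            params[p.group(1).lower()] = value
            pos = p.end()
        challenges.append({"scheme": m.group(1), "params": params})
    return challenges

def build_challenge(scheme, **params):
    """Server side: serialise one challenge; every value is quoted (always legal)."""
    def quote(v):
        return '"' + v.replace("\\", "\\\\").replace('"', '\\"') + '"'
    if not params:
        return scheme
    return scheme + " " + ", ".join(f"{k}={quote(v)}" for k, v in params.items())

def plan_authentication(header):
    """Client side (assumed policy): how should a non-browser client react to a 401?
    Basic/Digest: send credentials on every request.  The made-up 'OpenID'
    scheme with a 'location' param: pre-authenticate there, then use a session.
    Anything else: give up rather than guess."""
    for c in parse_www_authenticate(header):
        scheme = c["scheme"].lower()
        if scheme in ("basic", "digest"):
            return "per-request", c["params"].get("realm")
        if scheme == "openid" and "location" in c["params"]:
            return "pre-authenticate", c["params"]["location"]
    return "unsupported", None
```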
There is an OAuth Discovery spec that would indicate what to put into the WWW-Authenticate header -- if the spec were not obsolete without a replacement spec yet.