What should I pass for the WWW-Authenticate header on 401s if I'm only using OpenID?

The HTTP spec states:

10.4.2 401 Unauthorized

The request requires user authentication. The response MUST include a WWW-Authenticate header field (section 14.47) containing a challenge applicable to the requested resource.

If the only login scheme I support is OpenID (or CAS, or OAuth tokens, &c.), what should I put in this field? That is, how do I indicate that the client needs to pre-authenticate and create a session rather than try to send credentials along with each request?

Before you answer, "don't send a 401; send a 3xx redirecting to the OpenID login page," what about for non-HTML clients? How, for example, would Stack Overflow do an API that my custom software could interact with?

James A. Rosen asked Jun 02 '09 15:06



2 Answers

According to RFC 2617 the auth-scheme can be anything; if you really want a 401 you're not technically breaking spec by making something up like WWW-Authenticate: OpenID realm="My Realm" location="http://my/login/location". Having said that, behaviour of other people's code when you do that is of course undefined. :-)

Chris Boyle answered Sep 23 '22 18:09
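As an added example (not code from the question or either answer), this shows how a non-browser client can parse a challenge like the one suggested above, and how a server can build one, following the RFC 2617 challenge grammar (auth-scheme, then comma-separated auth-params) while tolerating the space-only form in the answer. The `location` parameter is the hypothetical one from the answer, not a registered parameter.

```python
import re
from typing import Dict, Tuple

# RFC 2617 grammar: challenge = auth-scheme 1*SP #auth-param,
# auth-param = token "=" ( token | quoted-string ). Quoted values may hold
# commas and backslash-escaped quotes, so a naive split(",") is wrong.
TOKEN = r"[!#$%&'*+\-.^_`|~0-9A-Za-z]+"
PARAM_RE = re.compile(
    r"\s*(?P<key>" + TOKEN + r")\s*=\s*"
    r'(?:"(?P<quoted>(?:[^"\\]|\\.)*)"|(?P<token>' + TOKEN + r"))"
    r"\s*,?"
)

def parse_challenge(header: str) -> Tuple[str, Dict[str, str]]:
    """Parse one WWW-Authenticate challenge into (scheme, params).
    Accepts comma-separated params (the RFC form) and, as a tolerance,
    the space-only form shown in the answer above."""
    header = header.strip()
    m = re.match(r"(" + TOKEN + r")\s*", header)
    if not m:
        raise ValueError("missing auth-scheme")
    scheme, params, pos = m.group(1).lower(), {}, m.end()
    while pos < len(header):
        pm = PARAM_RE.match(header, pos)
        if not pm:
            raise ValueError("malformed auth-param at offset %d" % pos)
        quoted = pm.group("quoted")
        value = re.sub(r"\\(.)", r"\1", quoted) if quoted is not None else pm.group("token")
        params[pm.group("key").lower()] = value
        pos = pm.end()
    return scheme, params

def build_challenge(scheme: str, **params: str) -> str:
    """Serialise a challenge; every value is quoted so spaces and commas are safe."""
    def quote(v: str) -> str:
        return '"' + v.replace("\\", "\\\\").replace('"', '\\"') + '"'
    return scheme + " " + ", ".join("%s=%s" % (k, quote(v)) for k, v in params.items())

def client_next_step(header: str) -> str:
    """What a non-browser client should do with the challenge it received."""
    scheme, params = parse_challenge(header)
    if scheme in ("basic", "digest"):
        return "retry-with-credentials"
    if "location" in params:  # hypothetical param from the answer above
        return "pre-authenticate:" + params["location"]
    return "unsupported:" + scheme
```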


There is an OAuth Discovery spec that would indicate what to put into the WWW-Authenticate header -- if the spec were not obsolete without a replacement spec yet.

Andrew Arnott answered Sep 24 '22 18:09