What WWW-Authenticate header should a http server return in a 401 response when using form-based authentication?

I have a web application with a Javascript part running on the browser. That frontend uses several HTTP endpoints (more or less REST). The frontend must be able to distinguish between 401 and 403 responses and must not receive the 3xx redirects usually used for human users.

Authorization is done with a plain form login (no Javascript involved there), then a session cookie is used (for both "REST" and normal requests).

What would be a correct value for the WWW-Authenticate header value?

  • From RFC 7235: "A server generating a 401 (Unauthorized) response MUST send a WWW-Authenticate header field containing at least one challenge."

  • The Hypertext Transfer Protocol (HTTP) Authentication Scheme Registry does not list any scheme for form-based authentication.

See also:

  • HTTP 401 Unauthorized when not using HTTP basic auth?
  • Authorization in RESTful HTTP API, 401 WWW-Authenticate
Gustave asked Jan 23 '18 18:01



1 Answer

What would be a correct value for the WWW-Authenticate header value?

There's no point in returning 401 and WWW-Authenticate when you are not using HTTP Authentication as described in RFC 7235. In HTTP Authentication, the client is expected to send the credentials in the Authorization header of the request with an authentication scheme token.

If you want to send the credentials in the request payload using POST, the 403 status code would be more suitable to indicate that the server has refused the request.

cassiomolin answered Sep 22 '22 19:09
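The following is an added example (not code from the question or the answer above) that puts the two positions on this page side by side for a session-cookie protected endpoint: the question's requirement that a JavaScript client gets a distinguishable 401 or 403 and never a 3xx redirect, and the answer's point that a 401 only makes sense together with an RFC 7235 challenge, otherwise 403 is the honest status. The session store, the cookie name `session`, the `/login` URL, the "is this the JS frontend?" heuristic and the challenge value `Bearer realm="api"` are all assumptions made for the example; `Bearer` is used only because it is a registered scheme, and any registered scheme would satisfy the RFC's "at least one challenge" rule.

```python
from http import HTTPStatus

# Constructed sample session store: session cookie value -> (username, roles).
# In a real application this lives server-side, keyed by an unguessable id.
SESSIONS = {
    "sess-alice-7f3a": ("alice", {"user"}),
    "sess-admin-91c2": ("admin", {"user", "admin"}),
}

# Assumption: the challenge advertised when an endpoint chooses to answer 401.
# "Bearer" is a registered scheme (RFC 6750); the realm is a label the client
# may show to the user. RFC 7235 only requires that some challenge be present.
API_CHALLENGE = 'Bearer realm="api"'
LOGIN_URL = "/login"  # assumed location of the HTML login form


def parse_cookies(cookie_header):
    """Minimal Cookie header parser: 'a=1; b=2' -> {'a': '1', 'b': '2'}."""
    cookies = {}
    for part in (cookie_header or "").split(";"):
        name, sep, value = part.strip().partition("=")
        if sep and name:
            cookies[name] = value
    return cookies


def is_api_client(headers):
    """Assumed heuristic: the JS frontend asks for JSON or marks itself as XHR."""
    accept = headers.get("Accept", "")
    return "application/json" in accept or headers.get("X-Requested-With") == "XMLHttpRequest"


def authorize(headers, required_role, challenge_unauthenticated=True):
    """Decide the response for an endpoint protected by a session cookie.

    Returns (status_code, response_headers). The outcomes are kept distinct:
      * no valid session, browser client -> 302 to the HTML login form
      * no valid session, API client     -> 401 + WWW-Authenticate (RFC 7235),
                                            or 403 with no challenge when
                                            challenge_unauthenticated is False
                                            (the accepted answer's advice)
      * valid session, missing role      -> 403, never a redirect
    """
    cookies = parse_cookies(headers.get("Cookie"))
    session = SESSIONS.get(cookies.get("session"))

    if session is None:
        if not is_api_client(headers):
            # Human user: send them to the login form, as the question describes.
            return HTTPStatus.FOUND, {"Location": LOGIN_URL}
        if challenge_unauthenticated:
            # RFC 7235: a 401 MUST carry at least one challenge.
            return HTTPStatus.UNAUTHORIZED, {"WWW-Authenticate": API_CHALLENGE}
        # Credentials are only ever accepted via the login form, so there is no
        # HTTP Authentication scheme to advertise: refuse without a challenge.
        return HTTPStatus.FORBIDDEN, {}

    _user, roles = session
    if required_role not in roles:
        # Authenticated but not permitted: 403 with no challenge, since
        # re-authenticating as the same identity would not help.
        return HTTPStatus.FORBIDDEN, {}

    return HTTPStatus.OK, {}


if __name__ == "__main__":
    browser = {"Accept": "text/html"}
    api = {"Accept": "application/json"}
    api_user = dict(api, Cookie="theme=dark; session=sess-alice-7f3a")
    for label, hdrs, role in [("browser, no session", browser, "user"),
                              ("api, no session", api, "user"),
                              ("api, user wants admin", api_user, "admin")]:
        print(label, "->", authorize(hdrs, role))
```

Whichever branch you pick for the unauthenticated API case, the frontend can rely on the status alone: 302 never reaches it, 401 means "no valid session" and 403 means "valid session, not allowed". Note that the 403-without-challenge variant removes the frontend's ability to tell "not logged in" from "not permitted" by status code alone, which is exactly the trade-off the question and answer disagree on.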