Set HTTP Authorization Header

I need to authenticate a client when it sends an API request. The client has an API token, and I was thinking of using the standard Authorization header to send the token to the server.

Typically, this header is used for Basic and Digest authentication. But I don’t know if I am allowed to adjust the value of this header and use user authentication, for example:

 Authorization: Token 1af538baa9045a84c0e889f672baf83ff24

Would you recommend it or not? Or is there a better approach to sending a token?

+68
rest api authorization
Dec 11 '11 at 12:05
5 answers

You can create your own authentication schemes that use the Authorization: header; for example, this is how OAuth works.

Typically, if servers or proxies do not understand the meaning of standard headers, they will leave them alone and ignore them. Creating your own header keys, on the other hand, can often produce unexpected results: many proxies will strip headers with names that they do not recognize.

Having said that, it might be better to use cookies to transfer the token rather than the Authorization: header, for the simple reason that cookies were explicitly designed to carry user-defined values, while the HTTP specification's built-in auth methods were not really; if you want to see exactly what it says, look here.

Another point is that many HTTP client libraries have built-in support for Digest and Basic auth but make life harder when you try to set a raw value in the header field, while they all provide easy support for cookies and allow more or less any value inside them.

+40
Dec 11 '11 at 1:30 p.m.

If you are making CROSS ORIGIN requests, read the following:

I ran into this situation, and first decided to use the Authorization header, and then deleted it, faced with the following problem.

The Authorization header is treated as a custom header. Therefore, if a cross-domain request is made using the Authorization header, the browser first sends a preflight request. A preflight request is an HTTP request using the OPTIONS method, which strips all the parameters. Your server should respond with an Access-Control-Allow-Headers header whose value includes your custom header (the Authorization header).

Thus, for each request sent by the client (browser), the browser makes an additional HTTP request (OPTIONS). This degraded the performance of my API. You should check whether this reduces performance. As a workaround, I send tokens in the HTTP parameters, which, as I know, is not the best way to do this, but I could not compromise on performance.

+6
Feb 20 '16 at 15:33
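An added example, not code from any answer on this page, that puts the first answer's custom scheme and the CORS answer together on the server side: a parser for the Authorization header that accepts both a custom Token scheme and Basic, the 401 challenge that advertises both, and the OPTIONS preflight response with a cache lifetime so the browser does not repeat the preflight on every request. The credential store, VALID_TOKENS, BASIC_CLIENTS and the handle() shape are constructed assumptions for illustration.

```python
import base64
import hmac
import re

# Constructed sample credential store (illustrative values, not real secrets).
VALID_TOKENS = {"1af538baa9045a84c0e889f672baf83ff24": "client-a"}
BASIC_CLIENTS = {"client-b": "s3cret-example"}

# RFC 7235 shape: credentials = auth-scheme 1*SP ( token68 / #auth-param )
_AUTH_RE = re.compile(r"^\s*([A-Za-z0-9!#$%&'*+\-.^_`|~]+)\s+(\S+)\s*$")

def parse_authorization(value):
    """Split an Authorization value into (scheme, credentials); the scheme is case-insensitive."""
    m = _AUTH_RE.match(value or "")
    return (m.group(1).lower(), m.group(2)) if m else None

def basic_credentials(user, password):
    """Client side: build the base64 credentials part of a Basic header."""
    return base64.b64encode(f"{user}:{password}".encode()).decode()

def authenticate(headers):
    """Return the client id for a valid Authorization header (keys lower-cased), else None."""
    parsed = parse_authorization(headers.get("authorization"))
    if parsed is None:
        return None
    scheme, creds = parsed
    if scheme == "token":
        # Constant-time comparison so a mismatch does not leak how much of a token matched.
        for known, client in VALID_TOKENS.items():
            if hmac.compare_digest(known.encode(), creds.encode()):
                return client
    elif scheme == "basic":
        try:
            user, _, password = base64.b64decode(creds, validate=True).decode().partition(":")
        except (ValueError, UnicodeDecodeError):
            return None
        if user in BASIC_CLIENTS and hmac.compare_digest(BASIC_CLIENTS[user].encode(), password.encode()):
            return user
    return None  # unknown scheme or bad credentials: unauthenticated

def handle(method, headers):
    headers = {k.lower(): v for k, v in headers.items()}
    if method == "OPTIONS" and "access-control-request-method" in headers:
        # Preflight triggered by the non-simple Authorization header; Max-Age lets the browser cache it.
        return 204, {"Access-Control-Allow-Origin": headers.get("origin", "*"),
                     "Access-Control-Allow-Headers": "Authorization", "Access-Control-Max-Age": "600"}
    client = authenticate(headers)
    if client is None:
        return 401, {"WWW-Authenticate": 'Token realm="api", Basic realm="api"'}
    return 200, {"X-Client": client}
```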

This is a bit outdated, but there may be others looking for answers to the same question. You should consider which security spaces make sense for your APIs. For example, you might want to identify and authenticate client application access to your APIs to limit their use to known registered client applications. In this case, you can use the Basic authentication scheme with the client ID as the user name and the client ID as the password. You do not need proprietary authentication schemes; simply identify clearly the ones that clients will use for each security space. I prefer only one for each security space, but HTTP standards allow both multiple authentication schemes in each WWW-Authenticate response and multiple WWW-Authenticate headers in each response; this will confuse API clients as to which options to use. Be consistent and understandable, and your APIs will be used.

+4
Nov 04 '15 at 16:31

I would recommend not using HTTP authentication with custom scheme names. If you feel that you have something generic, you can define a new scheme. See http://greenbytes.de/tech/webdav/draft-ietf-httpbis-p7-auth-latest.html#rfc.section.2.3 for details.

+1
Dec 11 2018-11-11T00:

Please try the following in Postman:

This example header works for me:

Authorization: JWT eyJ0eXAiOiJKV1QiLCJhbGciOiJIUzI1NiJ9.…

0
May 21 '17 at 7:33