Basic HTTP Authentication and Subscriber ID

I am currently developing a REST API that is protected by HTTP Basic authentication in the development environment. Since the real authentication is done through a token, I'm still trying to figure out how to send two Authorization headers.

I tried this:

curl -i http://dev.myapp.com/api/users \
  -H "Authorization: Basic Ym9zY236Ym9zY28=" \
  -H "Authorization: Bearer mytoken123"

I could, for example, disable HTTP authentication for my IP address, but since I usually work in different environments with dynamic IP addresses, this is not a good solution. So am I missing something?

+60
rest curl restful-authentication access-token basic-authentication
Mar 06 '14 at 16:16
3 answers

Try this to perform basic authentication by URL:

 curl -i http://username:password@dev.myapp.com/api/users -H "Authorization: Bearer mytoken123"
                ^^^^^^^^^^^^^^^^^^

If the above one does not work, then you have nothing to do with it. Therefore, try the following alternatives.

You can pass the token under a different name, because you are handling the authorization in your application. Thus, you can easily use this flexibility for this special purpose.

 curl -i http://dev.myapp.com/api/users \
   -H "Authorization: Basic Ym9zY236Ym9zY28=" \
   -H "Application-Authorization: mytoken123"

Notice that I changed the header to Application-Authorization. Therefore, in your application, catch the token under this header and process what you need to do.

Another thing you can do is pass token parameters through POST and capture the parameter value from the server side. For example, passing a token with the curl post parameter:

 -d "auth-token=mytoken123" 
+33
Mar 21 '14 at 17:04
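
A server-side check for the custom-header approach in the answer above, as an added example that is not code from the original post: it accepts exactly one Authorization header carrying the Basic credentials and reads the application token from Application-Authorization. The credentials, the helper names and the status codes chosen are assumptions for illustration.

```python
import base64
import hmac

# Constructed sample values (assumptions for this example, not from the page).
GATE_USER, GATE_PASSWORD = "devuser", "devpass"
APP_TOKEN = "mytoken123"
SAMPLE_BASIC = "Basic " + base64.b64encode(b"devuser:devpass").decode()


def parse_basic(value):
    """Return (user, password) from a 'Basic <base64>' value, or None."""
    scheme, _, encoded = value.strip().partition(" ")
    if scheme.lower() != "basic" or not encoded:
        return None
    try:
        decoded = base64.b64decode(encoded.strip(), validate=True).decode("utf-8")
    except ValueError:  # bad base64, or decoded bytes that are not UTF-8
        return None
    user, sep, password = decoded.partition(":")
    return (user, password) if sep else None


def same(a, b):
    """Constant-time string comparison."""
    return hmac.compare_digest(a.encode(), b.encode())


def check_request(headers):
    """headers: (name, value) pairs as received; returns an HTTP status code."""
    seen = {}
    for name, value in headers:
        seen.setdefault(name.lower(), []).append(value)
    auth = seen.get("authorization", [])
    if not auth:
        return 401
    # Two Authorization headers, as in the question's request, are ambiguous:
    # servers and proxies differ in which one they end up using.
    if len(auth) > 1:
        return 400
    creds = parse_basic(auth[0])
    if creds is None or not (same(creds[0], GATE_USER) & same(creds[1], GATE_PASSWORD)):
        return 401
    tokens = seen.get("application-authorization", [])
    if len(tokens) != 1 or not same(tokens[0].strip(), APP_TOKEN):
        return 403
    return 200
```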

The standard ( https://tools.ietf.org/html/rfc6750 ) says that you can use:

  • Form-Encoded Body Parameter: Authorization: Bearer mytoken123
  • URI Query Parameter: access_token=mytoken123

Thus, it is possible to pass multiple tokens with the URI, but this is not recommended (see section 5 of the standard).

+19
Aug 12 '15 at 7:36

curl --anyauth

Tells curl to figure out the authentication method by itself, and use the most secure one that the remote site claims to support. This is done by first doing a request and checking the response headers, thus possibly inducing an extra network round-trip. This is used instead of setting a specific authentication method, which you can do with --basic, --digest, --ntlm, and --negotiate.

+1
Mar 26 '14 at 20:30