How to use HttpWebRequest.Credentials Property for Basic Authentication?

c# .net authentication
26,431

Solution 1

The server should send a HTTP 401 Not Authorized response code containing a WWW-Authenticate HTTP header.

WWW-Authenticate: Basic realm="example"

The PreAuthenticate property only works after authentication has taken place. From MSDN:

true to send an HTTP Authorization header with requests after authentication has taken place; otherwise, false. The default is false.

See other answers for more in depth explanation.

Solution 2

I've done some additional research based on Måns Tånneryd`s answer. And the link he posted in his comment: PreAuthenticate Property of WebRequest - Problem.

First of all as described in his link the HttpWebRequest.PreAuthenticate Property does NOT send the Authentication header PRE authentication, but pre sends it in following requests, after Authentication. From MSDN:

true to send an HTTP Authorization header with requests after authentication has taken place; otherwise, false. The default is false.

So even with the PreAuthenticate property set to true, we still need an WWW-Authenticate challenge with a 401 Unauthorized before anything happens. Now if we try to authenticate against github with the following code:

WebRequest request = (HttpWebRequest)WebRequest.Create("https://api.github.com/user");
request.Credentials = new NetworkCredential("githubUsername", "githubPassword");

var response = request.GetResponse();

An WebException will be thrown, because we don't get a WWW-Authenticate challenge. If we capture this in Fiddler we will get the following:

enter image description here

However if we try this, with the exact same code, against a website that does return a WWW-Authenticate challenge we will see the following in Fiddler:

enter image description here enter image description here

And the response will have the result as expected.

Solution 3

I can successfull run this code accessing another server that also requires both SSL and authentication. This server differs from the github in that the github returns a json result saying that it requires authentication and the other server returns a "classic" 401 html page. Sniffing the network you can see that the .net code tries to do anonymous auth even if you do set preauth to true which I think is rather confusing. However, upon receiving a regular 401-page it tries again, and this time with the auth info and everything works. It seems to me though as if .net reacts differently upon receiving the json version of a 401, not making a second try.

I guess this is not the answer you are looking for but hopefully it sheds some more light on the situation.

Share:
26,431
Jos Vinke
Author by

Jos Vinke

nl.linkedin.com/in/jvinke

Updated on July 09, 2022

Comments

  • Jos Vinke
    Jos Vinke almost 2 years

    How can I use the Webrequest Credentials Property to send an basic authentication header? Why isn't the Authorization header send with the request even whenPreAuthenticate is set to true?

    WebRequest request = (HttpWebRequest)WebRequest.Create("https://api.github.com/user");
request.Credentials = new NetworkCredential("githubUsername", "githubPassword");
request.PreAuthenticate = true;
var response = request.GetResponse();
  • Måns Tånneryd
    Måns Tånneryd over 10 years
    I found both an explanation and a solution at Charles Cooks blog. Explanation is at cookcomputing.com/blog/archives/000580.html and a solution can be found at cookcomputing.com/blog/archives/000581.html.
  • Jos Vinke
    Jos Vinke over 10 years
    Thanks for your answer, it sheds a nice light on the situation. Also the links you provided are helpful. Tonight I'll take some more time and try if I can successful authenticate against another server. Is the server you tried a public server which I could try to authenticate as well? I still wonder if their is a way to handle the JSON 401 with the Credential Property / to Authenticate Github with it. So I'll leave the question open for now.
  • Måns Tånneryd
    Måns Tånneryd over 10 years
    The server I was using is, unfortunately, not public.
  • Jos Vinke
    Jos Vinke over 10 years
    Thanks Måns! I got it working and shared some off my findings in another answer and I have marked your answer as accepted.
  • Måns Tånneryd
    Måns Tånneryd over 10 years
    Happy to be of assistance. I have stumbled upon this situation before but never taken the time to figure out how come the preauth property wasn't resulting in the behavior I expected and simply accepted that the request round trips twice instead of once.
  • Admin
    Admin over 10 years
    Thanks for that Jos. I am a lot more informed now.

Recents

Why Is PNG file with Drop Shadow in Flutter Web App Grainy?
How to troubleshoot crashes detected by Google Play Store for Flutter app
Cupertino DateTime picker interfering with scroll behaviour
Why does awk -F work for most letters, but not for the letter "t"?
Flutter change focus color and icon color but not works
How to print and connect to printer using flutter desktop via usb?
Critical issues have been reported with the following SDK versions: com.google.android.gms:play-services-safetynet:17.0.0
Flutter Dart - get localized country name from country code
navigatorState is null when using pushNamed Navigation onGenerateRoutes of GetMaterialPage
Android Sdk manager not found- Flutter doctor error
Flutter Laravel Push Notification without using any third party like(firebase,onesignal..etc)
How to change the color of ElevatedButton when entering text in TextField

Related

Owin auth - how to get IP address of client requesting the auth token
Calling ASMX Service from C# app with Windows authentication?
Building a CredentialCache for HttpWebRequest.Credentials when redirects are uknown
Can't connect to SQL Server: "Login failed for user "."
Mixing Forms and Windows authentication in .Net 4.5
asmx web service: client authentication
why is use of "new NetworkCredential(username, password)" not working for Basic Authentication to my website (from a WinForms C# app)?
401 Unauthorized returned on GET request (https) with correct credentials
How to Use SHA1 or MD5 in C#?(Which One is Better in Performance and Security for Authentication)
.NET 4.5 Bug in UserPrincipal.FindByIdentity (System.DirectoryServices.AccountManagement)