How to use HttpWebRequest.Credentials Property for Basic Authentication?
Solution 1
The server should send a HTTP 401 Not Authorized response code containing a WWW-Authenticate HTTP header.
WWW-Authenticate: Basic realm="example"
The PreAuthenticate property only works after authentication has taken place. From MSDN:
true to send an HTTP Authorization header with requests after authentication has taken place; otherwise, false. The default is false.
See other answers for more in depth explanation.
Solution 2
I've done some additional research based on Måns Tånneryd`s answer. And the link he posted in his comment: PreAuthenticate Property of WebRequest - Problem.
First of all as described in his link the HttpWebRequest.PreAuthenticate Property does NOT send the Authentication header PRE authentication, but pre sends it in following requests, after Authentication. From MSDN:
true to send an HTTP Authorization header with requests after authentication has taken place; otherwise, false. The default is false.
So even with the PreAuthenticate
property set to true, we still need an WWW-Authenticate challenge with a 401 Unauthorized before anything happens. Now if we try to authenticate against github with the following code:
WebRequest request = (HttpWebRequest)WebRequest.Create("https://api.github.com/user");
request.Credentials = new NetworkCredential("githubUsername", "githubPassword");
var response = request.GetResponse();
An WebException
will be thrown, because we don't get a WWW-Authenticate challenge. If we capture this in Fiddler we will get the following:
However if we try this, with the exact same code, against a website that does return a WWW-Authenticate challenge we will see the following in Fiddler:
And the response will have the result as expected.
Solution 3
I can successfull run this code accessing another server that also requires both SSL and authentication. This server differs from the github in that the github returns a json result saying that it requires authentication and the other server returns a "classic" 401 html page. Sniffing the network you can see that the .net code tries to do anonymous auth even if you do set preauth to true which I think is rather confusing. However, upon receiving a regular 401-page it tries again, and this time with the auth info and everything works. It seems to me though as if .net reacts differently upon receiving the json version of a 401, not making a second try.
I guess this is not the answer you are looking for but hopefully it sheds some more light on the situation.
Comments
-
Jos Vinke almost 2 years
How can I use the Webrequest
Credentials
Property to send an basic authentication header? Why isn't the Authorization header send with the request even whenPreAuthenticate
is set to true?WebRequest request = (HttpWebRequest)WebRequest.Create("https://api.github.com/user"); request.Credentials = new NetworkCredential("githubUsername", "githubPassword"); request.PreAuthenticate = true; var response = request.GetResponse();
-
Måns Tånneryd over 10 yearsI found both an explanation and a solution at Charles Cooks blog. Explanation is at cookcomputing.com/blog/archives/000580.html and a solution can be found at cookcomputing.com/blog/archives/000581.html.
-
Jos Vinke over 10 yearsThanks for your answer, it sheds a nice light on the situation. Also the links you provided are helpful. Tonight I'll take some more time and try if I can successful authenticate against another server. Is the server you tried a public server which I could try to authenticate as well? I still wonder if their is a way to handle the JSON 401 with the Credential Property / to Authenticate Github with it. So I'll leave the question open for now.
-
Måns Tånneryd over 10 yearsThe server I was using is, unfortunately, not public.
-
Jos Vinke over 10 yearsThanks Måns! I got it working and shared some off my findings in another answer and I have marked your answer as accepted.
-
Måns Tånneryd over 10 yearsHappy to be of assistance. I have stumbled upon this situation before but never taken the time to figure out how come the preauth property wasn't resulting in the behavior I expected and simply accepted that the request round trips twice instead of once.
-
Admin over 10 yearsThanks for that Jos. I am a lot more informed now.