What should I pass for the WWW-Authenticate header on 401s if I'm only using OpenID?

http authentication openid http-headers
22,874

Solution 1

According to RFC2617 the auth-scheme can be anything; if you really want a 401 you're not technically breaking spec by making something up like WWW-Authenticate: OpenID realm="My Realm" location="http://my/login/location". Having said that, behaviour of other people's code when you do that is of course undefined. :-)

Solution 2

There is an OAuth Discovery spec that would indicate what to put into the WWW-Authenticate header -- if the spec were not obsolete without a replacement spec yet.

Share:
22,874
James A. Rosen
Author by

James A. Rosen

Updated on March 19, 2020

Comments

  • James A. Rosen
    James A. Rosen about 4 years

    The HTTP spec states:

    10.4.2 401 Unauthorized

    The request requires user authentication. The response MUST include a WWW-Authenticate header field (section 14.47) containing a challenge applicable to the requested resource.

    If the only login scheme I support is OpenID (or CAS, or OAuth tokens, &c.), what should I put in this field? That is, how do I indicate that the client needs to pre-authenticate and create a session rather than try to send credentials along with each request?

    Before you answer, "don't send a 401; send a 3xx redirecting to the OpenID login page," what about for non-HTML clients? How, for example, would Stack Overflow do an API that my custom software could interact with?

  • Константин Ван
    Константин Ван over 4 years
    Updated by RFC 7235.

Recents

Why Is PNG file with Drop Shadow in Flutter Web App Grainy?
How to troubleshoot crashes detected by Google Play Store for Flutter app
Cupertino DateTime picker interfering with scroll behaviour
Why does awk -F work for most letters, but not for the letter "t"?
Flutter change focus color and icon color but not works
How to print and connect to printer using flutter desktop via usb?
Critical issues have been reported with the following SDK versions: com.google.android.gms:play-services-safetynet:17.0.0
Flutter Dart - get localized country name from country code
navigatorState is null when using pushNamed Navigation onGenerateRoutes of GetMaterialPage
Android Sdk manager not found- Flutter doctor error
Flutter Laravel Push Notification without using any third party like(firebase,onesignal..etc)
How to change the color of ElevatedButton when entering text in TextField

Related

Using http basic authentication with Ajax call
Headers not being set on http Flutter
Flutter - VideoPlayer - Support http headers while constructing video controller from network datasource
flutter - no json is sent in the body of my http post
FLUTTER How to implement Digest Authentification
How can I add multiple headers in Flutter GET Api request
nginx auth_basic "Restricted" prompting login on every request
Powershell System.Net.WebClient Authentication
How do I set the request headers using Reqwest?
Online HTTP client