Basic HTTP and Bearer Token Authentication

Question

I am currently developing a REST-API which is HTTP-Basic protected for the development environment  As the real authentication is done via a token  I m still trying to figure out  how to send two authorization headers   I have tried this one   curl -i http   dev myapp com api users     -H  Authorization  Basic Ym9zY236Ym9zY28       -H  Authorization  Bearer mytoken123    I could for example disable the HTTP-Authentication for my IP but as I usually work in different environments with dynamic IPs  this is not a good solution  So am I missing something

User · Answer

I had a similar problem - authenticate device and user at device  I used a Cookie header alongside an Authorization  Bearer    header  One header authenticated the device  the other authenticated the user  I used a Cookie header because these are commonly used for authentication

User · Answer

Standard  https   tools ietf org html rfc6750  says you can use    Form-Encoded Body Parameter  Authorization  Bearer mytoken123 URI Query Parameter  access token mytoken123   So it s possible to pass many Bearer Token with URI  but doing this is discouraged  see section 5 in the standard

User · Answer

There is another solution for testing APIs on development server    Set HTTP Basic Authentication only for web routes Leave all API routes free from authentication   Web server configuration for nginx and Laravel would be like this       location  api           try files  uri  uri   index php  query string             location             try files  uri  uri   index php  query string           auth basic  Enter password           auth basic user file  path to  htpasswd          Authorization  Bearer will do the job of defending the development server against web crawlers and other unwanted visitors

User · Answer

Try this one to push basic authentication at url   curl -i http   username password dev myapp com api users -H  Authorization  Bearer mytoken123                                      If above one doesn t work  then you have nothing to do with it  So try the following alternates   You can pass the token under another name  Because you are handling the authorization from your Application  So you can easily use this flexibility for this special purpose   curl -i http   dev myapp com api users     -H  Authorization  Basic Ym9zY236Ym9zY28       -H  Application-Authorization  mytoken123    Notice I have changed the header into Application-Authorization  So from your application catch the token under that header and process what you need to do   Another thing you can do is  to pass the token through the POST parameters and grab the parameter s value from the Server side  For example passing token with curl post parameter   -d  auth-token mytoken123

User · Answer

With nginx you can send both tokens like this  even though it s against the standard    Authorization  Basic basic-token Bearer bearer-token   This works as long as the basic token is first - nginx successfully forwards it to the application server   And then you need to make sure your application can properly extract the Bearer from the above string

User · Answer

curl --anyauth       Tells curl to figure out authentication method by itself  and use the   most secure one the remote site claims  to  support  This is done by   first doing a request and checking the response- headers  thus   possibly inducing  an  extra  network  round-trip  This  is  used    instead  of  setting  a  specific authentication method  which you can   do with  --basic   --digest   --ntlm   and   --negotiate

User · Answer

If you are using a reverse proxy such as nginx in between  you could define a custom token  such as X-API-Token   In nginx you would rewrite it for the upstream proxy  your rest api  to be just auth   proxy set header Authorization  http x api token        while nginx can use the original Authorization header to check HTTP AUth

[rest] Basic HTTP and Bearer Token Authentication

Examples related to rest

Examples related to curl

Examples related to basic-authentication

Examples related to access-token

Examples related to restful-authentication