SyntaxFix

[rest] Basic HTTP and Bearer Token Authentication

I am currently developing a REST-API which is HTTP-Basic protected for the development environment. As the real authentication is done via a token, I'm still trying to figure out, how to send two authorization headers.

I have tried this one:

curl -i http://dev.myapp.com/api/users \
  -H "Authorization: Basic Ym9zY236Ym9zY28=" \
  -H "Authorization: Bearer mytoken123"

I could for example disable the HTTP-Authentication for my IP but as I usually work in different environments with dynamic IPs, this is not a good solution. So am I missing something?

This question is related to rest curl basic-authentication access-token restful-authentication

The answer is

curl --anyauth

Tells curl to figure out authentication method by itself, and use the most secure one the remote site claims to support. This is done by first doing a request and checking the response- headers, thus possibly inducing an extra network round-trip. This is used instead of setting a specific authentication method, which you can do with --basic, --digest, --ntlm, and --negotiate.

Standard (https://tools.ietf.org/html/rfc6750) says you can use:

  • Form-Encoded Body Parameter: Authorization: Bearer mytoken123
  • URI Query Parameter: access_token=mytoken123

So it's possible to pass many Bearer Token with URI, but doing this is discouraged (see section 5 in the standard).

With nginx you can send both tokens like this (even though it's against the standard):

Authorization: Basic basic-token,Bearer bearer-token

This works as long as the basic token is first - nginx successfully forwards it to the application server.

And then you need to make sure your application can properly extract the Bearer from the above string.

If you are using a reverse proxy such as nginx in between, you could define a custom token, such as X-API-Token.

In nginx you would rewrite it for the upstream proxy (your rest api) to be just auth:

proxy_set_header Authorization $http_x_api_token;

... while nginx can use the original Authorization header to check HTTP AUth.

There is another solution for testing APIs on development server.

  • Set HTTP Basic Authentication only for web routes
  • Leave all API routes free from authentication

Web server configuration for nginx and Laravel would be like this:

    location /api {
        try_files $uri $uri/ /index.php?$query_string;
    }

    location / {
        try_files $uri $uri/ /index.php?$query_string;

        auth_basic "Enter password";
        auth_basic_user_file /path/to/.htpasswd;
    }

Authorization: Bearer will do the job of defending the development server against web crawlers and other unwanted visitors.

I had a similar problem - authenticate device and user at device. I used a Cookie header alongside an Authorization: Bearer... header. One header authenticated the device, the other authenticated the user. I used a Cookie header because these are commonly used for authentication.

Try this one to push basic authentication at url:

curl -i http://username:[email protected]/api/users -H "Authorization: Bearer mytoken123"
               ^^^^^^^^^^^^^^^^^^

If above one doesn't work, then you have nothing to do with it. So try the following alternates.

You can pass the token under another name. Because you are handling the authorization from your Application. So you can easily use this flexibility for this special purpose.

curl -i http://dev.myapp.com/api/users \
  -H "Authorization: Basic Ym9zY236Ym9zY28=" \
  -H "Application-Authorization: mytoken123"

Notice I have changed the header into Application-Authorization. So from your application catch the token under that header and process what you need to do.

Another thing you can do is, to pass the token through the POST parameters and grab the parameter's value from the Server side. For example passing token with curl post parameter:

-d "auth-token=mytoken123"

Source: Stackoverflow.com

Examples related to rest

Access blocked by CORS policy: Response to preflight request doesn't pass access control check Returning data from Axios API Access Control Origin Header error using Axios in React Web throwing error in Chrome JSON parse error: Can not construct instance of java.time.LocalDate: no String-argument constructor/factory method to deserialize from String value How to send json data in POST request using C# How to enable CORS in ASP.net Core WebAPI RestClientException: Could not extract response. no suitable HttpMessageConverter found REST API - Use the "Accept: application/json" HTTP Header 'Field required a bean of type that could not be found.' error spring restful API using mongodb MultipartException: Current request is not a multipart request

Examples related to curl

What is the incentive for curl to release the library for free? curl: (35) error:1408F10B:SSL routines:ssl3_get_record:wrong version number Converting a POSTMAN request to Curl git clone error: RPC failed; curl 56 OpenSSL SSL_read: SSL_ERROR_SYSCALL, errno 10054 How to post raw body data with curl? Curl : connection refused How to use the curl command in PowerShell? Curl to return http status code along with the response How to install php-curl in Ubuntu 16.04 curl: (35) SSL connect error

Examples related to basic-authentication

Use Invoke-WebRequest with a username and password for basic authentication on the GitHub API How to define the basic HTTP authentication using cURL correctly? Spring Security exclude url patterns in security annotation configurartion Basic HTTP and Bearer Token Authentication HTTP Error 401.2 - Unauthorized You are not authorized to view this page due to invalid authentication headers Calling a rest api with username and password - how to What is the "realm" in basic authentication How to prevent browser to invoke basic auth popup and handle 401 error using Jquery? Proxy Basic Authentication in C#: HTTP 407 error What is the difference between Digest and Basic Authentication?

Examples related to access-token

Sending the bearer token with axios Basic HTTP and Bearer Token Authentication python request with authentication (access_token) Not receiving Google OAuth refresh token How to refresh token with Google API client? Get refresh token google api Facebook Access Token for Pages facebook Uncaught OAuthException: An active access token must be used to query information about the current user Why Does OAuth v2 Have Both Access and Refresh Tokens?

Examples related to restful-authentication

Basic HTTP and Bearer Token Authentication RESTful web service - how to authenticate requests from other services? Do sessions really violate RESTfulness? How to secure RESTful web services? RESTful Authentication

Tags

Pyro Dbd Drawrect Fields-for Clipper Humanize Web-container Invalid-url Writers Color-blending Reference-type Quaternions Shared-data Functional-testing higher-order-components Nativewindow Peaberry Getaddrinfo-a Hourglass Vimpulse Dhcpobjs Action-caching Login Asio Log4cpp Monochrome Continuous-forms Validationerror Arraybuffer Vanity-url Http-response-codes Imagick Static-content Long-running-processes Pow Subquery Coded-ui-tests Openform Static-site Shark Non-web Fluent-interface Vxworks Ocsp Persistence.xml Datapersistance Opengl-es Nspanel Webclient.uploaddata Jpgraph Precompiling Wisa Httplib Min-heap Key-value-coding Isolation Cdc 7-bit Adaption Lockless Nspredicateeditor Unsafe Flash-media-server Opencascade Hierarchyid Generics Dll-injection Future Big-o Applescript-studio Feedburner Detailsview Php-socket Biztalk-mapper Payment-processing Luasocket Javabeans Qtableview Topic-maps Lvalue-to-rvalue Dirtyrectangle Keyboard Lame Data-exchange Objectinstantiation Money-format Refinerycms Odf Ones-complement Pyopengl Google-voice Instant-message Http-status-code-307 Approximate-nn-searching Linker-warning Database-design Highlight Counter-cache Media-queries Mmx