Custom HTTP Authorization Header

Question

I was wondering if it s acceptable to put custom data in an HTTP authorization header  We re designing a RESTful API and we may need a way to specify a custom method of authorization  As an example  let s call it FIRE-TOKEN authentication   Would something like this be valid and allowed according to the spec  Authorization  FIRE-TOKEN 0PN5J17HBGZHT7JJ3X82 frJIUN8DYpKDtOLCwo  yllqDzg   The first part of the second string  before the      is the API key  the second part is a hash of query string

User · Answer

Put it in a separate  custom header    Overloading the standard HTTP headers is probably going to cause more confusion than it s worth  and will violate the principle of least surprise  It might also lead to interoperability problems for your API client programmers who want to use off-the-shelf tool kits that can only deal with the standard form of typical HTTP headers  such as Authorization

User · Answer

The format defined in RFC2617 is credentials   auth-scheme  auth-param  So  in agreeing with fumanchu  I think the corrected authorization scheme would look like  Authorization  FIRE-TOKEN apikey  0PN5J17HBGZHT7JJ3X82   hash  frJIUN8DYpKDtOLCwo  yllqDzg     Where FIRE-TOKEN is the scheme and the two key-value pairs are the auth parameters  Though I believe the quotes are optional  from Apendix B of p7-auth-19      auth-param   token BWS     BWS   token   quoted-string     I believe this fits the latest standards  is already in use  see below   and provides a key-value format for simple extension  if you need additional parameters    Some examples of this auth-param syntax can be seen here     http   tools ietf org html draft-ietf-httpbis-p7-auth-19 section-4 4  https   developers google com youtube 2 0 developers guide protocol clientlogin  https   developers google com accounts docs AuthSub WorkingAuthSub

User · Answer

No  that is not a valid production according to the  credentials  definition in RFC 2617  You give a valid auth-scheme  but auth-param values must be of the form token       token   quoted-string    see section 1 2   and your example doesn t use     that way

User · Answer

Old question I know  but for the curious   Believe it or not  this issue was solved  2 decades ago with HTTP BASIC  which passes the value as base64 encoded username password   See http   en wikipedia org wiki Basic access authentication Client side   You could do the same  so that the example above would become   Authorization  FIRE-TOKEN MFBONUoxN0hCR1pIVDdKSjNYODI6ZnJKSVVOOERZcEtEdE9MQ3dvLy95bGxxRHpnPQ

[http] Custom HTTP Authorization Header

Examples related to http

Examples related to rest

Examples related to header

Examples related to authorization