West Wind Internet and Client Tools
wwHTTP Basic authorization header problem
  Carl Chambers
  All
  Feb 6, 2017 @ 10:02pm

Web Connection 6.0
I'm trying to receive a Basic Authorization header and I'm puzzled.
Here's the client-side code...

DO wwhttp.prg
loHTTP = CREATEOBJECT("wwHTTP")

lcUserID = "carl"
lcPassword = "test"
*lcHeader = "Basic " + STRCONV(lcUserID + ":" + lcPassword, 13)
lcHeader = "Basic " + lcUserID + ":" + lcPassword   && simplify it for now
loHTTP.AddHeader("Authorization",lcHeader)

lcURL = "http://localhost/psparts/testpage.psp"
lcResponse = loHTTP.HTTPGet(m.lcURL)
MESSAGEBOX(lcResponse)

Here's the server-side code...

FUNCTION TestPage()
*******************
lcAuthHeader = Request.ServerVariables("HTTP_AUTHORIZATION")
Response.Write(lcAuthHeader)
ENDFUNC

Here's the response...

Negotiate oXcwdaADCgEBoloEWE5UTE1TU1AAAwAAAAAAAABYAAAAAAAAAFgAAAAAAAAAWAAAAAAAAABYAAAAAAAAAFgAAAAAAAAAWAAAABXCiOIGAbEdAAAADzB1v5z1H/tJYl0D4C89tgajEgQQAQAAAB9pVbNwANPmAAAAAA==

If I change "Basic" to "AnythingElse" in lcHeader, the response is...

AnythingElse carl:test

This appears to be by design because I get the "Negotiate" response if the word "basic" is found anywhere before the username. I just don't understand why.

More importantly, I need to receive a basic authorization header from another party and I don't know how I can do it. Yes, it will be over SSL but if something other than basic is not overly difficult, I'm open to it.

Thanks,
Carl

re: wwHTTP Basic authorization header problem
  Carl Chambers
  Carl Chambers
  Feb 7, 2017 @ 09:45am

Ok, I've been reading all morning and I clearly have a thorough misunderstanding of the whole thing.
I need to allow web sites or desktop clients to access my web API (over SSL) and I've come across varying opinions about custom authorization headers.

This one looks pretty simple...

X-Authorization: UserName APIToken

Is this a good idea?

Thanks,
Carl

re: wwHTTP Basic authorization header problem
  Rick Strahl
  Carl Chambers
  Feb 7, 2017 @ 06:22pm

There are a few problems here, but it basically boils down to this: You likely have Windows and Basic Authentication enabled in IIS and the server is trying to authenticate against Windows. You're sending arbitrary credentials that are not validating against Windows so the request is getting rejected or pushed up to the next authentication layer which is Windows Auth.

I think the simple solution is to simply disable Basic authentication in IIS, which then causes the header to just pass through to your application.

Note this may cause some other problems with Admin request authentication however, so it might take some experimentation to catch the right balance.

If you have a choice I would think about some other authentication mechanism. Use a token or pass a custom string as your AnythingElse.

+++ Rick ---

re: wwHTTP Basic authorization header problem
  Carl Chambers
  Rick Strahl
  Feb 7, 2017 @ 07:47pm

Yep, you've summed it up pretty well. I got into some unfamiliar territory and had no idea what was going on.

After a day of reading online, I think I'll just use a token for the authorization. If it's good enough for Stripe, it's good enough for me.

Thanks,
Carl
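
Added example, not part of the thread and not West Wind's code: one way the server side could take the header apart once IIS passes it through, covering both a properly encoded Basic header (what the commented-out STRCONV(..., 13) line in the first post would build) and a custom scheme of the kind Rick suggests. ParseAuthHeader, SecureEquals and the "Token" scheme name are hypothetical; only STRCONV() and the Request.ServerVariables() call come from the posts above.

```foxpro
* Added example. ParseAuthHeader, SecureEquals and the "Token" scheme
* are hypothetical names, not Web Connection APIs.
* Usage inside a process method (pass the output parameters by reference):
*   lcHeader = Request.ServerVariables("HTTP_AUTHORIZATION")
*   llOk = ParseAuthHeader(lcHeader, @lcScheme, @lcUser, @lcSecret)

FUNCTION ParseAuthHeader(tcHeader, rcScheme, rcUser, rcSecret)
LOCAL lcCreds, lnAt
STORE "" TO rcScheme, rcUser, rcSecret
IF VARTYPE(tcHeader) <> "C"
   RETURN .F.
ENDIF
tcHeader = ALLTRIM(tcHeader)
lnAt = AT(" ", tcHeader)
IF lnAt = 0
   RETURN .F.                        && no "<scheme> <credentials>" pair
ENDIF
rcScheme = UPPER(LEFT(tcHeader, lnAt - 1))   && scheme names are case-insensitive
lcCreds  = ALLTRIM(SUBSTR(tcHeader, lnAt + 1))
DO CASE
CASE rcScheme == "BASIC"
   lcCreds = STRCONV(lcCreds, 14)    && 14 = Base64 decode (13 encodes)
   lnAt = AT(":", lcCreds)           && split on the FIRST colon only,
   IF lnAt < 2                       && the password may contain ":"
      RETURN .F.
   ENDIF
   rcUser   = LEFT(lcCreds, lnAt - 1)
   rcSecret = SUBSTR(lcCreds, lnAt + 1)
CASE rcScheme == "TOKEN"
   rcSecret = lcCreds                && opaque API token, no user part
OTHERWISE
   RETURN .F.                        && e.g. Negotiate: not handled here
ENDCASE
RETURN !EMPTY(rcSecret)
ENDFUNC

* Compare two secrets without stopping at the first differing byte.
FUNCTION SecureEquals(tcA, tcB)
LOCAL lnI, lnDiff
lnDiff = BITXOR(LEN(tcA), LEN(tcB))
FOR lnI = 1 TO MIN(LEN(tcA), LEN(tcB))
   lnDiff = BITOR(lnDiff, BITXOR(ASC(SUBSTR(tcA, lnI, 1)), ASC(SUBSTR(tcB, lnI, 1))))
ENDFOR
RETURN lnDiff = 0
ENDFUNC
```

After a successful parse, check rcSecret against the stored value with SecureEquals() rather than `=` or `==`, and treat any .F. result as an unauthenticated request.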
