Web Connection 6.0
I'm trying to receive a Basic Authorization header and I'm puzzled.
Here's the client-side code...
DO wwhttp.prg
loHTTP = CREATEOBJECT("wwHTTP")
lcUserID = "carl"
lcPassword = "test"
*lcHeader = "Basic " + STRCONV(lcUserID + ":" + lcPassword, 13)
lcHeader = "Basic " + lcUserID + ":" + lcPassword && simplify it for now
loHTTP.AddHeader("Authorization",lcHeader)
lcURL = "http://localhost/psparts/testpage.psp"
lcResponse = loHTTP.HTTPGet(m.lcURL)
MESSAGEBOX(lcResponse)
Here's the server-side code...
FUNCTION TestPage()
*******************
* Echo back whatever Authorization header reached the application
lcAuthHeader = Request.ServerVariables("HTTP_AUTHORIZATION")
Response.Write(lcAuthHeader)
ENDFUNC
Here's the response...
Negotiate oXcwdaADCgEBoloEWE5UTE1TU1AAAwAAAAAAAABYAAAAAAAAAFgAAAAAAAAAWAAAAAAAAABYAAAAAAAAAFgAAAAAAAAAWAAAABXCiOIGAbEdAAAADzB1v5z1H/tJYl0D4C89tgajEgQQAQAAAB9pVbNwANPmAAAAAA==
If I change "Basic" to "AnythingElse" in lcHeader, the response is...
AnythingElse carl:test
This appears to be by design because I get the "Negotiate" response if the word "basic" is found anywhere before the username. I just don't understand why.
More importantly, I need to receive a basic authorization header from another party and I don't know how I can do it. Yes, it will be over SSL but if something other than basic is not overly difficult, I'm open to it.
Thanks,
Carl
Ok, I've been reading all morning and I clearly have a thorough misunderstanding of the whole thing.
I need to allow web sites or desktop clients to access my web API (over SSL) and I've come across varying opinions about custom authorization headers.
This one looks pretty simple...
X-Authorization: UserName APIToken
Is this a good idea?
Thanks,
Carl
There are a few problems here, but it basically boils down to this: You likely have Windows and Basic Authentication enabled in IIS and the server is trying to authenticate against Windows. You're sending arbitrary credentials that are not validating against Windows so the request is getting rejected or pushed up to the next authentication layer which is Windows Auth.
I think the simple solution is to simply disable Basic authentication in IIS, which then causes the header to just pass through to your application.
Note this may cause some other problems with Admin request authentication however, so it might take some experimentation to catch the right balance.
If you have a choice I would think about some other authentication mechanism. Use a token or pass a custom string as your AnythingElse.
+++ Rick ---
Yep, you've summed it up pretty well. I got into some unfamiliar territory and had no idea what was going on.
After a day of reading online, I think I'll just use a token for the authorization. If it's good enough for Stripe, it's good enough for me.
Thanks,
Carl
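As an added example (not code from this thread or from Web Connection), this Python code shows what the application has to do with the raw Authorization value once IIS passes it through: decode a real Basic header (base64 of user:password, as in the commented-out STRCONV(..., 13) line above), accept a custom token scheme, ignore Negotiate, and compare secrets in constant time. The scheme name "Token", the sample token and the function names are assumptions made for illustration.

```python
import base64, binascii, hashlib, hmac

# Constructed sample store: user -> SHA-256 hex of the API token (raw token is never stored).
TOKEN_HASHES = {"carl": hashlib.sha256(b"constructed-sample-token").hexdigest()}

def basic_header(user, password):
    """Client side: a valid Basic value is base64("user:password")."""
    return "Basic " + base64.b64encode(f"{user}:{password}".encode()).decode()

def decode_basic(credentials):
    """Return (user, password), or None if the value is not valid base64 of user:password."""
    try:
        raw = base64.b64decode(credentials, validate=True).decode("utf-8")
    except (binascii.Error, UnicodeDecodeError):
        return None
    user, sep, password = raw.partition(":")
    return (user, password) if sep and user else None

def authenticate(header):
    """Return the authenticated user name, or None. The API token is the Basic password."""
    scheme, _, creds = (header or "").strip().partition(" ")
    scheme, creds = scheme.lower(), creds.strip()
    if scheme == "basic":
        pair = decode_basic(creds)
    elif scheme == "token":          # hypothetical custom scheme: "Token UserName APIToken"
        user, sep, token = creds.partition(" ")
        pair = (user, token.strip()) if sep else None
    else:
        return None                  # e.g. Negotiate: not an application-level scheme
    if pair is None:
        return None
    user, secret = pair
    expected = TOKEN_HASHES.get(user, "")
    supplied = hashlib.sha256(secret.encode()).hexdigest()
    # Constant-time comparison avoids leaking how much of the hash matched.
    return user if hmac.compare_digest(supplied, expected) else None

if __name__ == "__main__":
    print(authenticate(basic_header("carl", "constructed-sample-token")))  # valid Basic
    print(authenticate("Basic carl:test"))         # un-encoded form from the test client
    print(authenticate("Token carl constructed-sample-token"))
```
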