-
Notifications
You must be signed in to change notification settings - Fork 46
WWW-Authenticate:x-Basic instead Basic #33
Comments
Took a bit of research to figure out what you were getting at, but I think it's this: In other words, instead of: HTTP/1.1 200 OK
WWW-Authenticate: Basic realm=api We'd send this: HTTP/1.1 200 OK
WWW-Authenticate: xBasic realm=api (and similarly for Digest). @ezimuel What are your thoughts? This would break any services that you also decide to expose as HTML (as the authentication challenge dialog would never be presented), but would make it work properly when you are trying to access the API service via a browser. That said... I've used Angular to access APIs that have HTTP Basic or Digest authentication, and not seen any request for a popup when making XHR requests. What library are you using when you see this, @fabioginzel ? and what browser/OS combination(s)? |
@weierophinney this occurs if you use a standard xhr in javascript without sending the authentication header. @fabioginzel did you try to set the Authorization header before the send? Here there is an example using jquery: http://blog.rassemblr.com/2011/05/jquery-ajax-and-rest-http-basic-authentication-done-deal/ |
@weierophinney I'm using Chrome 35 in Ubuntu 14.04 and AngularJS |
Help-me :) |
@fabioginzel We're still researching. We'll update here when we have any fixes. Changing the header at this point, however, could have backwards breaking implications for existing users, so we need to choose an approach carefully. |
An approach could be:
About backward compatibilityIt is currently possible to setup an authentication adapter per API. Thus, I don't see any problem there. The developer could setup an HTTP authentication adapter for a specific API/VERSION. Anyway, generally, API calls are never made through a browser. They are done through a specific user agent such as cURL, API client library or even XHR call and all doesn't care about challenge box. They only have interest in HTTP status code (401 here) and the WWW-Authenticate header to known which schemes are available. |
This repository has been closed and moved to laminas-api-tools/api-tools-mvc-auth; a new issue has been opened at laminas-api-tools/api-tools-mvc-auth#23. |
In Chrome when we return WWW-Authenticate:Basic and 401 status in xhr request it show a popup, to not show the popup must return x-base.
Sorry about my english
The text was updated successfully, but these errors were encountered: