rburgst/okhttp-digest

Send initial request with authentication header

skogl opened this issue · 6 comments

skogl commented

I have a working implementation of okhttp-digest that handles both digest and basic authentication. The problem for me is that it seems as if the initial request does not send an authentication header but instead waits for that initial request to respond with a 401 challenge, and then the next request includes the authentication header. The server handles both unauthenticated as well as authenticated requests, with the difference that unauthenticated requests get a different response (non-protected content) than the authenticated request.
So my question is: is there a way to force using the authentication header on the initial request to avoid being served the unauthenticated response?

For http BASIC auth this is trivial. For digest it's IMHO not so easy since usually the digest is a handshake between server and client where both parties trade nonces. AFAIR there is a way to do that but it would probably require a lot of new code that doesn't exist in okhttp-digest.

skogl commented

Thanks for the reply!

I suspected this was the case. Maybe I can do some other intercept trick in okhttp to "fix" it? Say for instance that if my "require authentication" flag is set I check to see if the authentication header is present in the response and if it's not I simply throw an exception/break the chain. That way anonymous requests only work when the authentication flag is not set.

What do you think of such a solution?

To get preemptive HTTP Basic Authentication you can simply add the basic auth header yourself: https://stackoverflow.com/a/57360804/464773.

Alternatively you can use the https://github.com/rburgst/okhttp-digest/blob/master/src/main/java/com/burgstaller/okhttp/AuthenticationCacheInterceptor.java and pre-inject the HTTP Basic Authentication.

As said earlier, this won't work for digest as currently there is no way to pre-authenticate digest authentication.

The only thing that you could do for digest auth is to make a first request directly to a server endpoint that produces a 401.
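The following is an added example, not code from this issue or from the okhttp-digest project, that puts the two suggestions above together with the "require authentication" guard proposed earlier in the thread: a preemptive Basic interceptor that attaches `Authorization` before the first round trip (and refuses to do so over plaintext `http`), the digest setup from the project's README primed by one request to an endpoint known to answer 401, and an application interceptor that fails closed whenever the final response was produced by a request that carried no `Authorization` header, which is exactly the "anonymous content served instead of the protected content" case. The usernames, passwords and URLs are placeholders; the class names come from `okhttp3` and `com.burgstaller.okhttp`.

```java
import java.io.IOException;
import java.util.Map;
import java.util.concurrent.ConcurrentHashMap;

import com.burgstaller.okhttp.AuthenticationCacheInterceptor;
import com.burgstaller.okhttp.CachingAuthenticatorDecorator;
import com.burgstaller.okhttp.digest.CachingAuthenticator;
import com.burgstaller.okhttp.digest.DigestAuthenticator;
import okhttp3.Credentials;
import okhttp3.Interceptor;
import okhttp3.OkHttpClient;
import okhttp3.Request;
import okhttp3.Response;

public final class PreemptiveAuthExample {

    /** Preemptive HTTP Basic: send the header on the very first request. */
    static final class PreemptiveBasicAuthInterceptor implements Interceptor {
        private final String basicHeaderValue;

        PreemptiveBasicAuthInterceptor(String user, String password) {
            this.basicHeaderValue = Credentials.basic(user, password);
        }

        @Override
        public Response intercept(Chain chain) throws IOException {
            Request original = chain.request();
            // Basic credentials are only base64-encoded; never volunteer them over plaintext.
            if (!original.isHttps()) {
                throw new IOException("refusing to send Basic credentials over plaintext http");
            }
            // Respect a header that an earlier interceptor or the caller already set.
            if (original.header("Authorization") != null) {
                return chain.proceed(original);
            }
            Request authenticated = original.newBuilder()
                    .header("Authorization", basicHeaderValue)
                    .build();
            return chain.proceed(authenticated);
        }
    }

    /**
     * The "require authentication" guard: application interceptors see the final
     * response after OkHttp's authenticator retry, so response.request() is the
     * request that actually produced it. If that request carried no Authorization
     * header, the server answered anonymously and we refuse the body.
     */
    static final class RequireAuthenticatedResponseInterceptor implements Interceptor {
        @Override
        public Response intercept(Chain chain) throws IOException {
            Response response = chain.proceed(chain.request());
            if (response.request().header("Authorization") == null) {
                response.close();
                throw new IOException("server served unauthenticated content for "
                        + response.request().url());
            }
            return response;
        }
    }

    /** Digest setup as in the okhttp-digest README, plus the fail-closed guard. */
    static OkHttpClient digestClient(String user, String password) {
        Map<String, CachingAuthenticator> authCache = new ConcurrentHashMap<>();
        DigestAuthenticator digest = new DigestAuthenticator(
                new com.burgstaller.okhttp.digest.Credentials(user, password));
        return new OkHttpClient.Builder()
                .authenticator(new CachingAuthenticatorDecorator(digest, authCache))
                // Outermost: re-applies cached digest credentials to later requests.
                .addInterceptor(new AuthenticationCacheInterceptor(authCache))
                // Inner: rejects any response that came back without credentials in play.
                .addInterceptor(new RequireAuthenticatedResponseInterceptor())
                .build();
    }

    /**
     * Prime the digest cache once against an endpoint that always challenges with 401,
     * so subsequent requests to the same host carry the Authorization header from the start.
     */
    static void primeDigestCache(OkHttpClient client, String alwaysProtectedUrl) throws IOException {
        Request probe = new Request.Builder().url(alwaysProtectedUrl).build();
        try (Response r = client.newCall(probe).execute()) {
            if (!r.isSuccessful()) {
                throw new IOException("priming request failed with HTTP " + r.code());
            }
        }
    }

    public static void main(String[] args) throws IOException {
        // Placeholder hosts and credentials; replace with your own.
        OkHttpClient basic = new OkHttpClient.Builder()
                .addInterceptor(new PreemptiveBasicAuthInterceptor("user", "secret"))
                .addInterceptor(new RequireAuthenticatedResponseInterceptor())
                .build();
        try (Response r = basic.newCall(new Request.Builder()
                .url("https://example.invalid/content").build()).execute()) {
            System.out.println("basic: HTTP " + r.code());
        }

        OkHttpClient digest = digestClient("user", "secret");
        primeDigestCache(digest, "https://example.invalid/always-401");
        try (Response r = digest.newCall(new Request.Builder()
                .url("https://example.invalid/content").build()).execute()) {
            System.out.println("digest: HTTP " + r.code());
        }
    }
}
```

Interceptor order matters: the first interceptor added is the outermost, so the cache interceptor injects cached digest credentials before the guard inspects the request, and the guard only ever sees the final response (after any 401 retry). For an endpoint that quietly serves anonymous content with 200, no challenge occurs, the request reaches the server without `Authorization`, and the guard throws instead of handing back the unprotected body.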

skogl commented

Yes, thank you. Before using this package I was adding my own interceptor for basic authentication. The issue I'm having is when a server can handle both anonymous and logged in content and I want to force the logged in content.

I understand what you are saying. I will do some more tests before dropping this entirely.

skogl commented

Is this issue Fixed or just Closed (Completed)?

As I didn't get any more feedback I closed this ticket.