tags:

views:

18

answers:

1
Q: 

Multiple authentication schemes for HTTP 'Authorization' Header

For our api user we need two styles of authentication:

  • authenticate the api-user (mobile-device, partner integration)
  • authenticate a specific "normal" user, which owns data on our side

The standard challenge vs. response is handled through WWW-Authenticate and Authorization Headers. I want to reuse this.

I have following use-case: On first level we authenticate the api-user (e.g. mobile device), for some api-actions we also need to authenticate a user (e.g. user of mobile device). So we have a special case where we need two authentications schemes "at once".

Looking at http://www.w3.org/Protocols/rfc2616/rfc2616-sec14.html I cannot see that having two different schemes inside one 'Authorization' Header is possible.


// I just made up delimiter ';'
Authorization: Digest .... ; CustomXXX ...

Am I correct, if so is there an alternative?

+1  A: 

No, Authorization can only take one set of credentials.

Julian Reschke  2010-09-21 15:58:41
Yeah, for that reason I cannot reuse the WWW-Authenticate for my problem but go for a custom X-xxx Authentication scoped Header.
manuel aldana  2010-09-24 22:03:12

related questions

Retrieving HTTP status code from loaded iframe with Javascript
How to specify an authenticated proxy for a python http connection?
Why does HttpCacheability.Private suppress ETags?
How to respond to an alternate URI in a RESTful web service
Is there a reason to use BufferedReader over InputStreamReader when reading all characters?
What would be a good, windows and iis (http) based distributed version control system
Database query representation impersonating file on Windows share?
How do I use NTLM authentication with Active Directory
Process raw HTTP request content
How would you implement FORM based authentication without a backing database?
Reading "chunked" response with HttpWebResponse
Best way to let users download a file from my website: http or ftp
How do I convert a date to a HTTP-formatted date in .Net / C#
What is the best way to upload a file via an HTTP POST with a web form?
How do I stop IIS7 dropping my cookies?
Checking FTP status codes with a PHP script.
HTTP Libraries for Emacs
Accessing post variables using Java Servlets
HTTP: Generating ETag Header
HTTP: How to know when to send a 304 Not Modified response
How do I best detect an ASP.NET expired session?
How can I make the browser see CSS and Javascript changes?
How to curl or wget a web page?
The Definitive Guide To Website Authentication
Implementation of "Remember me" in a Rails application.