views:

18

answers:

1

For our api user we need two styles of authentication:

  • authenticate the api-user (mobile-device, partner integration)
  • authenticate a specific "normal" user, which owns data on our side

The standard challenge vs. response is handled through WWW-Authenticate and Authorization Headers. I want to reuse this.

I have following use-case: On first level we authenticate the api-user (e.g. mobile device), for some api-actions we also need to authenticate a user (e.g. user of mobile device). So we have a special case where we need two authentications schemes "at once".

Looking at http://www.w3.org/Protocols/rfc2616/rfc2616-sec14.html I cannot see that having two different schemes inside one 'Authorization' Header is possible.


// I just made up delimiter ';'
Authorization: Digest .... ; CustomXXX ...

Am I correct, if so is there an alternative?

+1  A: 

No, Authorization can only take one set of credentials.

Julian Reschke
Yeah, for that reason I cannot reuse the WWW-Authenticate for my problem but go for a custom X-xxx Authentication scoped Header.
manuel aldana