Buy commercial curl support. We
help you work out your issues, debug your libcurl applications, use the API,
port to new platforms, add new features and more. With a team lead by the
curl founder Daniel himself.
Re: netrc Bearer Token Support?
- Contemporary messages sorted: [ by date ] [ by thread ] [ by subject ] [ by author ] [ by messages with attachments ]
From: Jeffrey Walton via curl-users <curl-users_at_lists.haxx.se>
Date: Tue, 16 Sep 2025 09:39:30 -0400
On Tue, Sep 16, 2025 at 7:32 AM Bastian Jesuiter via curl-users
<curl-users_at_lists.haxx.se> wrote:
>
> I am regularly using bearer tokens to access multiple apis instead of basic auth.
>
> The netrc file only seems to support basic auth,
> Would it be possible (for curl) to parse the "password" field as "Bearer" token, either implicitly or explicitly (by adding the bearer at the beginning of the password field), when the login field is missing?
>
> Alternatively are there RFCs for the dotnetrc file where the parsing rules are defined?
> Or is this more of a silent agreement for the format?
>
> A lot of services are transitioning away from basic auth.
I don't know if there's a RFC covering the netrc file. I suspect not
based on a quick search of IETF documents.
Related to your question... Most (all?) IETF protocols that were
designed to use basic auth schemes, like email, will not receive an
update to handle a second factor, like OTP codes or TOTP and HOTP
codes. Instead, SASL is used to provide the additional authentication
factor. See RFC 4422, Simple Authentication and Security Layer (SASL),
<https://datatracker.ietf.org/doc/html/rfc4422>.
And SASL would explain why many email services still only use a
username and password. There's nothing "simple" about SASL.
Jeff
Date: Tue, 16 Sep 2025 09:39:30 -0400
On Tue, Sep 16, 2025 at 7:32 AM Bastian Jesuiter via curl-users
<curl-users_at_lists.haxx.se> wrote:
>
> I am regularly using bearer tokens to access multiple apis instead of basic auth.
>
> The netrc file only seems to support basic auth,
> Would it be possible (for curl) to parse the "password" field as "Bearer" token, either implicitly or explicitly (by adding the bearer at the beginning of the password field), when the login field is missing?
>
> Alternatively are there RFCs for the dotnetrc file where the parsing rules are defined?
> Or is this more of a silent agreement for the format?
>
> A lot of services are transitioning away from basic auth.
I don't know if there's a RFC covering the netrc file. I suspect not
based on a quick search of IETF documents.
Related to your question... Most (all?) IETF protocols that were
designed to use basic auth schemes, like email, will not receive an
update to handle a second factor, like OTP codes or TOTP and HOTP
codes. Instead, SASL is used to provide the additional authentication
factor. See RFC 4422, Simple Authentication and Security Layer (SASL),
<https://datatracker.ietf.org/doc/html/rfc4422>.
And SASL would explain why many email services still only use a
username and password. There's nothing "simple" about SASL.
Jeff
-- Unsubscribe: https://lists.haxx.se/mailman/listinfo/curl-users Etiquette: https://curl.se/mail/etiquette.htmlReceived on 2025-09-16