curl-library
Re: Problem with DIGEST and multiple authorization headers
Date: Mon, 10 Jul 2017 14:30:15 +0200
As I am not a developer, I am not sure how to do such an API. We use the
Curl as a command line tool and integrated in an open source REST testing
client.
(By the way, the developer of our testing client, which is based on
libcurl, would like to implement the realm aware auth API, as soon as this
is available.)
For the before-hand approach I could envision an API like this:
If useful add a new parameter (bitmask) in option CURLOPT_HTTPAUTH
(alternativly :
CURLAUTH_DIGEST_REALM
HTTP Digest authentication with specific realm(s).
(Alternatively, the realm aware authentication could be set implicitly
when the next parameter is set.)
(New) Option "CURLOPT_REALM"
SYNOPSIS:
CURLcode curl_easy_setopt(CURL *handle, CURLOPT_REALM, char
*authenticationrealm);
EXAMPLE:
CURL *curl = curl_easy_init();
if(curl) {
CURLcode ret;
curl_easy_setopt(curl, CURLOPT_URL, "https://example.com/");
/* set realm aware authentication */
curl_easy_setopt(curl, CURLOPT_HTTPAUTH, CURLAUTH_DIGEST_REALM );
curl_easy_setopt(curl, CURLOPT_REALM, "RealmT1" );
curl_easy_setopt(curl, CURLOPT_USERPWD, "james:bond");
ret = curl_easy_perform(curl);
}
For the command line I would also suggest an extra option to be able to set
the realm beforehand, which can be used in combination with --digest and
--user for example:
--realm <authentication-realm>
(HTTP) Enables HTTP realm aware Digest authentication. Tells libcurl
upfront which realm(s) are interesting, and have libcurl automatically pick
the first that matches and ignore the rest. Use this in combination with
--digest and the normal -u, --user
<https://curl.haxx.se/docs/manpage.html#-u> options to set the
authentication method as well as user name and password.
What do you think about the approach?
2017-07-07 12:04 GMT+02:00 Daniel Stenberg <daniel_at_haxx.se>:
> On Thu, 22 Jun 2017, Daniel Schwarz via curl-library wrote:
>
> Yes, I agree with you. The round-trip in case of 401s is actually not an
>> efficient way for authentication. Whenever multiple authentication headers
>> come into place, the user should know which realm to use. So we should
>> focus on setting one realm directly. In our use cases we always know the
>> realm before. So it would be completely fine. On client side I would assume
>> to get the option of setting a specific Realm as an authentication
>> parameter. I cannot evaluate how it is best to implement in libcurl. The
>> callback also sounds like a good approach. I could imagine in case of a
>> failed auth due to a differing realm the client could give a more accurate
>> feedback to the user.
>>
>
> So if you got to decide how to do such an API, entirely for your own use
> case, how do you envision it would work?
>
> I've started writing down the background and the current limitations in a
> wiki page:
>
> https://github.com/curl/curl/wiki/Realm-aware-auth-API
>
> ... as you can see, there's no details for the suggested API just yet!
>
> --
>
> / daniel.haxx.se
>
-------------------------------------------------------------------
Unsubscribe: https://cool.haxx.se/list/listinfo/curl-library
Etiquette: https://curl.haxx.se/mail/etiquette.html
Received on 2017-07-10