okhttp-digest

Send initial request with authentication header

Open skogl opened this issue 3 years ago • 4 comments

I have a working implementation of okhttp-digest that handles both digest and basic authentication. The problem for me is that it seems as if the initial request does not send an authentication header but instead waits for that initial request to respond with a 401 challenge, and then the next request includes the authentication header. The server handles both unauthenticated as well as authenticated requests, with the difference that unauthenticated requests get a different response (non-protected content) than the authenticated request. So my question is: is there a way to force using the authentication header on the initial request to avoid being served the unauthenticated response?

skogl, Jun 25 '21 08:06

For http BASIC auth this is trivial. For digest it's IMHO not so easy since usually the digest is a handshake between server and client where both parties trade nonces. AFAIR there is a way to do that but it would probably require a lot of new code that doesn't exist in okhttp-digest.

rburgst, Jun 25 '21 08:06

Thanks for the reply!

I suspected this was the case. Maybe I can do some other intercept trick in okhttp to "fix" it? Say for instance that if my "require authentication" flag is set, I check to see if the authentication header is present in the response, and if it's not I simply throw an exception/break the chain. That way anonymous requests only work when the authentication flag is not set.

What do you think of such a solution?

skogl, Jun 26 '21 09:06

To get preemptive HTTP Basic Authentication you can simply add the basic auth header yourself: https://stackoverflow.com/a/57360804/464773.

Alternatively you can use the https://github.com/rburgst/okhttp-digest/blob/master/src/main/java/com/burgstaller/okhttp/AuthenticationCacheInterceptor.java and pre-inject the HTTP Basic Authentication.

As said earlier, this won't work for digest, as currently there is no way to pre-authenticate digest authentication.

The only thing that you could do for digest auth is to make a first request directly to a server endpoint that produces a 401.

rburgst, Jun 27 '21 06:06
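
The two ideas discussed above (preemptive Basic, and failing closed when a successful response was obtained without credentials), sketched as an added example that is not part of the thread or of okhttp-digest. The class name `RequireAuthInterceptor` and its constructor parameters are hypothetical; only standard OkHttp calls are used.

```java
import java.io.IOException;
import okhttp3.Credentials;
import okhttp3.Interceptor;
import okhttp3.Request;
import okhttp3.Response;

/** Hypothetical application interceptor; not part of okhttp-digest. */
public final class RequireAuthInterceptor implements Interceptor {
    private final String host;            // only requests to this host are guarded
    private final String basicCredential; // null = no preemptive Basic (the Digest case)

    public RequireAuthInterceptor(String host, String user, String password, boolean preemptiveBasic) {
        this.host = host;
        this.basicCredential = preemptiveBasic ? Credentials.basic(user, password) : null;
    }

    @Override
    public Response intercept(Chain chain) throws IOException {
        Request request = chain.request();
        if (!request.url().host().equalsIgnoreCase(host)) {
            return chain.proceed(request); // other hosts: untouched, never given credentials
        }
        if (basicCredential != null) {
            if (!request.isHttps()) {
                throw new IOException("refusing to send Basic credentials over cleartext HTTP");
            }
            request = request.newBuilder().header("Authorization", basicCredential).build();
        }
        Response response = chain.proceed(request);
        // For an application interceptor, response.request() is the wire-level request that
        // produced this response, i.e. after any 401 retry done by the client's Authenticator.
        boolean authenticated = response.request().header("Authorization") != null;
        if (response.isSuccessful() && !authenticated) {
            response.close();
            throw new IOException("anonymous response received where authentication is required: "
                    + request.url());
        }
        return response;
    }
}
```

Register it with `OkHttpClient.Builder.addInterceptor(...)`. With `preemptiveBasic` set to `false` it only acts as the guard, so a Digest client gets an error instead of the anonymous content and can first hit an endpoint that answers 401, as suggested above.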

Yes, thank you. Before using this package I was adding my own interceptor for basic authentication. The issue I'm having is when a server can handle both anonymous and logged in content and I want to force the logged in content.

I understand what you are saying. I will do some more tests before dropping this entirely.

skogl, Jul 07 '21 09:07

Is this issue Fixed or just Closed (Completed)?

skogl, Jul 04 '23 10:07

As I didn't get any more feedback I closed this ticket.

rburgst, Jul 04 '23 17:07