
Re: Problem with DIGEST and multiple authorization headers

From: Daniel Schwarz via curl-library <curl-library_at_cool.haxx.se>
Date: Mon, 10 Jul 2017 14:30:15 +0200

As I am not a developer, I am not sure how to do such an API. We use curl as
a command line tool and integrated in an open source REST testing client.

(By the way, the developer of our testing client, which is based on
libcurl, would like to implement the realm aware auth API, as soon as this
is available.)

For the beforehand approach I could envision an API like this:

If useful, add a new parameter (bitmask) in option CURLOPT_HTTPAUTH
(alternatively:

CURLAUTH_DIGEST_REALM

HTTP Digest authentication with specific realm(s).

(Alternatively, the realm aware authentication could be set implicitly
when the next parameter is set.)

(New) Option "CURLOPT_REALM"

SYNOPSIS:

CURLcode curl_easy_setopt(CURL *handle, CURLOPT_REALM, char *authenticationrealm);

EXAMPLE:

CURL *curl = curl_easy_init();
if(curl) {
  CURLcode ret;
  curl_easy_setopt(curl, CURLOPT_URL, "https://example.com/");
  /* set realm aware authentication: CURLAUTH_DIGEST_REALM and CURLOPT_REALM
     are the options proposed in this mail, not existing libcurl symbols */
  curl_easy_setopt(curl, CURLOPT_HTTPAUTH, CURLAUTH_DIGEST_REALM);
  curl_easy_setopt(curl, CURLOPT_REALM, "RealmT1");
  curl_easy_setopt(curl, CURLOPT_USERPWD, "james:bond");
  ret = curl_easy_perform(curl);
  curl_easy_cleanup(curl);
}

For the command line I would also suggest an extra option to be able to set
the realm beforehand, which can be used in combination with --digest and
--user for example:

--realm <authentication-realm>

(HTTP) Enables HTTP realm aware Digest authentication. Tells libcurl
upfront which realm(s) are interesting, and has libcurl automatically pick
the first that matches and ignore the rest. Use this in combination with
--digest and the normal -u, --user
<https://curl.haxx.se/docs/manpage.html#-u> options to set the
authentication method as well as user name and password.

What do you think about the approach?

2017-07-07 12:04 GMT+02:00 Daniel Stenberg <daniel_at_haxx.se>:

> On Thu, 22 Jun 2017, Daniel Schwarz via curl-library wrote:
>
>> Yes, I agree with you. The round-trip in case of 401s is actually not an
>> efficient way for authentication. Whenever multiple authentication headers
>> come into place, the user should know which realm to use. So we should
>> focus on setting one realm directly. In our use cases we always know the
>> realm before. So it would be completely fine. On client side I would assume
>> to get the option of setting a specific Realm as an authentication
>> parameter. I cannot evaluate how it is best to implement in libcurl. The
>> callback also sounds like a good approach. I could imagine in case of a
>> failed auth due to a differing realm the client could give a more accurate
>> feedback to the user.
>>
>
> So if you got to decide how to do such an API, entirely for your own use
> case, how do you envision it would work?
>
> I've started writing down the background and the current limitations in a
> wiki page:
>
> https://github.com/curl/curl/wiki/Realm-aware-auth-API
>
> ... as you can see, there's no details for the suggested API just yet!
>
> --
>
> / daniel.haxx.se
>
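
Added example, not part of this mail and not libcurl's code: the client-side
logic the proposal asks for, written out in Python. Given the WWW-Authenticate
values of a 401 and a realm the caller already knows, it picks the first Digest
challenge for that realm (skipping challenges for other realms, Basic
challenges, and algorithms it cannot compute) and then builds the Authorization
header per RFC 7616 section 3.4. The constructed 401 reuses the two challenges
from RFC 7616 section 3.9.1 so the computed responses can be checked against
the RFC's published values; the second realm "RealmT1", its nonce and the
helper names are assumptions. Only algorithm=MD5 and SHA-256 (no -sess
variants) with qop=auth or no qop are handled.

```python
"""Realm-aware pick among several Digest challenges, then the RFC 7616 response.

Added example: neither the code from the mail nor libcurl's. The constructed
401, the hypothetical realm "RealmT1" and all helper names are assumptions.
"""
import hashlib
import re
import secrets

# Constructed 401: the two challenges from RFC 7616 section 3.9.1 (same realm,
# two algorithms) plus a Digest challenge for a different realm and a Basic one.
SAMPLE_401_HEADERS = [
    'Digest realm="RealmT1", qop="auth", algorithm=MD5, nonce="0a4f113b"',
    'Digest realm="http-auth@example.org", qop="auth, auth-int", algorithm=SHA-256, '
    'nonce="7ypf/xlj9XXwfDPEoM4URrv/xwf94BcCAzFZH4GiTo0v", '
    'opaque="FQhe/qaU925kfnzjCev0ciny7QMkPqMAFRtzCUYo5tdS"',
    'Digest realm="http-auth@example.org", qop="auth, auth-int", algorithm=MD5, '
    'nonce="7ypf/xlj9XXwfDPEoM4URrv/xwf94BcCAzFZH4GiTo0v", '
    'opaque="FQhe/qaU925kfnzjCev0ciny7QMkPqMAFRtzCUYo5tdS"',
    'Basic realm="RealmT1"',
]

HASHES = {"MD5": hashlib.md5, "SHA-256": hashlib.sha256}

# key=token or key="quoted value"; this sample keeps one challenge per header value.
_PARAM_RE = re.compile(r'(\w+)=(?:"([^"]*)"|([^\s,]+))')


def parse_challenge(header_value):
    """Return (scheme, params) for one WWW-Authenticate value; keys lower-cased."""
    scheme, _, rest = header_value.strip().partition(" ")
    params = {}
    for m in _PARAM_RE.finditer(rest):
        params[m.group(1).lower()] = m.group(2) if m.group(2) is not None else m.group(3)
    return scheme.lower(), params


def select_digest_challenge(headers, realm, algorithms=frozenset(HASHES)):
    """First Digest challenge (in server order) for `realm` with a supported algorithm.

    This is the 'know the realm upfront, take the first match, ignore the rest'
    behaviour the mail asks for. None means the server offered nothing the caller
    can answer, so no credentials are sent at all (in particular not to the Basic
    challenge, which would carry the password in clear).
    """
    for value in headers:
        scheme, params = parse_challenge(value)
        if scheme != "digest" or params.get("realm") != realm:
            continue
        if params.get("algorithm", "MD5").upper() in algorithms:  # MD5 is the RFC default
            return params
    return None


def digest_response(params, username, password, method, uri, cnonce, nc=1):
    """Hex response for a qop=auth (or legacy no-qop) challenge, RFC 7616 section 3.4.1."""
    algorithm = params.get("algorithm", "MD5").upper()
    if algorithm not in HASHES:
        raise ValueError(f"unsupported algorithm {algorithm!r}")
    qops = [q.strip() for q in params.get("qop", "").split(",") if q.strip()]
    if qops and "auth" not in qops:
        raise ValueError("only qop=auth is handled here")

    def h(s):
        return HASHES[algorithm](s.encode("utf-8")).hexdigest()

    a1 = h(f"{username}:{params['realm']}:{password}")  # realm is bound into A1
    a2 = h(f"{method}:{uri}")
    if qops:
        return h(f"{a1}:{params['nonce']}:{nc:08x}:{cnonce}:auth:{a2}")
    return h(f"{a1}:{params['nonce']}:{a2}")  # RFC 2069 style when no qop is offered


def digest_authorization(params, username, password, method, uri, cnonce=None, nc=1):
    """Assemble the Authorization header value the client sends back."""
    cnonce = cnonce or secrets.token_hex(16)
    response = digest_response(params, username, password, method, uri, cnonce, nc)
    fields = [
        f'username="{username}"', f'realm="{params["realm"]}"', f'uri="{uri}"',
        f"algorithm={params.get('algorithm', 'MD5').upper()}",
        f'nonce="{params["nonce"]}"', f'response="{response}"',
    ]
    if params.get("qop"):
        fields += ["qop=auth", f"nc={nc:08x}", f'cnonce="{cnonce}"']
    if "opaque" in params:  # echoed back unchanged, as the server expects
        fields.append(f'opaque="{params["opaque"]}"')
    return "Digest " + ", ".join(fields)


if __name__ == "__main__":
    chosen = select_digest_challenge(SAMPLE_401_HEADERS, "http-auth@example.org")
    print(digest_authorization(chosen, "Mufasa", "Circle of Life", "GET", "/dir/index.html"))
```

Because the realm is hashed into A1, credentials answered to a challenge for
the wrong realm simply fail and cost a second round trip; selecting by realm
before answering removes that round trip, which is the inefficiency the thread
discusses, and keeps the client from ever falling through to a Basic challenge
that happens to share the realm name.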

-------------------------------------------------------------------
Unsubscribe: https://cool.haxx.se/list/listinfo/curl-library
Etiquette: https://curl.haxx.se/mail/etiquette.html
Received on 2017-07-10