Reputation: 3969
I was looking at Box Oauth2.0 View Controller: https://github.com/box/box-ios-sdk-v2/blob/master/BoxSDK/OAuth2/BoxAuthorizationViewController.m
They have the following code:
- (void)connection:(NSURLConnection *)connection willSendRequestForAuthenticationChallenge:(NSURLAuthenticationChallenge *)challenge
{
What is the purpose of including such a code?
Is it necessary when showing an oauth2.0 flow in webview?
Upvotes: 0
Views: 1257
Reputation: 19154
Simply put, this delegate method reflects the "Access Authentication" scheme specified in HTTP 1.1, especially RFC 2617.
When an unauthenticated client sends a request, the server "challenges" the client by sending a 401 (Unauthorized) response message to the client together with a WWW-Authenticate header in the response. The client then in turn may answer to this particular "challenge" specified in the WWW-Authenticate header by providing suitable credentials and repeating the request.
What a client exactly has to do depends on the kind of challenge and the authorization scheme, and the client requirements. The URL loading scheme already implements a default behavior which is sufficient in many cases, but when the default behavior isn't appropriate you can implement this delegate and tailor it to your specific needs.
IMO, an OAuth client library should implement this delegate. When the client authentication fails, a server may send an HTTP 401 (Unauthorized) status code in its response, including a WWW-Authenticate header field indicating which authentication schemes are supported. (See §5.2, Error Response, RFC 6749.)
Implementing this delegate method correctly is really an advanced topic, especially since this affects security. So, I strongly suggest reading further material before accidentally disabling HTTPS server trust evaluation, for example. ;)
Upvotes: 1
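One way to implement the delegate method discussed above, as an added example (not code from the Box SDK or from the answer's author): it leaves TLS server trust evaluation to the system and answers only RFC 2617 Basic/Digest challenges. The class name `ExampleAuthDelegate` and its `user`/`password` properties are hypothetical.

```objective-c
#import <Foundation/Foundation.h>

// Hypothetical delegate class for this example; not part of the Box SDK.
@interface ExampleAuthDelegate : NSObject <NSURLConnectionDelegate>
@property (nonatomic, copy) NSString *user;      // assumed to be set by the app
@property (nonatomic, copy) NSString *password;  // assumed to be set by the app
@end

@implementation ExampleAuthDelegate

- (void)connection:(NSURLConnection *)connection
willSendRequestForAuthenticationChallenge:(NSURLAuthenticationChallenge *)challenge
{
    NSURLProtectionSpace *space = challenge.protectionSpace;
    NSString *method = space.authenticationMethod;

    if ([method isEqualToString:NSURLAuthenticationMethodServerTrust]) {
        // TLS server trust: keep the system's certificate chain evaluation.
        // Replying with [NSURLCredential credentialForTrust:] without first
        // evaluating the trust object would accept any certificate, which is
        // the accidental disabling of trust evaluation the answer warns about.
        [challenge.sender performDefaultHandlingForAuthenticationChallenge:challenge];
        return;
    }

    BOOL isHTTPAuth = [method isEqualToString:NSURLAuthenticationMethodHTTPBasic] ||
                      [method isEqualToString:NSURLAuthenticationMethodHTTPDigest];
    if (isHTTPAuth) {
        // 401 + WWW-Authenticate challenge. Stop if the credentials were
        // already rejected once, are missing, or would travel unprotected
        // (for example Basic over plain HTTP).
        if (challenge.previousFailureCount > 0 || !self.user || !self.password ||
            !space.receivesCredentialSecurely) {
            [challenge.sender cancelAuthenticationChallenge:challenge];
            return;
        }
        NSURLCredential *credential =
            [NSURLCredential credentialWithUser:self.user
                                       password:self.password
                                    persistence:NSURLCredentialPersistenceNone];
        [challenge.sender useCredential:credential forAuthenticationChallenge:challenge];
        return;
    }

    // Any other scheme (client certificate, NTLM, ...): system default.
    [challenge.sender performDefaultHandlingForAuthenticationChallenge:challenge];
}

@end
```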