CppLearner

Reputation: 17040

What should WWW-Authenticate contain for a 401 response, especially for a REST API?

If the credential is incorrect or invalid, and if I choose to go with 401, what should the WWW-Authenticate header value be? What should the realm be, especially for REST API?

Most examples I see are WWW-Authenticate: realm="Company website" location="...." but this seems more like it is for a browser client.

Upvotes: 1

Views: 4325

Answers (1)

npcode

Reputation: 1390

The WWW-Authenticate response header includes a "challenge", and what the challenge includes depends on the authentication scheme you use.

If you use Basic Authentication, the challenge includes only a string "Basic" and a realm, such as:

WWW-Authenticate: Basic realm="WallyWorld"

And if you use Digest Authentication, it should include the string "Digest" and many fields, such as:

WWW-Authenticate: Digest
             realm="testrealm@host.com",
             qop="auth,auth-int",
             nonce="dcd98b7102dd2f0e8b11d0f600bfb0c093",
             opaque="5ccc069c403ebaf9f0171e9517f40e41"

See RFC 7235 for HTTP Authentication schemes and RFC 2617 for Basic and Digest Authentication.

Upvotes: 1
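The following is an added example (not code from the question or the answer above) showing how a REST API server would build the Basic and Digest challenges described in the answer, parse a challenge back into its scheme and parameters, and return 401 plus WWW-Authenticate when credentials are missing or wrong. The credential store USERS, the realm strings and the function names are assumptions made for this example; the Digest field names match those in the answer's header.

```python
from __future__ import annotations

import base64
import binascii
import hmac
import re
import secrets

# Constructed demo credential store (an assumption for this example; a real
# service would look users up in a database and store password hashes).
USERS = {"alice": "correct horse battery staple"}

# Matches one auth-param: key="quoted string" or key=token (RFC 7235 syntax)
_PARAM_RE = re.compile(r'(\w+)\s*=\s*(?:"((?:[^"\\]|\\.)*)"|([^\s,]+))')


def _quote(value: str) -> str:
    """Quote a parameter value as an RFC 7235 quoted-string."""
    return '"' + value.replace("\\", "\\\\").replace('"', '\\"') + '"'


def basic_challenge(realm: str) -> str:
    """WWW-Authenticate value for the Basic scheme: just the scheme and a realm."""
    return f"Basic realm={_quote(realm)}"


def digest_challenge(realm: str, nonce: str | None = None, opaque: str | None = None) -> str:
    """WWW-Authenticate value for the Digest scheme with the fields shown in the answer.

    When no nonce/opaque is supplied, fresh unguessable values are generated so a
    challenge cannot be replayed."""
    nonce = nonce or secrets.token_hex(16)
    opaque = opaque or secrets.token_hex(16)
    return (f"Digest realm={_quote(realm)}, qop={_quote('auth,auth-int')}, "
            f"nonce={_quote(nonce)}, opaque={_quote(opaque)}")


def parse_challenge(header: str) -> tuple[str, dict[str, str]]:
    """Split a single-challenge WWW-Authenticate value into (scheme, params).

    Whitespace after the scheme may include line breaks, as in the Digest example."""
    parts = re.split(r"\s+", header.strip(), maxsplit=1)
    scheme = parts[0]
    rest = parts[1] if len(parts) > 1 else ""
    params: dict[str, str] = {}
    for key, quoted, token in _PARAM_RE.findall(rest):
        # Undo backslash escaping inside quoted strings
        value = re.sub(r"\\(.)", r"\1", quoted) if quoted else token
        params[key.lower()] = value
    return scheme, params


def basic_credentials(user: str, password: str) -> str:
    """Client side: build the Authorization header value for Basic auth."""
    return "Basic " + base64.b64encode(f"{user}:{password}".encode()).decode()


def authenticate_basic(authorization: str | None, realm: str) -> tuple[int, dict[str, str]]:
    """Server side: return (status, response headers) for a request under Basic auth.

    A missing, malformed or incorrect credential yields 401 together with the
    challenge, which is what RFC 7235 requires of a 401 response."""
    unauthorized = (401, {"WWW-Authenticate": basic_challenge(realm)})
    if not authorization or not authorization.startswith("Basic "):
        return unauthorized
    try:
        raw = base64.b64decode(authorization[6:].strip(), validate=True).decode("utf-8")
    except (binascii.Error, UnicodeDecodeError):
        return unauthorized
    user, _, password = raw.partition(":")
    expected = USERS.get(user, "")
    # Constant-time comparison so response timing does not leak how much matched;
    # the comparison runs even for unknown users to avoid a timing difference there.
    ok = hmac.compare_digest(password.encode(), expected.encode())
    if user in USERS and ok:
        return 200, {}
    return unauthorized


if __name__ == "__main__":
    print(basic_challenge("api.example.com"))
    print(digest_challenge("testrealm@host.com"))
    print(authenticate_basic(None, "api.example.com"))
    print(authenticate_basic(basic_credentials("alice", "correct horse battery staple"), "api.example.com"))
```

For a REST API the realm is simply an opaque label for the protection space (for example the API's host name or an API-wide name); clients use it only to decide which stored credentials apply, so it does not need to be human-readable text meant for a browser dialog.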
