Arel

Reputation: 3938

Why does the Rails Authorization header require the format Token token="abc123"

I've tried to Google this, but can't find any answers. When using Rails, why do I have to send Authorization headers like this:

Authorization: Token token=abc123

Why can't I just send one like this:

Authorization: abc123

I assume this is just how authenticate_or_request_with_http_token is built. Is there a downside to just writing my own method to grab a naked Authorization header, or is there some security concern I'm not aware of?

Upvotes: 0

Views: 148

Answers (1)

robertoplancarte

Reputation: 1181

The Token part of the header is the authorisation scheme type, followed by the actual credential (RFC 1945). Since the RFC doesn't specify a default type, it is important to add it, because different web servers might have different defaults and do different things if no scheme type is provided. There are a few useful schemes, like bearer tokens and basic auth, that look similar but might be managed differently by the server. authenticate_or_request_with_http_token is just trying to set the scheme type for you, but if you want a different one you can use a gem that implements OAuth2, for example.

Upvotes: 1
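To make the answer concrete, here is an added example (my own code, not from the question, the answer or Rails itself) of a small Authorization-header parser that follows the same grammar Rails' token helper accepts: a scheme word first, then scheme-specific credentials. It shows why "Token token=abc123" parses while a naked "abc123" does not, how Basic, Bearer and Token credentials look similar but are decoded differently, and how a server should compare the secret once it has it. The VALID_TOKEN value is a constructed sample; in a real app you would use ActionController::HttpAuthentication::Token and ActiveSupport::SecurityUtils.secure_compare rather than these hand-rolled helpers.

```ruby
# Parse an HTTP Authorization header value into [scheme, credentials].
# Returns nil when no recognisable scheme precedes the credentials, which is
# exactly what happens to "Authorization: abc123".
def parse_authorization(header)
  return nil if header.nil?
  scheme, rest = header.strip.split(/\s+/, 2)
  return nil if scheme.nil? || rest.nil? || rest.empty?

  case scheme.downcase
  when 'token'
    # Token scheme (as used by Rails): comma-separated key=value pairs with
    # optionally quoted values, e.g.  Token token="abc123", nonce="n1".
    # Values containing commas are not supported by this simple splitter.
    params = {}
    rest.split(/,\s*/).each do |pair|
      key, value = pair.split('=', 2)
      return nil if key.nil? || value.nil?
      params[key.strip.downcase] = value.strip.delete_prefix('"').delete_suffix('"')
    end
    return nil unless params.key?('token')
    [:token, params]
  when 'bearer'
    # Bearer scheme (RFC 6750): the credential is the opaque token itself.
    [:bearer, rest.strip]
  when 'basic'
    # Basic scheme (RFC 7617): base64("user:password"); 'm0' is strict base64.
    begin
      decoded = rest.strip.unpack1('m0')
    rescue ArgumentError
      return nil
    end
    user, password = decoded.split(':', 2)
    return nil if password.nil?
    [:basic, { 'user' => user, 'password' => password }]
  else
    nil
  end
end

# Constant-time comparison of two secrets, so a wrong token does not leak how
# many leading bytes matched through response timing.
def secure_compare(a, b)
  return false unless a.bytesize == b.bytesize
  res = 0
  a.bytes.zip(b.bytes) { |x, y| res |= x ^ y }
  res.zero?
end

# Constructed sample secret for the example; a real app loads this from
# configuration or a credentials store, never from source.
VALID_TOKEN = 'abc123'.freeze

# What a controller filter would do: accept only the scheme it was written
# for (here Token), then compare the presented secret in constant time.
def authenticate_token_header(header)
  parsed = parse_authorization(header)
  return false unless parsed && parsed[0] == :token
  secure_compare(parsed[1]['token'], VALID_TOKEN)
end
```

Note that a Bearer header carrying the same string is rejected by authenticate_token_header even though the secret is identical: the scheme tells the server which rules to apply, and a handler that grabbed a naked header would have to guess.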
