What should I set the “realm” in the “WWW-Authenticate” HTTP header to, for a one-time-password–challenge?

As I understand it, a realm is a protection space within which you can authenticate with the same credential(s).


The challenge my server gives demands a unique un-reusable credential that can be used to authenticate only once (“one-time credential”).

WWW-Authenticate: reCAPTCHA realm=__________

In this case, what do you think the realm should be, a UUID? Or should I not set it at all?

Upvotes: 0

Views: 418

Answers (1)

DaSourcerer

Reputation: 6606

As you correctly point out, the realm is supposed to allow logical separation. Setting it to a UUID is actually a pretty good idea. Leaving it unset, OTOH, would mean no separation at all: all credentials in this case were part of the 'no realm' realm.

Upvotes: 1
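
One way to apply the per-challenge UUID realm suggested in the answer above, as an added example that is not part of the original thread: each 401 gets a fresh realm, and the server accepts a credential for that realm only once. The class and function names, the TTL, the `verify` callback (a stand-in for the real reCAPTCHA verification) and the assumption that the client echoes the realm back with its credential are all hypothetical.

```python
import re
import time
import uuid


class OneTimeChallenges:
    """Tracks outstanding challenges; every challenge gets its own realm."""

    def __init__(self, scheme="reCAPTCHA", ttl=120, clock=time.monotonic):
        self.scheme = scheme
        self.ttl = ttl            # seconds a challenge stays valid (constructed value)
        self.clock = clock
        self._pending = {}        # realm -> expiry timestamp

    def issue(self):
        """Return the WWW-Authenticate value to send with a 401 response."""
        realm = str(uuid.uuid4())  # fresh protection space per challenge
        self._pending[realm] = self.clock() + self.ttl
        return f'{self.scheme} realm="{realm}"'

    def redeem(self, realm, credential, verify):
        """Accept a credential at most once, and only for an issued realm."""
        # pop() consumes the realm before verification, so a replayed or
        # failed attempt can never be retried against the same realm.
        expiry = self._pending.pop(realm, None)
        if expiry is None or self.clock() > expiry:
            return False
        return bool(verify(credential))


def parse_challenge(header_value):
    """Split a simple 'scheme realm="..."' challenge into (scheme, realm)."""
    match = re.fullmatch(r'(\S+)\s+realm="([^"]*)"', header_value.strip())
    if match is None:
        raise ValueError("unsupported challenge format")
    return match.group(1), match.group(2)


if __name__ == "__main__":
    challenges = OneTimeChallenges()
    header = challenges.issue()
    print("WWW-Authenticate:", header)
    _, realm = parse_challenge(header)
    check = lambda token: token == "constructed-token"  # stand-in verifier
    print(challenges.redeem(realm, "constructed-token", check))  # first use
    print(challenges.redeem(realm, "constructed-token", check))  # replay
```

Because the realm is unknown to the server once redeemed or expired, a client that caches credentials per realm has nothing it can reuse on the next challenge.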
