I need to access a website that requires basic authentication.
I understand how HTTP/S-requests can contain headers, but how does this work for websites? I've tried to pass the basic authentication in the URL, but that doesn't work.
Should I be passing the basic authentication header in JavaScript or something?
Here's what I've tried
https://username:password#website.com/
https://website.com/?authMethod=Basic&authUsername=username&authPassword=password
Related
I have a Django Rest Framework api that uses bearer token for authentication behind Nginx reverse proxy. I'm setting up basic authentication to protect the proxy in the development server, but I'm not sure what's the best way to protect the api using both authentication methods. I need two authentication methods, because I'd like only admins to be able to see the api page (even if the private information were only accessible to people with the bearer token). I have read that using multiple values in the Authorization header is not compatible with the spec, so I was thinking that maybe I could switch the header used by Django from Authorization to "Custom-Authorization", but the solution seems hack-ish. I'd rather have an Nginx solution for this (and even use custom header for basic auth if that were possible). What would you recommend?
You find the answer here: Multiple HTTP Authorization headers?
=> basic authentication and bearer token are sharing the same header. This is basically the reason why it is not working.
I'm writing an application that use woocommerce REST API with Basic authentication. In each request I should add a username and password in base64 encoding. However, each authentication header can i preview in the browser, decode and execute requests from another place which I would not like, of course.
Did I configure apps incorrectly?
I do not understand how it would be safe, since everyone can get the keys from the header.
How to configure this connection correctly?
Maybe should I use JWT auth?
woocommerce-rest-api IS NOT frondend rest api. To be able to use this on the front should be properly adapted ACL. This help me understand
What i'm trying to do is:
Receive username and password via form and authenticate them with IIS using basic authentication.
The thing is, I want to do this without the built in browser popup.
Is there a way to override the popup and authenticate through code?
My website is in ASP.NET and i'm using IIS7.
Thanks to all helpers!
You can put the credentials in the URL. See for instance https://serverfault.com/questions/371907/can-you-pass-user-pass-for-http-basic-authentication-in-url-parameters. Note the remark in that question that it doesn't work in IE.
Basic authentication uses a base64 encoded string containing [username:password] in the http authentication header.
You can simply add this to your request using jQuery's header function before performing the request. But wrong credentials would still cause a pop up.
As the title says,I want to build a App that run in browser with a Single Html page.but how to implement the Authentication.and my solution is:
the server-side is all the RESTful APIs,which can used by multiple Platform,web ,mobile side ,etc.and every API that need auth will be get a token to parse,if the API does not get a token return 401.
cuz my first practise is in the browser,so I need to request for the token to get login,and when the app needs to request the auth-APIs,I will put the token in the header for requesting...
and my questions is : does it safe enough? any other better solution?
No it's not safe enough if the token is accessible through javascript for the same reason that you should set your cookies to http only and restrict to ssl.
If a hacker can inject javascript into your app, it can steal the token and use it from their machine.
For that reason I suggest you use a secure, http only cookie instead of the token when using a website.
If your API is going to be accessed from a native mobile app then you could add a token to each url.
Having a custom header in the http request might cause issues with certain proxies which might not pass all headers through.
A cookie is nothing more than a standardised http header so you might as well reuse that.
What you could also consider using is OAuth if you're going to allow 3rd party apps access to parts of your API.
There is no reason why you could not use cookies for browser based clients and an ApiKey query parameter for other clients.
We're trying to test an API that requires HTTP Basic Access Authentication credentials (http://en.wikipedia.org/wiki/Basic_access_authentication) in the request.
Ideally, we could just test the API using a web browser by putting all API parameters in the URL querystring, but we haven't yet found a way to encode the HTTP Basic Access Authentication credentials (username and password) in the querystring.
Does anyone know a way to do this?
Thus far, we've tried:
https://username:password#mydomain.com/
...without success.
username:password#url authentication has been disabled in many browsers for security reasons.
For example in IE:
Internet Explorer does not support user names and passwords in Web site addresses (HTTP or HTTPS URLs)
As far as I know, there is no way to circumvent this if this is blocked. It's possible that this can be turned of in Firefox using a setting in about:config. Or use some other browser that doesn't block it - I don't know which ones do and which don't.
Alternatively, consider building a quick web form that submits the option to a server-side language (e.g. PHP) that makes the request, or use a command line client like wget to send the requests. The latter might even be easiest