What http code should i respond with if I cannot find a user in the database and therefore, cannot authenticate him.
I personally do not like like idea of returning 404.
I would recommend either 401 or 403. 404 is Not Found, which could also be because the resource is not available even when the user is authenticated. Ref: Standard Error Code
401 Unauthorized, the HTTP status code for authentication errors. And that’s just it: it’s for authentication, not authorization. Receiving a 401 response is the server telling you, “you aren’t authenticated–either not authenticated at all or authenticated incorrectly–but please reauthenticate and try again.” To help you out, it will always include a WWW-Authenticate header that describes how to authenticate.
Related
If someone tries to visit an internal page which is only accessible once they have logged in, what error code should be returned? 403 doesn't seem right, because they have not authenticated. However, 401 doesn't work either, because that implies they can log in using basic auth, which we are not using.
Is it correct, when authentication is done via a method other than WWW-Authenticate headers, to use 403 in place of 401? If not, what code should be used?
Note: I have found some similar questions to this, but they all seem to be asking about sites using http basic auth, rather than any other authentication method.
The status code 401 does not imply you support basic authentication. It means that the server would not serve the request because appropriate credentials were missing.
The server can send back a WWW-Authenticate header to indicate what types of credentials it supports. If you only support JWT tokens for example, you would send back 'bearer'.
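The distinction the two answers above draw (401 with a WWW-Authenticate challenge when credentials are missing or bad, 403 when the caller is known but not allowed) as an added Python example; this is not code from the original posts. It follows the Bearer challenge format of RFC 6750 section 3, and the realm name, token values and scopes are constructed stand-ins:

```python
"""Added example: choosing 401 vs 403 for a Bearer-token protected resource.
Realm, tokens and scopes below are constructed; a real server would validate
a signed token or look it up in a session store instead of a dict."""
from dataclasses import dataclass, field

REALM = "api.example"  # hypothetical realm name

# Constructed token store: token -> (subject, granted scopes)
VALID_TOKENS = {
    "tok-alice-read": ("alice", {"read"}),
    "tok-bob-admin": ("bob", {"read", "admin"}),
}


@dataclass
class Response:
    status: int
    headers: dict = field(default_factory=dict)
    body: str = ""


def parse_bearer(authorization_header):
    """Return the token from 'Bearer <token>', or None if that scheme is absent."""
    if not authorization_header:
        return None
    scheme, _, token = authorization_header.partition(" ")
    if scheme.lower() != "bearer" or not token.strip():
        return None
    return token.strip()


def authorize(authorization_header, required_scope):
    """401 when re-authenticating could help (no or invalid credentials),
    403 when it could not (valid credentials, insufficient permission)."""
    token = parse_bearer(authorization_header)
    if token is None:
        # No usable credentials: challenge, naming the scheme we accept.
        return Response(401, {"WWW-Authenticate": f'Bearer realm="{REALM}"'})
    entry = VALID_TOKENS.get(token)
    if entry is None:
        # Credentials present but not valid: still 401, with RFC 6750's error code.
        return Response(401, {"WWW-Authenticate":
                              f'Bearer realm="{REALM}", error="invalid_token"'})
    subject, scopes = entry
    if required_scope not in scopes:
        # Authenticated but not authorized: 403 (RFC 6750 calls this insufficient_scope).
        return Response(403, {"WWW-Authenticate":
                              f'Bearer realm="{REALM}", error="insufficient_scope", '
                              f'scope="{required_scope}"'},
                        f"{subject} lacks scope {required_scope}")
    return Response(200, {}, f"hello {subject}")
```

Note that a request carrying a different scheme (say, Basic) gets the same 401 challenge as one with no header at all: the challenge tells the client which scheme the server actually supports.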
Which status code would you use in this scenario, assuming you're using a token based authentication:
The client has a token and makes a request to the server.
The token expired and the server sends a 401 Unauthorized.
The client sends the refresh token.
The token is invalid and the server responds with XXX?
The use case would be an application, that automatically catches 401's and makes a request with the refresh token. If the server would respond with a 401 if this token is not valid, the client would try to request a new access token with the refresh token forever. But it should tell the client, that it should re-authenticate with its credentials (e.g. email and password).
I was just wondering which status code would be the best fit in this scenario, as the spec says in case of a 403 Forbidden "authorization will not help".
I would not make access and refresh tokens interchangeable: Use Access-Tokens to access protected resources and use Refresh-Token to fetch new Access-Token from a special end-point. OpenID Connect works this way.
You would have one HTTP request more but HTTP codes would not be a problem and, in my opinion, you would get a cleaner code.
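The separation the answer recommends, as an added Python example that is not the answer's own code: access tokens are only accepted by the resource, refresh tokens only by a dedicated token endpoint, and the client makes at most one refresh attempt per 401 so a bad refresh token ends in a re-login instead of a loop. The token endpoint's 400 with error "invalid_grant" follows OAuth 2.0 (RFC 6749 section 5.2); the clock, token lifetimes and the login stand-in are constructed assumptions:

```python
"""Added example: separate access/refresh tokens with a loop-safe client.
Clock, lifetimes and token storage are constructed for the demonstration."""
import secrets

ACCESS_LIFETIME = 300  # seconds; constructed value


class AuthServer:
    def __init__(self):
        self.now = 0          # constructed clock, advanced by hand in tests
        self.access = {}      # access token -> (subject, expiry)
        self.refresh = {}     # refresh token -> subject

    def login(self, username):
        """Stand-in for a credential login; password checking is out of scope here."""
        return 200, self._issue(username)

    def _issue(self, subject):
        at, rt = secrets.token_urlsafe(16), secrets.token_urlsafe(16)
        self.access[at] = (subject, self.now + ACCESS_LIFETIME)
        self.refresh[rt] = subject
        return {"access_token": at, "refresh_token": rt}

    def token_endpoint(self, refresh_token):
        """Dedicated endpoint: a refresh token buys a new pair, and is single-use."""
        subject = self.refresh.pop(refresh_token, None)
        if subject is None:
            # OAuth 2.0 error response: not a 401, so the client cannot mistake it
            # for an expired access token.
            return 400, {"error": "invalid_grant"}
        return 200, self._issue(subject)

    def resource(self, access_token):
        """Protected resource: expired or unknown access tokens get a 401."""
        entry = self.access.get(access_token)
        if entry is None or entry[1] <= self.now:
            return 401, {"WWW-Authenticate": 'Bearer error="invalid_token"'}
        return 200, {"data": f"for {entry[0]}"}


class Client:
    def __init__(self, server, tokens):
        self.server, self.tokens = server, tokens
        self.needs_login = False  # set when the refresh token is rejected

    def get(self):
        """One refresh per 401, never a retry loop."""
        status, body = self.server.resource(self.tokens.get("access_token"))
        if status != 401:
            return status, body
        rstatus, rbody = self.server.token_endpoint(self.tokens.get("refresh_token"))
        if rstatus != 200:
            # Refresh failed: surface this to the application as "log in again".
            self.needs_login = True
            return 401, {"error": "reauthenticate"}
        self.tokens = rbody
        return self.server.resource(self.tokens["access_token"])
```

Because the refresh token is consumed on use, a replayed refresh token is rejected with 400 as well, which is the same signal the client already handles.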
I read a lot about using HTTP 403 or HTTP 401 for managing unauthorized requests.
I think that if my application uses one-phase authentication then using HTTP 403 is more appropriate, since the HTTP 401 response definition indicates that authentication is required, so if a user is not logged in and he tries to access a page then the application should require a username/password. But if the user is authenticated and the application has only one-phase authentication then returning 403 is the right code if the user is not authorized, since even if the user re-types his username and password, nothing will change. But if my application requires two-phase authentication, for example to enter a second password, then returning HTTP 401 will be more appropriate. So can anyone advise?
I'm writing a web application which requires a user login. As you might recognise there are many workflows for responding to invalid user credentials. Most browsers are capable of storing (accepted) user credentials in their credential storage.
My original question splits up into two parts:
Which HTTP status code should be sent to the user if a site requires a logged-in user? I don't mean the situation where the user is requesting the login page herself.
Which HTTP status code should be sent to the user if he/she has entered invalid credentials?
HTTP 401 is only for the "old style" authentication via browser prompts, I guess. I'm using my own login pages to get rid of those browser prompts.
There are many standards for authentication. A couple of examples you can find here:
http://docs.oracle.com/javaee/1.4/tutorial/doc/Security5.html
The error code 401 you described is used for the Basic Authentication. It is not old :).
When you use your own login form please follow the standard form authentication flow:
If a user accesses a protected resource without authentication, redirect to a login page (HTTP code 302)
Show the login page (HTTP code 200). Submit the user name to a dedicated URL (generally it is j_security_check)
After a successful authentication, redirect back to the original protected resource (HTTP code 302)
After a failed authentication, show the login page once again with the error code (HTTP code 200)
If a user accesses a protected resource after authentication, show the resource (HTTP code 200)
To distinguish between an authenticated and a not-authenticated session you can use an HTTP cookie.
It is recommended to use a GUID and not any user information (e.g. user name).
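The five-step form flow and the cookie advice above, as an added Python example rather than the answer's own code. It is a tiny request handler returning (status, headers, body); the session identifier is a random UUID that is mapped to the user only on the server side, so the cookie itself carries no user information. The user record, the paths and the cookie name are constructed; "/j_security_check" follows the Java EE name the answer mentions:

```python
"""Added example: form-based login flow with 302/200 responses and an opaque
session cookie. Users, paths and the cookie name are constructed."""
import hmac
import uuid

USERS = {"alice": "correct horse"}  # constructed; real code stores password hashes
SESSIONS = {}                       # session id -> user name, server side only


def _session_user(headers):
    """Resolve the SESSION cookie to a user, or None when absent or unknown."""
    for part in headers.get("Cookie", "").split(";"):
        name, _, value = part.strip().partition("=")
        if name == "SESSION":
            return SESSIONS.get(value)
    return None


def _credentials_ok(username, password):
    stored = USERS.get(username or "")
    # Constant-time comparison; stand-in for verifying a password hash.
    return stored is not None and hmac.compare_digest(stored, password or "")


def handle(method, path, headers=None, form=None):
    """Dispatch one request; everything not /login or /j_security_check is protected."""
    headers, form = headers or {}, form or {}
    base, _, query = path.partition("?")

    if base == "/login" and method == "GET":
        # Step 2: the login page itself is a normal 200 (error variant included)
        body = "login form" + (" (invalid credentials)" if query == "error=1" else "")
        return 200, {}, body

    if base == "/j_security_check" and method == "POST":
        if _credentials_ok(form.get("username"), form.get("password")):
            sid = str(uuid.uuid4())               # opaque GUID, never the user name
            SESSIONS[sid] = form["username"]
            # Step 3: back to the originally requested resource
            return 302, {"Location": form.get("next", "/"),
                         "Set-Cookie": f"SESSION={sid}; HttpOnly; Secure; SameSite=Lax"}, ""
        # Step 4: failed login shows the form again with an error, still a 200
        return 200, {}, "login form (invalid credentials)"

    user = _session_user(headers)
    if user is None:
        # Step 1: unauthenticated access to a protected page redirects to login
        return 302, {"Location": f"/login?next={base}"}, ""
    # Step 5: authenticated access serves the resource
    return 200, {}, f"secret page for {user}"
```

The `next` value is carried by the login form as a hidden field here; in a real deployment it should be restricted to same-site paths before being used in a redirect.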
401 Unauthorized / 407 Proxy Authentication Required are the only status codes that are relevant.
401 Unauthorized should only be presented if you are denying access to any resource - NOT if you are redirecting or presenting them with a login page.
407 is just like 401 except you are expecting auth to be handled by an external service and you expect to be provided with a Proxy-Authenticate header field.
More typically, you are presenting the user with a 200 OK and a login page.
The HttpUnit API for webclient says that "Will only send the authorization header when challenged for the specified realm." What does challenged mean in this case? How does HttpUnit recognize a challenge?
This refers to the way HTTP Authentication works:
When accessing a protected URL (for the first time, with no credentials included in the request), the server will send back a response that has a status code of 401 Unauthorized and a WWW-Authenticate header set to something like Basic realm="My Realm". This indicates that Basic authentication is needed for the given URL and the realm is named 'My Realm'. This is the challenge - the user agent is being informed by the server that the URL it tried to access requires authentication and it should send back the user credentials. The user agent will typically prompt the user for credentials and then retry the request, this time with an Authorization header set to something like Basic rXflcjMwYXxz where the second part is the Base64 encoded username and password pair.
In the case of the HttpUnit method you've linked to, you'll see that it requires a realm, username and password. I imagine that when a URL is accessed, if it gets back a 401 (the challenge) from the server, it'll compare the realm you passed it with the realm in the response; if it matches, it'll attempt to authenticate with the username and password supplied.
References:
RFC entry for 401
Headers for authentication
Basic access authentication
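The challenge/response exchange described above, as an added Python example that is not HttpUnit's code: a minimal server side emits the 401 challenge, and a client side parses WWW-Authenticate, compares the realm with the one it was configured for, and only then builds the Authorization header and retries. The realm name and credentials are constructed; the Base64 encoding is the standard one for Basic (the "Aladdin" value in the test is the example from RFC 7617):

```python
"""Added example: Basic authentication challenge, realm check and retry.
Realm and credentials are constructed stand-ins."""
import base64
import hmac
import re


def server(authorization=None, realm="My Realm", expected=("alice", "s3cret")):
    """Return (status, headers). Anything but valid Basic credentials is challenged."""
    if authorization:
        scheme, _, token = authorization.partition(" ")
        if scheme == "Basic":
            try:
                decoded = base64.b64decode(token, validate=True).decode()
                user, _, pwd = decoded.partition(":")
                if user == expected[0] and hmac.compare_digest(pwd, expected[1]):
                    return 200, {}
            except (ValueError, UnicodeDecodeError, TypeError):
                pass  # malformed credentials fall through to the challenge
    # The challenge: scheme plus the realm the client must match
    return 401, {"WWW-Authenticate": f'Basic realm="{realm}"'}


def parse_challenge(header):
    """Parse 'Basic realm="..."' into (scheme, {param: value})."""
    scheme, _, rest = header.strip().partition(" ")
    params = {k.lower(): v for k, v in re.findall(r'(\w+)="([^"]*)"', rest)}
    return scheme, params


def basic_authorization(username, password):
    """Build the Authorization header value for Basic: base64("user:pass")."""
    return "Basic " + base64.b64encode(f"{username}:{password}".encode()).decode()


def client_fetch(configured_realm, username, password):
    """Request once; if challenged for the configured realm, retry with credentials.
    A challenge for any other realm or scheme is left unanswered."""
    status, headers = server()
    if status != 401:
        return status
    scheme, params = parse_challenge(headers["WWW-Authenticate"])
    if scheme != "Basic" or params.get("realm") != configured_realm:
        return status  # realm mismatch: credentials are not sent
    status, _ = server(basic_authorization(username, password))
    return status
```

The realm comparison is the point of the HttpUnit wording: credentials configured for one realm are never sent in answer to a challenge for another.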
When the server responds with a 401 error, HttpUnit throws an AuthorizationRequiredException. We can use getParameter("realm") on the exception to get the realm and send the request again with this realm name.