Basic Authentication in querystring

Ririck · September 27, 2015, 7:04am

I’m trying to pass basic authentication directly in the url like:
http://testuser:testpassword@mywebsite.com/myresource/myparam

The get method has the [Authenticate] attribute on it.
The integration test with AppSelfHostBase and JsonServiceClient that passes username and password works with no problem.
I checked on IIS and Basic Authentication is enabled and it is configured also in the host configuration.

If I try to pass the username and password in the url or I try to put the basic authentication on Postman (headers) I get the unhauthorized 401 error.

mythz · September 27, 2015, 7:46am

HTTP Basic Auth needs to send the Authorization: HTTP Request Header, see: https://en.m.wikipedia.org/wiki/Basic_access_authentication

Ririck · September 27, 2015, 3:53pm

This is what I have done with postman but still getting unauthorised.

mythz · September 27, 2015, 6:07pm

I’m assuming you’ve added the BasicAuthProvider() AuthProvider in AuthFeature right?

If so, can you post the HTTP Request and Response Headers that is being sent using Fiddler?

Ririck · September 27, 2015, 6:58pm

Yes BasicAuthProvider is enabled with :
Plugins.Add(new AuthFeature(() => new AuthUserSession(),
new IAuthProvider[]
{
new BasicAuthProvider(),
})

And this test passes correctly:

 [Test]
        public void TestAuthentication()
        {
	        var UserName = "testuser";
	        var Password = "testpassword";
            var client = new JsonServiceClient(BaseUri)
            {
                UserName = UserName,
                Password = Password
            };
          
            MwInspectionDetailResponse response = client.Get<MwInspectionDetailResponse>(new MwInspectionRequest() { Id = "A18-42N" });
            Console.WriteLine("Tratta:{0}", response.TrattaAutostrada);
            Assert.IsTrue(!string.IsNullOrEmpty(response.TrattaAutostrada));
        }

Here are the Request-Response headers in Fiddler
Request headers:

  GET /api/mwinspections?Id=A18-42N HTTP/1.1
    Host: 10.37.129.5:8085
    Connection: keep-alive
    Accept: application/json
    Cache-Control: no-cache
    User-Agent: Mozilla/5.0 (Windows NT 10.0; WOW64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/45.0.2454.101 Safari/537.36
    Authorization: Basic dGVzdHVzZXI6dGVzdHBhc3N3b3Jk
    Postman-Token: b7905796-d8f4-08f0-b2d0-b7d56cb7f335
    Accept-Encoding: gzip, deflate, sdch
    Accept-Language: it-IT,it;q=0.8,en-US;q=0.6,en;q=0.4
    Cookie: ss-id=EiNnNtOQpM4oAHH8ch93; ss-pid=yZeFrUWDEnPcipucyRGY

Response:

HTTP/1.1 401 Unauthorized
Server: Microsoft-IIS/10.0
WWW-Authenticate: Basic realm="10.37.129.5"
X-Powered-By: ASP.NET
Date: Sun, 27 Sep 2015 18:50:38 GMT
Content-Length: 0

mythz · September 27, 2015, 10:18pm

It should just work the server doesn’t care about which client sends the request just the HTTP Headers sent with the request.

Try deleting the ss-id/ss-pid Cookies, in Fiddler you can drag the Request into the Composer and replay the request, try it without sending existing cookies.

Also note the special support for Authentication in Postman basically it lets you export your authenticated session into a url that you can paste into Postman to copy the Session cookies.