Skip to content

--no-anyauth does not undo --anyauth #17508

New issue
New issue
Closed
Closed
--no-anyauth does not undo --anyauth#17508
Labels
cmdline tool
@dfandrich

Description

@dfandrich
dfandrich
opened on Jun 1, 2025

I did this

The command curl -u user: http://localhost sends an Authorization: Basic ... header to the server. The command curl -u user: --anyauth http://localhost does not, because it first expects to get a 401 code to begin negotiation of the auth method. I would expect the command curl -u user: --anyauth --no-anyauth http://localhost, which adds the --no-anyauth parameter, to undo the --anyauth and cause this command to operate like the first one (and send an Authorization: header), but it does not. It operates exactly the same as the previous command. Setting --basic, which the documentation says is the default behaviour, instead of --no-anyauth, also does nothing to restore the default behaviour.

I expected the following

I would expect --anyauth --no-anyauth and --anyauth --basic to each operate as a no-op, but it appears that once --anyauth is given auth negotiation cannot be disabled. Either curl should undo --anyauth and restore the default behaviour with one of these options, or, failing that, it should return an option is unknown error for --no-anyauth if it actually does nothing. The latter would be unfortunate, because it means if --anyauth is included in a .curlrc file it cannot be disabled.

The documentation for the various auth options is inconsistent. --basic says

This method is the default and this option is usually pointless, unless
you use it to override a previously set option that sets a
different authentication method (such as --ntlm, --digest, or
--negotiate).

which implies it should do what I want and override --anyauth (although, admittedly, it doesn't mention --anyauth by name). The documentation for --digest is different

This option is mutually exclusive with --basic, --ntlm and
--negotiate.

which implies that it's illegal to try to set more than one (curl doesn't stop you from doing it, though).

The --no-X options do appear to do something, though. Using --anyauth --no-digest against a site that is configured to allow Digest auth only, for example, causes curl to not negotiate it and give up after the first request.

curl/libcurl version

curl 8.14.1-DEV

operating system

Linux x86_64

Metadata

Metadata

Assignees

No one assigned

    Labels

    cmdline tool

    Type

    No type

    Projects

    No projects

    Milestone

    No milestone

    Relationships

    None yet

    Development

    No branches or pull requests

    Issue actions