Skip to content
This issue has been moved to a discussionGo to the discussion

Multiple WWW-Authenticate headers in 401 responses #7328

New issue
New issue
Closed
#9242
Closed
Multiple WWW-Authenticate headers in 401 responses#7328
#9242
@hodossy

Description

@hodossy
hodossy
opened on May 13, 2020

According to MDN and RFC 7235 multiple authentication challanges can be specified by a response.

The current implementation relies on the order of the DEFAULT_AUTHENTICATION_CLASSES settings. Usually the more secure authentication schemes ('Bearer' or 'Token') are placed on top of that list, but those are not handled by the browsers. This means that potentially browser support for authentication is not available in the Browsable API.

My proposal would be to simply add all headers provided by the authentication classes, so even if Basic authentication is not prefered, it still can be used to authenticate in browsers.

What is your view on this? Shall I submit a PR?

Activity

tomchristie
closed this as completedon Mar 8, 2021
encode
locked and limited conversation to collaborators on Mar 8, 2021
Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment

Metadata

Metadata

Assignees

No one assigned

    Labels

    No labels
    No labels

    Type

    No type

    Projects

    No projects

    Milestone

    No milestone

    Relationships

    None yet

      Development

      Participants

      @tomchristie@hodossy

      Issue actions
        Multiple WWW-Authenticate headers in 401 responses · Issue #7328 · encode/django-rest-framework