
Add support for multiple authentication challenges in WWW-Authenticate header #9242

Open · wants to merge 5 commits into master

Conversation

@waxlamp commented Jan 26, 2024

This adds a setting to enable emitting a comma-separated list of challenges in the WWW-Authenticate header that is returned with a 401 response.

Fixes #7328 and resolves #7812.

@waxlamp force-pushed the multiple-www-authenticate branch from cc3a7e2 to 525979e on January 29, 2024 18:25
@@ -8,3 +8,4 @@ class RestFrameworkConfig(AppConfig):
def ready(self):
# Add System checks
from .checks import pagination_system_check # NOQA
from .checks import www_authenticate_behavior_setting_check # NOQA
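Review bot: the added import in `ready()` exists only for its side effect (loading `.checks` so the new check registers itself with Django's system-check framework), which is why it carries `# NOQA`, but the hunk explains none of that beyond the terse `# Add System checks`; since the author's own comment on this line asks whether it is needed, suggest expanding that comment to say the imports register the checks at app start-up, or folding both into one statement, e.g. `from .checks import pagination_system_check, www_authenticate_behavior_setting_check  # NOQA`.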
@waxlamp (Author) commented on this line:

Is this line necessary? In my local build I was able to trigger the new error without it; I merely copied the pattern from the line above in my PR.

@auvipy (Member) commented Jan 29, 2024

I am not sure what benefit this will provide?

@yarikoptic (Contributor) commented:

> I am not sure what benefit this will provide?

DRF supports having multiple alternative authentication schemes (which is great), but it does not announce that in the 401 WWW-Authenticate response field, which makes it impossible to have a DRF-powered service that plays nicely with clients that follow the standard treatment of the WWW-Authenticate header field: they would see only the first available authentication mechanism (e.g. some non-standard "Token") and not some other available alternative authentication mechanism that they already know how to handle. So it then requires client-side knowledge of what particular authentication schemes a given DRF-powered service actually supports.

@waxlamp (Author) commented Jan 29, 2024

> I am not sure what benefit this will provide?

Essentially, the value is in fulfilling the RFC's description of Www-Authenticate in the face of a DRF application that offers multiple authorization schemes, but does not advertise most of them.
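To make the point in the two comments above concrete, here is an added example (not code from DRF or from this PR) that models both sides: a server that advertises only its first authenticator versus one that joins every authenticator's challenge into a single comma-separated WWW-Authenticate value, and a client that parses that value per RFC 7235 and picks the first scheme it knows. The `TokenAuth`/`BasicAuth` stand-ins, the two `www_authenticate_*` builders and the parser are assumptions made for the example; only the `authenticate_header(request)` method shape mirrors DRF's authentication classes.

```python
import re
from dataclasses import dataclass, field
from typing import Dict, List, Optional

# RFC 7230 "token" characters: no whitespace, comma, quote, '=' or other separators.
TOKEN = r"[!#$%&'*+\-.^_`|~0-9A-Za-z]+"
PARAM_RE = re.compile(rf"^({TOKEN})\s*=\s*(.+)$")
SCHEME_RE = re.compile(rf"^({TOKEN})(?:\s+(.+))?$")
# RFC 7235 token68: base64-ish run with optional trailing '=' padding (e.g. "Basic dXNlcjpwYXNz==").
TOKEN68_RE = re.compile(r"^[A-Za-z0-9\-._~+/]+=*$")


@dataclass
class Challenge:
    scheme: str
    params: Dict[str, str] = field(default_factory=dict)
    token68: Optional[str] = None


def _split_commas(value: str) -> List[str]:
    """Split a header value on commas that are not inside a quoted-string."""
    parts, buf, quoted, escaped = [], [], False, False
    for ch in value:
        if escaped:
            buf.append(ch)
            escaped = False
        elif quoted and ch == "\\":
            buf.append(ch)
            escaped = True
        elif ch == '"':
            quoted = not quoted
            buf.append(ch)
        elif ch == "," and not quoted:
            parts.append("".join(buf).strip())
            buf = []
        else:
            buf.append(ch)
    parts.append("".join(buf).strip())
    return [p for p in parts if p]


def _unquote(value: str) -> str:
    if len(value) >= 2 and value[0] == value[-1] == '"':
        return re.sub(r"\\(.)", r"\1", value[1:-1])
    return value


def parse_www_authenticate(value: str) -> List[Challenge]:
    """Parse a WWW-Authenticate value into its challenges (RFC 7235 section 4.1).

    Commas separate both challenges and the auth-params inside one challenge, so
    an item shaped `name=value` continues the current challenge and anything
    else (a scheme, optionally followed by its first param or a token68) starts a new one.
    """
    challenges: List[Challenge] = []
    for item in _split_commas(value):
        param = PARAM_RE.match(item)
        if param and challenges and challenges[-1].token68 is None:
            challenges[-1].params[param.group(1).lower()] = _unquote(param.group(2))
            continue
        scheme = SCHEME_RE.match(item)
        if not scheme:
            raise ValueError(f"malformed challenge: {item!r}")
        challenge = Challenge(scheme=scheme.group(1))
        rest = scheme.group(2)
        if rest is not None:
            first_param = PARAM_RE.match(rest)
            if TOKEN68_RE.match(rest):
                challenge.token68 = rest
            elif first_param:
                challenge.params[first_param.group(1).lower()] = _unquote(first_param.group(2))
            else:
                raise ValueError(f"malformed challenge: {item!r}")
        challenges.append(challenge)
    return challenges


def choose_challenge(header_value: str, supported_schemes) -> Optional[Challenge]:
    """Standard client behaviour: use the first advertised challenge it knows how to handle."""
    known = {s.lower() for s in supported_schemes}
    for challenge in parse_www_authenticate(header_value):
        if challenge.scheme.lower() in known:
            return challenge
    return None


# Stand-ins (assumed for this example) for authentication classes, each exposing
# authenticate_header(request) the way DRF's authentication classes do.
class TokenAuth:
    def authenticate_header(self, request):
        return "Token"


class BasicAuth:
    def authenticate_header(self, request):
        return 'Basic realm="api"'


def www_authenticate_first_only(authenticators, request=None) -> str:
    """Behaviour the thread describes: only the first authenticator is advertised."""
    return authenticators[0].authenticate_header(request)


def www_authenticate_all(authenticators, request=None) -> str:
    """Behaviour the PR adds behind a setting (modelled here): every challenge, comma-separated."""
    return ", ".join(a.authenticate_header(request) for a in authenticators)


if __name__ == "__main__":
    auths = [TokenAuth(), BasicAuth()]
    for header in (www_authenticate_first_only(auths), www_authenticate_all(auths)):
        picked = choose_challenge(header, ["Basic", "Bearer"])
        print(f"{header!r:32} -> client using Basic/Bearer picks: {picked and picked.scheme}")
```

Running it shows the asymmetry the thread describes: against the first-only header a client that speaks only Basic or Bearer finds nothing it can use, while the joined header lets it select Basic without any out-of-band knowledge of the service. The parser also keeps a comma inside a quoted param value (such as an `error_description`) from being mistaken for a challenge boundary, which is the usual bug in hand-rolled clients.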

Development: successfully merging this pull request may close these issues: Multiple WWW-Authenticate headers in 401 responses

3 participants