Add WWW-Authenticate Header on 401 #119
Is there any way we can add the WWW-Authenticate header to a 401 response so that a user using a web browser will be prompted for credentials?
https://developer.mozilla.org/en-US/docs/Web/HTTP/Authentication

Comments

WWW-Authenticate only works for HTTP Basic Authorization, it doesn't make sense with the flows currently supported by Oathkeeper. Also, most clients will be programmatic ones (API) and not browsers accessing HTML websites.

We're allowing client credentials to be provided using Basic auth for some of our simpler clients and web services.

I see, maybe we could add a configuration setting to enable this for the client_credentials authorizer to enable this. What do you think?

That sounds good!

Perfect then, feel free to create a PR!

I've never written anything in Go, but I'll give it a shot!

I actually have a better idea. Currently there is a mutator that adds the headers. This mutator is applied only in case of a positive response. I would probably create two mutators instead, one for positive response and one for negative. And I would extend the list of values available for the template to include some request-specific ones (host, path, maybe original request headers etc). This would cover a bunch of additional use cases without breaking the concept of being the authorizer for APIs.

That's a good idea! We wanted to have a "deny" strategy but we were not completely sure how to approach this. Maybe splitting mutators into allow/deny is the way to go!
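The allow/deny split proposed in the thread, sketched as an added Go example. This is illustration code written for this page, not Oathkeeper's mutator implementation: the template field names (`.Host`, `.Path`, `.Subject`, `.Header`), the `HeaderMutator` type, the `demo`/`secret` credentials and the `api.example.com` request are all assumptions constructed for the example. One mutator renders headers on the positive path, a second one renders the `WWW-Authenticate` challenge on the negative path, and both templates see request-specific values, so the realm can be built from the host and path.

```go
package main

import (
	"crypto/subtle"
	"fmt"
	"net/http"
	"net/http/httptest"
	"strings"
	"text/template"
)

// RequestData is the request-specific context exposed to header templates.
// Field names are an assumption for this example, not Oathkeeper's template context.
type RequestData struct {
	Host    string
	Path    string
	Subject string      // authenticated user; empty on the deny path
	Header  http.Header // original request headers
}

// HeaderMutator renders one Go text/template per response header name.
type HeaderMutator struct{ templates map[string]*template.Template }

// NewHeaderMutator parses a header-name -> template map; bad templates fail at config time.
func NewHeaderMutator(spec map[string]string) (*HeaderMutator, error) {
	m := &HeaderMutator{templates: map[string]*template.Template{}}
	for name, tpl := range spec {
		t, err := template.New(name).Parse(tpl)
		if err != nil {
			return nil, fmt.Errorf("header %q: %w", name, err)
		}
		m.templates[name] = t
	}
	return m, nil
}

// Apply renders every template against the request and sets the results on h.
func (m *HeaderMutator) Apply(h http.Header, r *http.Request, subject string) error {
	data := RequestData{Host: r.Host, Path: r.URL.Path, Subject: subject, Header: r.Header}
	for name, t := range m.templates {
		var sb strings.Builder
		if err := t.Execute(&sb, data); err != nil {
			return fmt.Errorf("header %q: %w", name, err)
		}
		h.Set(name, sb.String())
	}
	return nil
}

// Demo credentials, constructed for this example only.
const demoUser, demoPass = "demo", "secret"

// basicAuthSubject checks the Basic credentials on r; returns the subject or "" on failure.
func basicAuthSubject(r *http.Request) string {
	user, pass, ok := r.BasicAuth()
	if !ok {
		return ""
	}
	userOK := subtle.ConstantTimeCompare([]byte(user), []byte(demoUser)) == 1
	passOK := subtle.ConstantTimeCompare([]byte(pass), []byte(demoPass)) == 1
	if userOK && passOK {
		return user
	}
	return ""
}

// Gateway runs allow on success and deny plus a 401 on failure; the two never mix.
func Gateway(allow, deny *HeaderMutator) http.Handler {
	return http.HandlerFunc(func(w http.ResponseWriter, r *http.Request) {
		subject := basicAuthSubject(r)
		if subject == "" {
			if err := deny.Apply(w.Header(), r, ""); err != nil {
				http.Error(w, "deny mutator failed", http.StatusInternalServerError)
				return
			}
			w.WriteHeader(http.StatusUnauthorized)
			return
		}
		if err := allow.Apply(w.Header(), r, subject); err != nil {
			http.Error(w, "allow mutator failed", http.StatusInternalServerError)
			return
		}
		w.WriteHeader(http.StatusOK)
	})
}

// BuildDemo wires both mutators with example templates.
func BuildDemo() http.Handler {
	allow, err := NewHeaderMutator(map[string]string{"X-Authenticated-User": "{{ .Subject }}"})
	if err != nil {
		panic(err)
	}
	deny, err := NewHeaderMutator(map[string]string{
		"WWW-Authenticate": `Basic realm="{{ .Host }}{{ .Path }}", charset="UTF-8"`,
	})
	if err != nil {
		panic(err)
	}
	return Gateway(allow, deny)
}

// Serve runs one in-memory request through h; user == "" sends no Authorization header.
func Serve(h http.Handler, method, url, user, pass string) (int, http.Header) {
	req := httptest.NewRequest(method, url, nil)
	if user != "" {
		req.SetBasicAuth(user, pass)
	}
	rec := httptest.NewRecorder()
	h.ServeHTTP(rec, req)
	res := rec.Result()
	return res.StatusCode, res.Header
}

func main() {
	h := BuildDemo()
	for _, c := range [][2]string{{"", ""}, {"demo", "wrong"}, {"demo", "secret"}} {
		code, hdr := Serve(h, "GET", "https://api.example.com/v1/orders", c[0], c[1])
		fmt.Printf("user=%q -> %d WWW-Authenticate=%q X-Authenticated-User=%q\n",
			c[0], code, hdr.Get("WWW-Authenticate"), hdr.Get("X-Authenticated-User"))
	}
}
```

Two caveats for anyone wiring this up for real. Browsers only show a credential prompt for challenge schemes they implement (Basic, Digest, Negotiate); a `Bearer` challenge is a valid `WWW-Authenticate` value under RFC 6750 but produces no prompt, so the browser use case in the issue is specifically a Basic challenge, and Basic credentials must only ever travel over TLS. Second, `realm` is an HTTP quoted-string: if it is built from request data, as the deny template above does, the path is URL-decoded and could contain a `"`, so production templates should either escape that value or use a fixed realm.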