How to use HttpWebRequest.Credentials Property for Basic Authentication?

Question

How can I use the Webrequest Credentials Property to send an basic authentication header? Why isn't the Authorization header send with the request even whenPreAuthenticate is set to true?

WebRequest request = (HttpWebRequest)WebRequest.Create("https://api.github.com/user");
request.Credentials = new NetworkCredential("githubUsername", "githubPassword");
request.PreAuthenticate = true;
var response = request.GetResponse();

Jos Vinke · Accepted Answer · 2014-08-12T07:39:06.387

5

The server should send a HTTP 401 Not Authorized response code containing a WWW-Authenticate HTTP header.

WWW-Authenticate: Basic realm="example"

The PreAuthenticate property only works after authentication has taken place. From MSDN:

true to send an HTTP Authorization header with requests after authentication has taken place; otherwise, false. The default is false.

See other answers for more in depth explanation.

edited Aug 12 '14 at 07:39

answered Nov 04 '13 at 21:20

Jos Vinke

2,704
3
26
45

Thanks for that Jos. I am a lot more informed now. – Nov 05 '13 at 17:45

score 4 · Answer 2 · edited May 23 '17 at 11:45

I've done some additional research based on Måns Tånneryd`s answer. And the link he posted in his comment: PreAuthenticate Property of WebRequest - Problem.

First of all as described in his link the HttpWebRequest.PreAuthenticate Property does NOT send the Authentication header PRE authentication, but pre sends it in following requests, after Authentication. From MSDN:

true to send an HTTP Authorization header with requests after authentication has taken place; otherwise, false. The default is false.

So even with the PreAuthenticate property set to true, we still need an WWW-Authenticate challenge with a 401 Unauthorized before anything happens. Now if we try to authenticate against github with the following code:

WebRequest request = (HttpWebRequest)WebRequest.Create("https://api.github.com/user");
request.Credentials = new NetworkCredential("githubUsername", "githubPassword");

var response = request.GetResponse();

An WebException will be thrown, because we don't get a WWW-Authenticate challenge. If we capture this in Fiddler we will get the following:

enter image description here

However if we try this, with the exact same code, against a website that does return a WWW-Authenticate challenge we will see the following in Fiddler:

enter image description here

And the response will have the result as expected.

score 3 · Answer 3 · answered Nov 04 '13 at 10:00

3

I can successfull run this code accessing another server that also requires both SSL and authentication. This server differs from the github in that the github returns a json result saying that it requires authentication and the other server returns a "classic" 401 html page. Sniffing the network you can see that the .net code tries to do anonymous auth even if you do set preauth to true which I think is rather confusing. However, upon receiving a regular 401-page it tries again, and this time with the auth info and everything works. It seems to me though as if .net reacts differently upon receiving the json version of a 401, not making a second try.

I guess this is not the answer you are looking for but hopefully it sheds some more light on the situation.

answered Nov 04 '13 at 10:00

Måns Tånneryd

503
4
9

1

I found both an explanation and a solution at Charles Cooks blog. Explanation is at http://www.cookcomputing.com/blog/archives/000580.html and a solution can be found at http://www.cookcomputing.com/blog/archives/000581.html. – Måns Tånneryd Nov 04 '13 at 10:10
Thanks for your answer, it sheds a nice light on the situation. Also the links you provided are helpful. Tonight I'll take some more time and try if I can successful authenticate against another server. Is the server you tried a public server which I could try to authenticate as well? I still wonder if their is a way to handle the JSON 401 with the Credential Property / to Authenticate Github with it. So I'll leave the question open for now. – Jos Vinke Nov 04 '13 at 11:46
The server I was using is, unfortunately, not public. – Måns Tånneryd Nov 04 '13 at 11:52
Thanks Måns! I got it working and shared some off my findings in another answer and I have marked your answer as accepted. – Jos Vinke Nov 04 '13 at 21:23
Happy to be of assistance. I have stumbled upon this situation before but never taken the time to figure out how come the preauth property wasn't resulting in the behavior I expected and simply accepted that the request round trips twice instead of once. – Måns Tånneryd Nov 05 '13 at 13:12

How to use HttpWebRequest.Credentials Property for Basic Authentication?

3 Answers3

Linked