96

I'm working with an API and I have to send a POST request. I know how to set a header (-H) and (-d) is the body, but what is "--user"?

If I submit this with Postman, or in a text editor with axios or just regular XMLRequest, where do I add this?

The docs say it is for regular http auth.

curl -X POST -H "Content-Type: application/json" \
     --user "<client_id>:<client_secret>" \
     -d '{"grant_type": "client_credentials", "scope": "public"}' \
     ...
anon
  • 1
    http://stackoverflow.com/a/27442239/3885376 – ROMANIA_engineer Mar 29 '16 at 18:38
  • 4
    So how would I do this not using curl. Does it go inside of the header object? I've tried setting client_id and client_secret as a key and value in the header. I've tried setting a key as 'Authorization' and the value as : (with the actual id and secret of course). No luck. So how do I use this in a text editor? – anon Mar 29 '16 at 18:41
  • 1
    How to do this without using CURL, indeed. None of these answers answer it. – Andrew Koster Jan 31 '20 at 22:23
  • 5
    4 years on... still a useful question, but nobody has answered it properly, 1) you shouldn't have accepted the substandard answer 2) your comment is an extremely useful part of the question, and should have been an edit. – Greg Woods Feb 14 '20 at 07:30
  • 3
    Jahmic's answer below is a better one – MattPark Sep 23 '20 at 15:33

6 Answers

120

Late to the party, but here goes...

You can use curl with the -v (verbose) parameter to see the headers sent. You will then see that the information provided with --user is transformed into a header, such as:

Authorization: Basic YWxhZGRpbjpvcGVuc2VzYW1l

The text after the Basic keyword is a base64 encoded text string of the username:password combination provided with the --user parameter.

To manually generate the base64 encoded credentials on Linux, you can simply call:

echo -n "username:password" | base64 -w0

For Windows, save the "username:password" to a file, then use certutil.exe to create a base64 encoded file:

certutil -encode credentials.txt credentials.asc

To test this end to end, you can remove --user username:password and substitute with --header "Authorization: Basic YWxhZGRpbjpvcGVuc2VzYW1l" and it will still authenticate just fine.

In summary, to do this manually without curl, you would need to base64 encode username:password combination. You would then need to set the HTTP Authorization header with the type as Basic along with the base64 encoded string.

James John McGuire 'Jahmic'
  • For any other dummies like me, remove the double-quotes from `echo -n "username:password"` unless you actually want to include them in your username or password – S.V. Jan 21 '21 at 10:58
  • This answers exactly what the question asked. In Spring OAuth2 security I'm able to get a token for grant type "client_credentials" using `curl -u ...` to obtain access token and it works with code that is looking for `Authentication: Basic...`, snippet below from, `@Override protected void doFilterInternal(HttpServletRequest request, HttpServletResponse response, FilterChain chain) throws IOException, ServletException { final boolean debug = this.logger.isDebugEnabled(); String header = request.getHeader("Authorization"); ` – Jose Quijada Feb 09 '21 at 00:31
  • I am puzzled as to why this information is not listed under `man --pager='less -p "^ +-u, --user "' curl`? Good answer! – Jonathan Komar May 31 '21 at 05:47
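The steps in the answer above, written out for Node.js as an added example (not code from the original answer). The function names are illustrative, and the request options mirror the curl command in the question.

```javascript
// Added example: reproduce what curl's --user does, without curl.
// Function names are illustrative; they do not come from any library.

// Build the value of the Authorization header for HTTP Basic auth.
function basicAuthHeader(userId, password) {
  // The first ":" separates user from password, so the user part cannot contain one.
  if (userId.includes(":")) {
    throw new Error("user-id must not contain ':'");
  }
  // Encode the UTF-8 bytes; a plain btoa() fails on characters outside Latin-1.
  const token = Buffer.from(`${userId}:${password}`, "utf8").toString("base64");
  return `Basic ${token}`;
}

// Decode a Basic header back into its parts, e.g. when reading a `curl -v` trace.
function parseBasicAuthHeader(value) {
  const m = /^Basic ([A-Za-z0-9+\/]+={0,2})$/i.exec(value.trim());
  if (!m) return null;
  const decoded = Buffer.from(m[1], "base64").toString("utf8");
  const sep = decoded.indexOf(":"); // split on the FIRST colon only
  if (sep === -1) return null;
  return { userId: decoded.slice(0, sep), password: decoded.slice(sep + 1) };
}

// Options object for fetch() equivalent to the curl command in the question.
// With XMLHttpRequest the same value goes into xhr.setRequestHeader("Authorization", ...).
function tokenRequestOptions(clientId, clientSecret) {
  return {
    method: "POST",
    headers: {
      "Content-Type": "application/json",
      Authorization: basicAuthHeader(clientId, clientSecret),
    },
    body: JSON.stringify({ grant_type: "client_credentials", scope: "public" }),
  };
}
```

axios accepts the same pair through its `auth: { username, password }` request option. Base64 is a reversible encoding, as `parseBasicAuthHeader` shows, so the header is only as private as the TLS connection that carries it.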
27

--user (or -u) in curl provides a basic auth to your request.

In Postman you can achieve the same result with a choice in the Authorization tab.

--user "<client_id>:<client_secret>" becomes

  • Type: Basic Auth
  • Username: client_id
  • Password: client_secret


Davide Pedron
26

The --user parameter in curl is used for server authentication. So if you don't define the authentication type via other parameters like --digest or --negotiate, it means the USER parameter is for HTTP basic authentication; it can also be combined with a :PASSWORD chunk to set a password as well. The full answer to your question depends on what kind of authentication is used behind the API you are sending the request to, and maybe curl would not be enough for it, as it supports a limited set of authentication schemes ...

Alexey Melezhik
2

Specify the user name and password to use for server authentication. If you simply specify the user name, curl will prompt for a password.

If your curl request does not have any --user, then a server that requires authentication sends back a 401 response code and an associated WWW-Authenticate: header that lists all the authentication methods that the server supports.

< HTTP/1.1 401 
< WWW-Authenticate: Basic realm="oauth2/client"

Then you will know the server is using Basic authentication.

You can add --basic to explicitly tell it is Basic authentication.

Please refer to HTTP authentication for more information.

sendon1982
1

Sometimes (depending on server implementation) the --user will negotiate a digest authenticated session. The headers for digest users are a one-time use. I believe a request to the server will first fail with a 401, but include a WWW-Authenticate response, including the digest realm, and the nonce secret. With these, a second request can be made with a new header Authorization value.

example:

Authorization: Digest username="LXAIQKBC", realm="MMS Public API", nonce="rE3sYnLXEhVMbh72JyUK7kfLIb+bAbKj", uri="/api/atlas/v1.0/groups", cnonce="YTVhM4YwMDB3ZjZjMTkxbCNiODA1ODnxZDFjOGMyMzE=", nc=00000001, qop=auth, response="7a5fcb8e4f92a665315bf62cdd87a67d", algorithm="MD5"
barrypicker
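The two-request Digest exchange described in the answer above, as an added Node.js example (not code from the original answer): it parses the challenge from the 401 reply and computes the `response` field for the second request, following RFC 2617 with qop=auth and MD5. The function names are illustrative, and the sample challenge and credentials are the RFC 2617 section 3.5 example, not values from this page.

```javascript
// Added example (not from the answer): Digest response per RFC 2617, qop=auth, MD5.
const { createHash } = require("node:crypto");
const md5 = (s) => createHash("md5").update(s, "utf8").digest("hex");

// Challenge from the RFC 2617 section 3.5 example, standing in for a server's 401 reply.
const RFC_CHALLENGE =
  'Digest realm="testrealm@host.com", qop="auth,auth-int", ' +
  'nonce="dcd98b7102dd2f0e8b11d0f600bfb0c093", opaque="5ccc069c403ebaf9f0171e9517f40e41"';

// Split a WWW-Authenticate: Digest value into its parameters (quoted or bare).
function parseDigestChallenge(header) {
  const params = {};
  const body = header.replace(/^\s*Digest\s+/i, "");
  for (const m of body.matchAll(/(\w+)=(?:"([^"]*)"|([^,\s]+))/g)) {
    params[m[1].toLowerCase()] = m[2] !== undefined ? m[2] : m[3];
  }
  return params;
}

// Build the Authorization header for the second request.
// nc is the 8-hex-digit use counter for this nonce; cnonce is a fresh client random.
function digestAuthHeader({ username, password, method, uri, challenge, cnonce, nc }) {
  const c = parseDigestChallenge(challenge);
  if (!c.realm || !c.nonce) throw new Error("challenge lacks realm or nonce");
  if (!(c.qop || "").split(",").map((q) => q.trim()).includes("auth")) {
    throw new Error("server did not offer qop=auth");
  }
  const ha1 = md5(`${username}:${c.realm}:${password}`); // password is sent only inside a hash
  const ha2 = md5(`${method}:${uri}`);
  const response = md5(`${ha1}:${c.nonce}:${nc}:${cnonce}:auth:${ha2}`);
  const fields = [
    `username="${username}"`, `realm="${c.realm}"`, `nonce="${c.nonce}"`,
    `uri="${uri}"`, `cnonce="${cnonce}"`, `nc=${nc}`, "qop=auth",
    `response="${response}"`, "algorithm=MD5",
  ];
  if (c.opaque) fields.push(`opaque="${c.opaque}"`); // must be echoed back unchanged
  return { response, header: `Digest ${fields.join(", ")}` };
}
```

Because the nonce comes from the server and `nc` counts uses of it, a header captured from one request does not verify for a different nonce or URI, unlike a Basic header.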
-1

As an addition to Jahmic's answer, Node.js programmers can do this to convert to base64 string:

const cryptoJS = require("crypto-js");
// username and password are the two halves of the value passed to curl's --user
const base64Str = cryptoJS.enc.Base64.stringify(cryptoJS.enc.Utf8.parse(`${username}:${password}`));