I have a Django Rest Framework api that uses bearer token for authentication behind Nginx reverse proxy. I'm setting up basic authentication to protect the proxy in the development server, but I'm not sure what's the best way to protect the api using both authentication methods. I need two authentication methods, because I'd like only admins to be able to see the api page (even if the private information were only accessible to people with the bearer token). I have read that using multiple values in the Authorization header is not compatible with the spec, so I was thinking that maybe I could switch the header used by Django from Authorization to "Custom-Authorization", but the solution seems hack-ish. I'd rather have an Nginx solution for this (and even use custom header for basic auth if that were possible). What would you recommend?
Did you find a solution? Same problem here – Philipp S. Nov 24 '21 at 11:01
1 Answer
You can find the answer here: Multiple HTTP Authorization headers?
=> Basic authentication and the bearer token share the same header. This is basically the reason why it is not working.

Philipp S.
- Well, yeah, I think that is implied in the question. My current position is that double authentication in the case of an API just isn't necessary, so I kinda erased this problem from my mind. Possible "solutions" / workarounds are still appreciated, nevertheless. – vfinn Nov 25 '21 at 09:21
- When I wrote "I have read that using multiple values in the Authorization header is not compatible with the spec", I was actually referring to the link you gave =), but thank you. My mistake for not including the link myself. – vfinn Nov 25 '21 at 09:32
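One Nginx-side workaround for the setup in the question, added here as an example and not taken from the thread or from any project: Nginx keeps standard Basic auth on the `Authorization` header, while the client carries the API token in a second header that Nginx moves into `Authorization` before proxying, so Django keeps its unchanged token handling. The header name `X-Api-Authorization`, the htpasswd path, the upstream address and the hostname are assumptions.

```nginx
# Development-only reverse proxy: Basic auth guards the proxy,
# the API token still reaches Django in the header it expects.
server {
    listen 443 ssl;
    server_name api.example.test;   # assumed hostname

    location /api/ {
        # Nginx checks "Authorization: Basic ..." against this file (assumed path).
        auth_basic           "Development API";
        auth_basic_user_file /etc/nginx/.htpasswd;

        # The client sends its API token in a second, assumed header:
        #   X-Api-Authorization: Bearer <token>
        # $http_x_api_authorization is Nginx's variable for that request header.
        # Setting Authorization upstream replaces the Basic credentials with the
        # token, so the htpasswd password never reaches Django; an empty value
        # means the header is not forwarded at all (unauthenticated API call).
        proxy_set_header Authorization     $http_x_api_authorization;
        # Drop the custom header so the token is not forwarded twice.
        proxy_set_header X-Api-Authorization "";

        proxy_pass http://127.0.0.1:8000;   # assumed Django upstream
    }
}
```

Clients then send both headers: `Authorization: Basic ...` for Nginx and `X-Api-Authorization: Bearer ...` for Django, with neither auth method having to share one header value. Because this rewrite only happens on the proxied path, Django must not be reachable directly on port 8000 from outside the host.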