0

I'm trying to redirect to a page that uses basic authentication. The only way I have got it to work so far is by adding username:password@url to the url of the page I'm trying to redirect to, which does not work if the web app is used in an Iframe.

The second method I have tried is the code shown here. In the response I get a status Ok but when trying to redirect to the url return in the response, the page will prompt a basic authentication pop up.

var username = "username";
var password = "password";

var client = new RestClient(url);

client.Timeout = -1;

var request = new RestRequest(Method.GET);
request.UseDefaultCredentials = true;

client.Authenticator = new HttpBasicAuthenticator(username,password);
client.PreAuthenticate = true;

// Have also used the line above instead, they both return status OK
// request.AddHeader("Authorization", "Basic " + svcCredentials)

IRestResponse response = client.Execute(request);

return Redirect(response.ResponseUri.ToString());
marc_s
  • 732,580
  • 175
  • 1,330
  • 1,459
Diogo Silva
  • 3
  • 1
  • 5
  • Do you mean OAUTH authentication? See : https://stackoverflow.com/questions/71019813/how-to-pass-custom-values-to-identityserver4-with-oauth?force_isolation=true#comment125597704_71019813 – jdweng Feb 10 '22 at 17:16
  • Does this answer your question? [Retaining authorization header in RestSharp during redirects](https://stackoverflow.com/questions/53374247/retaining-authorization-header-in-restsharp-during-redirects) – quaabaam Feb 10 '22 at 17:22
  • Thank you for your replies, that does not help because there is a request being made to an API, hence a response will be returned, on my situation Im trying to redirect to a completely different page, that will ask for basic authentication, 1 username and password for everyone (I know there is no security on doing this, but it is not up to me to decide) – Diogo Silva Feb 10 '22 at 17:26
  • Most browsers don't allow you to include credentials in the URL for security reasons. For example, `https://www.google.com/somelongstring@pass:evilbadguys.com/phishing` looks like a valid Google URL to most users. – Richard Deeming Feb 10 '22 at 17:36
  • 1
    And I'm not sure why you'd think that making a request **on the server** with BASIC authentication credentials would have any effect on the request made **on the client**. – Richard Deeming Feb 10 '22 at 17:36
  • @RichardDeeming this is part of a simple web app that will pick some parameters and generate a URL from a SQL Server Report Services server and display a report, and there is no way of removing authentication to access the reports. – Diogo Silva Feb 10 '22 at 19:41
  • Did you ever find a resolution for this? I'm running into the exact same situation. – user3562286 Mar 08 '23 at 20:48

0 Answers0