What should I pass for the WWW-Authenticate header on 401s if I'm only using OpenID?

Question

The HTTP spec states:

10.4.2 401 Unauthorized

The request requires user authentication. The response MUST include a WWW-Authenticate header field (section 14.47) containing a challenge applicable to the requested resource.

If the only login scheme I support is OpenID (or CAS, or OAuth tokens, &c.), what should I put in this field? That is, how do I indicate that the client needs to pre-authenticate and create a session rather than try to send credentials along with each request?

Before you answer, "don't send a 401; send a 3xx redirecting to the OpenID login page," what about for non-HTML clients? How, for example, would Stack Overflow do an API that my custom software could interact with?

score 26 · Accepted Answer · edited Oct 07 '21 at 05:46

26

According to RFC2617 the auth-scheme can be anything; if you really want a 401 you're not technically breaking spec by making something up like WWW-Authenticate: OpenID realm="My Realm" location="http://my/login/location". Having said that, behaviour of other people's code when you do that is of course undefined. :-)

edited Oct 07 '21 at 05:46

Community

1
1

answered Jul 06 '09 at 17:11

Chris Boyle

11,423
7
48
63

2

Updated by [RFC 7235](https://tools.ietf.org/html/rfc7235#section-4.1). – Константин Ван Aug 18 '19 at 13:25

score 3 · Answer 2 · edited Mar 18 '13 at 21:15

3

There is an OAuth Discovery spec that would indicate what to put into the WWW-Authenticate header -- if the spec were not obsolete without a replacement spec yet.

edited Mar 18 '13 at 21:15

jpsecher

4,461
2
33
42

answered Jun 02 '09 at 16:39

Andrew Arnott

80,040
26
132
171

What should I pass for the WWW-Authenticate header on 401s if I'm only using OpenID?

2 Answers2

Linked