Skip to content
New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

Sign up for GitHub

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Jump to bottom

Allow comma separated authentication headers #8889

Open
JialeHu opened this issue Feb 27, 2023 · 4 comments
Open

Allow comma separated authentication headers #8889

JialeHu opened this issue Feb 27, 2023 · 4 comments

Comments

@JialeHu
Copy link

JialeHu commented Feb 27, 2023

django-rest-framework/rest_framework/views.py

Line 183 in 3f8ab53

def get_authenticate_header(self, request):

Since WWW-Authenticate allows comma separated challenges https://developer.mozilla.org/en-US/docs/Web/HTTP/Headers/WWW-Authenticate#syntax, why not enable that here by returning headers from all authenticators instead of just the first one?
@auvipy
Copy link
Member

auvipy commented Feb 28, 2023

care to share some code snippets?

@kevin-brown
Copy link
Member

I believe the primary reason why this wasn't done was to allow people to disable the WWW-Authenticate response by putting a not supported method first in their list. By returning all of them, they would no longer be able to disable that behaviour.

@JialeHu
Copy link
Author

JialeHu commented Mar 2, 2023

Would it be possible to allow user to disable it thru settings? So that other users can have the option to show the full header

@Ehsan200
Copy link
Contributor

@kevin-brown
I don't understand why this wasn't done and how it is related to the not supported methods. Can you provide me more information?

Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment
Assignees
No one assigned
Labels
None yet
Projects
None yet
Milestone
No milestone
Development

No branches or pull requests
4 participants
@kevin-brown @auvipy @Ehsan200 @JialeHu