Problem with http basic authentication

Can anyone steer me in the right direction for using the HttpClient library to connect to a server that requires basic authentication? The server returns a 401 error (access denied) when I try to connect.

I’m sending an authorization header with my username:password encoded as base 64. The header code looks like this:

http_header_t headers[] = {
    //  { "Content-Type", "application/json" },
    //  { "Accept" , "application/json" },
    { "Authorization", "Basic cxF0cxFbY2g6cxF0bWFbMDY=" },
    { "Accept" , "*/*"},
    { NULL, NULL } // NOTE: Always terminate headers with NULL
};

So that particular base-64 string does not decode to anything ASCII–are you using an extended character set? Perhaps you just obfuscated your real username password.

This page https://en.wikipedia.org/wiki/Basic_access_authentication has an example of the encoding–maybe you could try this user:pass through your flow and make sure you get the same answer.

Yes, I should have mentioned that I changed a few characters in the string to hide the actual username/password pair. I did double check that the string was encoded correctly.

Then I would try running the transaction on a desktop machine or laptop using curl with the verbose flag (-v) or better yet the trace option (--trace tracefile.txt). This will show you exactly what the headers are that work.

Thanks for that suggestion. My bad!! I realized when I tried this with curl that the server does not accept basic authentication. It requires digest authentication, which requires the client to send a different authorization header every time. The httpclient library doesn’t seem to support this. Any suggestions?

I don’t know of any implementation of this in the Arduino or Particle world. In theory it would not be hard to write if you grabbed an MD5 library and just went at it.

MD5 is largely discredited in the crypto world these days so perhaps using a TLS/SSL client would be better, if that is possible. The hard part with TLS/SSL on small micros is the certificate management (and fitting the program in memory) which is simplified if only one host is to be accessed.

SSL isn’t practical for my application but I was able to leverage some digest authentication code from another user’s project. When time permits, I’ll take it a step further and create a general purpose library.

This online tool was very helpful to me for understanding and debugging the necessary response header.
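For checking a device's digest header on a desktop, the following is an added example, not code from this thread or from the HttpClient library. It is written in Python rather than firmware C++ so it can run beside curl. It computes the RFC 2617 MD5 response from the server's `WWW-Authenticate` challenge; all function names are hypothetical and the sample values are the worked example published in RFC 2617.

```python
import hashlib
import re

def md5_hex(text):
    return hashlib.md5(text.encode("utf-8")).hexdigest()

def parse_challenge(header):
    """Turn 'Digest realm="..", nonce="..", qop="auth"' into a dict."""
    scheme, _, params = header.partition(" ")
    if scheme.lower() != "digest":
        raise ValueError("not a Digest challenge: %r" % scheme)
    pairs = re.findall(r'(\w+)=(?:"([^"]*)"|([^\s,]+))', params)
    return {key.lower(): (quoted or bare) for key, quoted, bare in pairs}

def digest_response(user, password, method, uri, chal, nc, cnonce):
    """Response hash for algorithm=MD5 with qop=auth, or with no qop."""
    if chal.get("algorithm", "MD5").upper() != "MD5":
        raise ValueError("only algorithm=MD5 is handled in this example")
    ha1 = md5_hex(f"{user}:{chal['realm']}:{password}")
    ha2 = md5_hex(f"{method}:{uri}")
    qops = [q.strip() for q in chal.get("qop", "").split(",") if q.strip()]
    if "auth" in qops:
        # nc is an 8-digit hex counter; it must increase on every request
        # that reuses the same server nonce, so the hash changes each time.
        return md5_hex(f"{ha1}:{chal['nonce']}:{nc:08x}:{cnonce}:auth:{ha2}")
    if qops:
        raise ValueError("server offers only qop values not handled here")
    return md5_hex(f"{ha1}:{chal['nonce']}:{ha2}")  # no qop (RFC 2069 style)

def authorization_header(user, password, method, uri, chal, nc, cnonce):
    resp = digest_response(user, password, method, uri, chal, nc, cnonce)
    parts = [f'username="{user}"', f'realm="{chal["realm"]}"',
             f'nonce="{chal["nonce"]}"', f'uri="{uri}"', f'response="{resp}"']
    if "auth" in chal.get("qop", ""):
        parts += ["qop=auth", f"nc={nc:08x}", f'cnonce="{cnonce}"']
    if "opaque" in chal:
        parts.append(f'opaque="{chal["opaque"]}"')  # echoed back unchanged
    return "Digest " + ", ".join(parts)

# Sample challenge and credentials: the worked example from RFC 2617.
SAMPLE_CHALLENGE = ('Digest realm="testrealm@host.com", qop="auth,auth-int", '
                    'nonce="dcd98b7102dd2f0e8b11d0f600bfb0c093", '
                    'opaque="5ccc069c403ebaf9f0171e9517f40e41"')

if __name__ == "__main__":
    chal = parse_challenge(SAMPLE_CHALLENGE)
    print(authorization_header("Mufasa", "Circle Of Life", "GET",
                               "/dir/index.html", chal, 1, "0a4f113b"))
```

Comparing this output with the `Authorization` line in a `curl --trace` capture of the same request shows which input field the device is building differently.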
