Authorization in RESTful HTTP API, 401 WWW-Authenticate

Backend · Unresolved · 2 · 1324
梦谈多话 2020-12-29 01:47

I'm creating a RESTful service to provide data to a web application. I have two related questions about this.

1. How to deal with unauthorized requests?

I

2 answers
  • 2020-12-29 02:26

    To answer your questions:

    How to deal with unauthorized requests?

    The way you described it is pretty much the recommended way for a RESTful service. As far as I can see there is absolutely nothing wrong with that.

    What WWW-Authenticate header should 401 responses supply?

    In general the WWW-Authenticate header tells the client what kind of authentication the server will accept. If the client makes an unauthorized request, which means he is sending a request with a missing or invalid Authorization header, the server will use WWW-Authenticate to tell the client what authentication scheme he will accept (i.e. Basic, Digest or OAuth) and for what realm.

    Imagine it like some kind of identification question or challenge on the part of the server, i.e. something like "Who are you?" or "Prove who you are by providing credentials in the following way!".

    For Example: WWW-Authenticate: Basic realm="My App"

    Here the server tells the client that he uses an authentication scheme named Basic. The realm is nothing more than some string that identifies a protected space on the server.

    0 Discussion (0)
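The server side of the exchange described in this answer, as an added example (it is not code from the answer's author or from any particular framework): a request either carries a valid `Authorization: Basic …` header and is served, or it gets a 401 whose `WWW-Authenticate: Basic realm="My App"` header names the scheme and realm the server accepts. The user store, realm and `handle_request` function are hypothetical; the decision is written as a pure function over a headers dictionary so it can be wired into any HTTP framework. Malformed base64, a missing scheme, or a different scheme all produce the same 401 challenge, and the password check uses a constant-time comparison so a wrong user name and a wrong password are not distinguishable by timing.

```python
import base64
import binascii
import hmac

# Constructed sample credential store (hypothetical). A real service would
# store salted password hashes, not plaintext, and look users up in a database.
REALM = "My App"
USERS = {"alice": "correct horse battery staple"}


def challenge_headers():
    """Headers for a 401: tell the client which scheme and realm to use."""
    return {"WWW-Authenticate": f'Basic realm="{REALM}"'}


def parse_basic_credentials(authorization):
    """Return (user, password) from a 'Basic <base64(user:password)>' value,
    or None if the header is absent, uses another scheme, or is malformed."""
    if not authorization:
        return None
    scheme, _, param = authorization.strip().partition(" ")
    if scheme.lower() != "basic" or not param.strip():
        return None
    try:
        # validate=True rejects characters outside the base64 alphabet instead
        # of silently discarding them.
        decoded = base64.b64decode(param.strip(), validate=True).decode("utf-8")
    except (binascii.Error, ValueError):
        return None
    user, sep, password = decoded.partition(":")
    if not sep:
        return None
    return user, password


def verify(user, password):
    """Constant-time password comparison; an unknown user is compared against
    an empty dummy so the code path is the same as for a known user."""
    expected = USERS.get(user, "")
    matches = hmac.compare_digest(password.encode("utf-8"), expected.encode("utf-8"))
    return matches and user in USERS


def handle_request(headers):
    """Authorization decision for one request: (status, response_headers, body)."""
    creds = parse_basic_credentials(headers.get("Authorization"))
    if creds is None or not verify(*creds):
        # Missing, malformed or wrong credentials all get the same challenge.
        return 401, challenge_headers(), "Unauthorized"
    return 200, {"Content-Type": "application/json"}, '{"user": "%s"}' % creds[0]


def basic_header(user, password):
    """Build the Authorization value a client would send in reply to the challenge."""
    return "Basic " + base64.b64encode(f"{user}:{password}".encode("utf-8")).decode("ascii")


if __name__ == "__main__":
    print(handle_request({}))
    print(handle_request({"Authorization": basic_header("alice", "correct horse battery staple")}))
    print(handle_request({"Authorization": basic_header("alice", "wrong")}))
```

Note that every failure path returns the identical 401 and challenge; the response does not say whether the user exists or whether only the password was wrong.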
  • 2020-12-29 02:33

    Based on my research (googling) I decided to send: Newauth realm="use login token".

    The website http://greenbytes.de/tech/tc/httpauth/#unknown has test cases for different auth methods and I haven't found anything which describes 'get auth token' and therefore I think it is a 'Newauth'.

    Also important for me: This doesn't create a login prompt on client side.

    0 Discussion (0)
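A client-side counterpart to this answer, added here as an example and not taken from the answer's author or from any library: a small parser for the `WWW-Authenticate` header value following the RFC 7235 challenge grammar, so a web application can read a custom challenge such as `Newauth realm="use login token"` (or several comma-separated challenges, including a `Basic` one) and decide what to do without relying on the browser's built-in dialog. The function name `parse_www_authenticate` and the `token68` key are assumptions of this example; quoted-string escapes are unquoted, parameter names are lower-cased, and a bare `token68` value after a scheme is kept under that key.

```python
import re

# RFC 7230 token characters and a quoted-string with backslash escapes.
_TOKEN = r"[!#$%&'*+\-.^_`|~0-9A-Za-z]+"
_QUOTED = r'"(?:[^"\\]|\\.)*"'
_SCHEME = re.compile(rf"\s*({_TOKEN})\s*")
_AUTH_PARAM = re.compile(rf"\s*({_TOKEN})\s*=\s*({_TOKEN}|{_QUOTED})\s*")
# token68 (e.g. a bare base64 blob after the scheme) must be the last thing
# before a comma or the end of the value.
_TOKEN68 = re.compile(r"\s*([A-Za-z0-9\-._~+/]+=*)\s*(?=,|$)")


def _unquote(value):
    """Strip surrounding quotes and backslash escapes from a quoted-string."""
    if value.startswith('"'):
        return re.sub(r"\\(.)", r"\1", value[1:-1])
    return value


def parse_www_authenticate(header):
    """Parse a WWW-Authenticate value into a list of (scheme, params) pairs.

    Raises ValueError on text that is neither a scheme, a parameter nor a
    token68, so a garbled header is not silently accepted."""
    challenges = []
    pos, n = 0, len(header)
    while pos < n:
        # Skip empty list elements and whitespace between challenges.
        while pos < n and header[pos] in ", \t":
            pos += 1
        if pos >= n:
            break
        m = _SCHEME.match(header, pos)
        if not m:
            raise ValueError(f"malformed challenge at offset {pos}")
        scheme, pos, params = m.group(1), m.end(), {}
        # Parameters are comma-separated; a parameter-looking item that has no
        # '=' is the start of the next challenge and ends this loop.
        while True:
            m = _AUTH_PARAM.match(header, pos)
            if not m:
                break
            params[m.group(1).lower()] = _unquote(m.group(2))
            pos = m.end()
            if pos < n and header[pos] == ",":
                pos += 1
        if not params:
            m = _TOKEN68.match(header, pos)
            if m:
                params["token68"] = m.group(1)
                pos = m.end()
        challenges.append((scheme, params))
    return challenges


def has_scheme(challenges, scheme):
    """Scheme names are case-insensitive; check whether one was offered."""
    return any(s.lower() == scheme.lower() for s, _ in challenges)


if __name__ == "__main__":
    # Constructed sample header carrying the custom challenge from the answer
    # plus a Basic one, as a server might send both.
    sample = 'Newauth realm="use login token", Basic realm="My App"'
    for scheme, params in parse_www_authenticate(sample):
        print(scheme, params)
```

Because the parser returns every challenge, a client can pick the custom scheme when it is offered and fall back to `Basic` otherwise, instead of string-matching on the raw header.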