To help everyone avoid confusion, I will reformulate the question in two parts.
First: "how can I make an authenticated HTTP request with a browser, using BASIC auth?".
In the browser you can do an HTTP basic auth first by waiting for the prompt to come, or by editing the URL if you follow this format: http://myusername:mypassword@somesite.com
NB: the curl command mentioned in the question is perfectly fine, if you have a command-line and curl installed. ;)
References:
Also according to the CURL manual page https://curl.haxx.se/docs/manual.html
HTTP
Curl also supports user and password in HTTP URLs, thus you can pick a file
like:
curl http://name:passwd@machine.domain/full/path/to/file
or specify user and password separately like in
curl -u name:passwd http://machine.domain/full/path/to/file
HTTP offers many different methods of authentication and curl supports
several: Basic, Digest, NTLM and Negotiate (SPNEGO). Without telling which
method to use, curl defaults to Basic. You can also ask curl to pick the
most secure ones out of the ones that the server accepts for the given URL,
by using --anyauth.
NOTE! According to the URL specification, HTTP URLs can not contain a user
and password, so that style will not work when using curl via a proxy, even
though curl allows it at other times. When using a proxy, you _must_ use
the -u style for user and password.
The second and real question is "However, on somesite.com, I'm not getting an authorization prompt at all, just a page that says I'm not authorized. Did somesite not implement the Basic Auth workflow correctly, or is there something else I need to do?"
The curl documentation says the -u option supports many methods of authentication, Basic being the default.
Best bet might be using an API key in the header (e.g. 'Authorization: Token MY_API_KEY') instead of as a url param:
Advantages over HTTP Basic Auth:
- More convenient, as you can easily expire or regenerate tokens without affecting the user's account password.
- If compromised, vulnerability limited to API, not the user's master account
- You can have multiple keys per account (e.g. users can have "test" and "production" keys side by side.)
Advantages over API key in URL:
- Provides extra measure of security by preventing users from inadvertently sharing URLs with their credentials embedded in them. (Also, URL can wind up in things like server logs)
Best Answer
I am assuming Basic authentication here.
You can get your credential through other means (Import-Clixml, etc.), but it does have to be a [PSCredential] object.
Edit based on comments:
GitHub is breaking RFC as they explain in the link you provided:
PowerShell's Invoke-WebRequest does to my knowledge wait for a 401 response before sending the credentials, and since GitHub never provides one, your credentials will never be sent.
Manually build the headers
Instead you'll have to create the basic auth headers yourself.
Basic authentication takes a string that consists of the username and password separated by a colon (user:pass) and then sends the Base64 encoded result of that.
Code like this should work:
You could combine some of the string concatenation but I wanted to break it out to make it clearer.
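The header construction described in the answer above, written out as an added example (not code from the original answer). The function names New-BasicAuthHeader and Invoke-BasicAuthRequest and the example URL are assumptions made for illustration; the sketch sends the Authorization header on the first request instead of waiting for a 401, and refuses non-HTTPS targets because Base64 is only an encoding.

```powershell
# Added example: build a preemptive Basic Authorization header from a PSCredential.
# Function names are hypothetical, chosen for this illustration.
function New-BasicAuthHeader {
    [CmdletBinding()]
    param(
        [Parameter(Mandatory)]
        [System.Management.Automation.PSCredential]$Credential
    )

    $user = $Credential.UserName
    # RFC 7617: the user-id cannot contain a colon, because the first colon
    # separates user-id from password when the server decodes the value.
    if ($user.Contains(':')) {
        throw "User name must not contain ':' for Basic authentication."
    }

    # GetNetworkCredential() exposes the plain-text password; it is only
    # held long enough to build the encoded pair.
    $pair  = '{0}:{1}' -f $user, $Credential.GetNetworkCredential().Password
    $bytes = [System.Text.Encoding]::UTF8.GetBytes($pair)
    $token = [System.Convert]::ToBase64String($bytes)

    # Hashtable in the shape Invoke-WebRequest -Headers expects.
    @{ Authorization = "Basic $token" }
}

function Invoke-BasicAuthRequest {
    [CmdletBinding()]
    param(
        [Parameter(Mandatory)][uri]$Uri,
        [Parameter(Mandatory)][System.Management.Automation.PSCredential]$Credential
    )

    # Base64 is reversible by anyone on the path: never send it over cleartext HTTP.
    if ($Uri.Scheme -ne 'https') {
        throw "Refusing to send Basic credentials over '$($Uri.Scheme)'; use https."
    }

    Invoke-WebRequest -Uri $Uri -Headers (New-BasicAuthHeader -Credential $Credential)
}

# Constructed usage; the URL is a placeholder, not an endpoint from the page.
# $cred = Get-Credential
# Invoke-BasicAuthRequest -Uri 'https://api.example.com/resource' -Credential $cred
```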