From cUrl docs:
-u, --user <user:password;options> Specify the user name, password and optional login options to use for server authentication. Overrides -n, --netrc and --netrc-optional. What it gets translated to, meaning how do I catch it on the server to authenticate the user: are they in GET or in POST parameters?
The language is not important, the idea is important.
3 Answers
It all depends on the authentication method but for the most common ones - Basic Auth and Digest Auth, this works with ad hoc HTTP headers. Here's an example with Basic Auth:
curl -u john:pwd This performs a GET request with the corresponding header:
GET /misc HTTP/1.1 Authorization: Basic am9objpwd2Q= User-Agent: curl/7.33.0 Host: foo.com Accept: */* The Authorization header contains the authentication data the server is supposed to parse, base64 decode[1] and use. The same header would be set with a POST request. You can easily test it out with a service like httpbin(1) (see /basic-auth/:user/:passwd endpoint).
Digest auth is a bit more complex but works with HTTP headers too:
- the client first send its request, the server replies with a
401 Unauthorizedincluding aWWW-Authenticateheader with a challenge to solve, - the client solves the challenge and send another request with the response included into a
Authorizationheader which has to be parsed and validated on the server-side.
[1]: base64("john:pwd") -> am9objpwd2Q=
There is an easier way to do. Do it this way
In PHP/nginx, it's available in this array element as a base64 encoded string. It works both on GET and POST (curl -X POST ) methods.
$_SERVER['HTTP_AUTHORIZATION'] Request:
curl -u arun:12345 value in $_SERVER['HTTP_AUTHORIZATION']:
Basic YXJ1bjoxMjM0NQ==