ADD credentials in DHIS2 url

Hi All,

Please, I would like to know if it is possible to add authentication directly in the URL

Example: username:password@[dhisUrl]/api/…

Best

Hi Hakim

No, that is not possible and would not be a good idea since your credentials would be visible in the request itself.

You will need to use a basic authentication header for this as described in the manual:

https://docs.dhis2.org/master/en/developer/html/webapi_authentication.html

Regards,

Jason

Jason P. Pickering
email: jason.p.pickering@gmail.com
tel:+46764147049

ok I see the point of view

thank you jason!


Mailing list: https://launchpad.net/~dhis2-devs

Post to : dhis2-devs@lists.launchpad.net

Unsubscribe : https://launchpad.net/~dhis2-devs

More help : https://help.launchpad.net/ListHelp

This is not really a dhis2 thing so much as a change in browser
behaviour. In times gone by when you presented a url like
"https://admin:district@play.dhis2.org/dev/api/me" the browser would
take that url and create the basic authentication header that Jason
refers to.

After a couple of wobbles along the way since 2014, this is no longer
the default behaviour on any of the major browsers. It's really
because URLs find themselves in history, bookmarks, log files etc.
which are not appropriate places to be storing credentials.

(sections 3.2.1 and 7.5 of https://www.ietf.org/rfc/rfc3986.txt)

Chrome held out the longest, but is now also compliant with the new behaviour.
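
The conversion browsers used to perform, done explicitly on the client side so the credentials leave the URL before it is requested or logged. This is an added example, not code from the thread or from DHIS2; the function names `split_credentials` and `redact` are hypothetical, and it uses only the Python standard library.

```python
import base64
from urllib.parse import urlsplit, urlunsplit, unquote


def split_credentials(url):
    """Return (url_without_userinfo, headers) for a URL that may carry user:password@."""
    parts = urlsplit(url)
    # Rebuild the authority from host and port only, dropping any userinfo.
    host = parts.hostname or ""
    if ":" in host:  # an IPv6 literal needs its brackets back
        host = f"[{host}]"
    netloc = host if parts.port is None else f"{host}:{parts.port}"
    clean = urlunsplit((parts.scheme, netloc, parts.path, parts.query, parts.fragment))

    headers = {}
    if parts.username is not None:
        # Userinfo is percent-encoded in the URL; the header carries the raw values.
        user = unquote(parts.username)
        password = unquote(parts.password or "")
        token = base64.b64encode(f"{user}:{password}".encode("utf-8")).decode("ascii")
        headers["Authorization"] = f"Basic {token}"
    return clean, headers


def redact(url):
    """Form of the URL that is safe for history, bookmarks and log files."""
    return split_credentials(url)[0]
```

The returned headers go on the request made to the cleaned URL over HTTPS; only the `redact()` form of a URL should ever be written to a log.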

Hi Djibril,

Just a note, GET requests / URLs are often cached by intermediary caches/proxies/servers on the web (as per the HTTP spec), so if you do this you should consider your credentials to be public knowledge.

regards,

Lars

Lars Helge Øverland

Technical lead, DHIS 2

University of Oslo

lars@dhis2.org

https://www.dhis2.org