Android OkHttp with Basic Authentication

Question

I'm using the OkHttp library for a new project and am impressed with its ease of use. I now have a need to use Basic Authentication. Unfortunately, there is a dearth of working sample code. I'm seeking an example of how to pass username / password credentials to the OkAuthenticator when an HTTP 401 header is encountered. I viewed this answer:

Retrofit POST request w/ Basic HTTP Authentication: "Cannot retry streamed HTTP body"

but it didn't get me too far. The samples on the OkHttp github repo didn't feature an authentication-based sample either. Does anyone have a gist or other code sample to get me pointed in the right direction? Thanks for your assistance!

Ask for this to be implemented https://github.com/square/okhttp/issues/2143 — pomo, Sep 19 '16 at 07:53

score 117 · Answer 1 · answered Jan 15 '16 at 20:28

Update Code for okhttp3:

import okhttp3.Authenticator;
import okhttp3.Credentials;
import okhttp3.MediaType;
import okhttp3.OkHttpClient;
import okhttp3.Request;
import okhttp3.Response;
import okhttp3.Route;

public class NetworkUtil {

private final OkHttpClient.Builder client;

{
    client = new OkHttpClient.Builder();
    client.authenticator(new Authenticator() {
        @Override
        public Request authenticate(Route route, Response response) throws IOException {
            if (responseCount(response) >= 3) {
                return null; // If we've failed 3 times, give up. - in real life, never give up!!
            }
            String credential = Credentials.basic("name", "password");
            return response.request().newBuilder().header("Authorization", credential).build();
        }
    });
    client.connectTimeout(10, TimeUnit.SECONDS);
    client.writeTimeout(10, TimeUnit.SECONDS);
    client.readTimeout(30, TimeUnit.SECONDS);
}

private int responseCount(Response response) {
    int result = 1;
    while ((response = response.priorResponse()) != null) {
        result++;
    }
    return result;
}

}

How do you plug this inside a method? I keep getting compiler error: "authenticator in OKHttpClient cannot be applied (anonymous okhttp3.Authenticator)" — Mike6679, Dec 01 '16 at 20:00

score 68 · Answer 2 · answered Mar 17 '16 at 09:26

68

As pointed out by @agamov:

The aforementioned solution has one drawback: httpClient adds authorization headers only after receiving 401 response

@agamov proposed then to "manually" add authentication headers to each request, but there is a better solution: use an Interceptor:

import java.io.IOException;
import okhttp3.Credentials;
import okhttp3.Interceptor;
import okhttp3.Request;
import okhttp3.Response;

public class BasicAuthInterceptor implements Interceptor {

    private String credentials;

    public BasicAuthInterceptor(String user, String password) {
        this.credentials = Credentials.basic(user, password);
    }

    @Override
    public Response intercept(Chain chain) throws IOException {
        Request request = chain.request();
        Request authenticatedRequest = request.newBuilder()
                    .header("Authorization", credentials).build();
        return chain.proceed(authenticatedRequest);
    }

}

Then, simply add the interceptor to an OkHttp client that you will be using to make all your authenticated requests:

OkHttpClient client = new OkHttpClient.Builder()
    .addInterceptor(new BasicAuthInterceptor(username, password))
    .build();

answered Mar 17 '16 at 09:26

Alphaaa

4,206
8
34
43

2

This works perfectly. Exactly what I needed to avoid multiple 401 calls. My API requires all calls to be authenticated. – Hackmodford Aug 10 '16 at 19:44
Is there a kotlin version of this Interceptor? @Alphaaa – stebak Mar 21 '18 at 08:46
@KBJ This interceptor works with OkHttp, which is a Java library. HTTP libraries typically allow to work with interceptors, so if you find one for Kotlin, you can implement something similar to this :) – Alphaaa Mar 21 '18 at 18:28
In my opinion, we can use Interceptor interface if all endpoints require authentication or we have a finite list of endpoints with this requirement. When we don't know which exactly endpoints require authentication we can use Authenticator interface. When we need we can mix this 2 approaches to avoid double requests (401 -> 200) and avoid adding Authorization header in places where we don't need it (security issue). – ultraon Dec 17 '18 at 23:32
This is not the most efficient way to do this. The reason is, the interceptor code will be executed every time we make request to the server. So, this way we will be creating a `request.newBuilder()` eveytime. Where as, authenticator should be added to client only ones. – Shriharsh Pathak Dec 14 '21 at 08:17

score 56 · Answer 3 · answered Jul 16 '14 at 13:34

Here's the updated code:

client.setAuthenticator(new Authenticator() {
  @Override
  public Request authenticate(Proxy proxy, Response response) throws IOException {
    String credential = Credentials.basic("scott", "tiger");
    return response.request().newBuilder().header("Authorization", credential).build();
  }

  @Override
  public Request authenticateProxy(Proxy proxy, Response response) throws IOException {
    return null;
  }
})

score 41 · Accepted Answer · edited May 30 '18 at 11:46

41

Try using OkAuthenticator:

client.setAuthenticator(new OkAuthenticator() {
  @Override public Credential authenticate(
      Proxy proxy, URL url, List<Challenge> challenges) throws IOException {
    return Credential.basic("scott", "tiger");
  }

  @Override public Credential authenticateProxy(
      Proxy proxy, URL url, List<Challenge> challenges) throws IOException {
    return null;
  }
});

UPDATE:

Renamed to Authenticator

edited May 30 '18 at 11:46

Jemshit

9,501
5
69
106

answered Mar 19 '14 at 03:26

Jesse Wilson

39,078
8
121
128

Jesse - Thanks for the prompt answer. I see now I need to implement the OkAuthenticator interface. Oracle fan? – Kerr Mar 19 '14 at 12:43
I've implemented this but I'm still getting "Cannot retry streamed HTTP body" on nearly all requests. Is there another thing to tweak to make this work? Thanks – cottonBallPaws May 20 '14 at 22:25
OkAuthenticator link give a 404 -- http://square.github.io/okhttp/javadoc/com/squareup/okhttp/OkAuthenticator.html – Daniele Segato Jul 08 '14 at 14:18
12

Renamed to [Authenticator](http://square.github.io/okhttp/javadoc/com/squareup/okhttp/Authenticator.html) in OkHttp 2.0. – Jesse Wilson Jul 09 '14 at 05:56
4

New link for [Authenticator](https://square.github.io/okhttp/2.x/okhttp/com/squareup/okhttp/Authenticator.html) – Evan Knowles Feb 17 '16 at 06:54
Can this be used to login to Github and get a token from it? – android developer Nov 16 '19 at 10:23

score 38 · Answer 5 · answered Sep 20 '15 at 18:36

The aforementioned solution has one drawback: httpClient adds authorization headers only after receiving 401 response. Here's how my communication with api-server looked like:

If you need to use basic-auth for every request, better add your auth-headers to each request or use a wrapper method like this:

private Request addBasicAuthHeaders(Request request) {
    final String login = "your_login";
    final String password = "p@s$w0rd";
    String credential = Credentials.basic(login, password);
    return request.newBuilder().header("Authorization", credential).build();
}

Good catch. I wrote an improved answer that builds from yours: http://stackoverflow.com/a/36056355/2091700 — Alphaaa, Mar 17 '16 at 09:27

score 10 · Answer 6 · answered Jan 02 '17 at 06:41

10

Okhttp3 with base 64 auth

String endpoint = "https://www.example.com/m/auth/"
String username = "user123";
String password = "12345";
String credentials = username + ":" + password;

final String basic =
        "Basic " + Base64.encodeToString(credentials.getBytes(), Base64.NO_WRAP);
Request request = new Request.Builder()
        .url(endpoint)
        .header("Authorization", basic)
        .build();


OkHttpClient client = SomeUtilFactoryClass.buildOkhttpClient();
client.newCall(request).enqueue(new Callback() {
...

answered Jan 02 '17 at 06:41

s-hunter

24,172
16
88
130

5

`okhttp3.Credentials.basic(user, pass)` does this, so I think it should be preferred (just because it results in less code to mantain). – francesco foresti Mar 20 '17 at 09:08
@francescoforesti According to the doco, that will result in set of challenge/response requests, this is better if you don't want to do that. – Shorn Jul 18 '17 at 04:30
4

@Shorn `okhttp3.Credentials.basic(user, pass)` does not make any requests or changes any behaviour, it simply converts the username and password into a basic auth string. – FrederikNS Aug 22 '17 at 08:15

score 8 · Answer 7 · answered Aug 05 '19 at 14:36

In my case it only worked when I integrated authorization into the header (OkHttp Version 4.0.1):

Request request = new Request.Builder()
    .url("www.url.com/api")
    .addHeader("Authorization", Credentials.basic("username", "password"))
    .build();

Request response = client.newCall(request).execute();

score 6 · Answer 8 · answered Apr 26 '18 at 12:08

6

Someone asked for a Kotlin version of the interceptor. Here is what I came up with and it works great:

        val client = OkHttpClient().newBuilder().addInterceptor { chain ->
        val originalRequest = chain.request()

        val builder = originalRequest.newBuilder()
                .header("Authorization", Credentials.basic("ausername", "apassword"))
        val newRequest = builder.build()
        chain.proceed(newRequest)
    }.build()

answered Apr 26 '18 at 12:08

Rich Gabrielli

73
1
7

It's nice to see new answers keep coming in on my question as languages and techniques evolve. – Kerr Apr 27 '18 at 12:57
Interceptor is the wrong tool to do that! Use Authenticator instead. You will avoid many problems. – Dawid Hyży Mar 13 '19 at 09:30

sea cat · Answer 9 · 2020-06-09T16:25:51.317

In OkHttp3, you set the authorization on the OkHttpClient itself by adding the authenticator() method. After your original call comes back with the 401 response, the authenticator() adds the Authorization header

 new OkHttpClient.Builder()
        .connectTimeout(10000, TimeUnit.MILLISECONDS)
        .readTimeout(10000, TimeUnit.MILLISECONDS)
        .authenticator(new Authenticator() {
           @Nullable
           @Override
           public Request authenticate(@NonNull Route route, @NonNull Response response) {
             if (response.request().header(HttpHeaders.AUTHORIZATION) != null)
               return null;  //if you've tried to authorize and failed, give up

             String credential = Credentials.basic("username", "pass");
             return response.request().newBuilder().header(HttpHeaders.AUTHORIZATION, credential).build();
          }
        })
        .build();

Although it's more secure, if you don't want to spam the server with all the 401 requests in the first place, you can use something called preauthentication, where you send the Authorization header to begin with on your requests

String credentials = Credentials.basic("username", "password");
Request httpRequest = new Request.Builder()
                 .url("some/url")
                 .header("content-type", "application/json") 
                 .header(HttpHeaders.AUTHORIZATION, credentials)
                 .build();

implementation "com.google.guava:guava:20.0" But that value is just the "Authorization" string — sea cat, Nov 11 '21 at 23:41

score 3 · Answer 10 · answered May 10 '17 at 15:40

3

I noticed on Android with some server APIs like django you should add a word in token

Request request = new Request.Builder()
    .url(theUrl)
    .header("Authorization", "Token 6utt8gglitylhylhlfkghriyiuy4fv76876d68")
    .build();

, where that problematic word is that "Token ". Overall you should carefully see rules of those specific server APIs about how to compose requests.

answered May 10 '17 at 15:40

CodeToLife

3,672
2
41
29

Depends on the server and of course the token type, for example a Bearer token value should be something like `Bearer 6utt8gglitylhylhlfkghriyiuy4fv76876d68` – Ahmet Gokdayi Dec 07 '19 at 08:21

Nosov Pavel · Answer 11 · 2017-04-02T12:26:34.987

2

All answers are good but no one said, that for some requests content-type is required, you should add a content-type to your request like this:

Request request = new Request.Builder()
        .url(url)
        .addHeader("content-type", "application/json") 
        .post(body)
        .build();

If you don't add it, you will get Unauthorized message and you will waste a lot of time to fix it.

edited Apr 02 '17 at 12:26

answered Jan 27 '17 at 00:48

Nosov Pavel

1,571
1
18
34

score 0 · Answer 12 · edited Feb 20 '19 at 16:02

This is a snippet for OkHttp Client:

  OkHttpClient client = new OkHttpClient.Builder()
               .authenticator(new Authenticator() {
              @Override public Request authenticate(Route route, Response 
   response) throws IOException {
                   if (response.request().header("Authorization") != null) {
                      return null; // Give up, we've already attempted to 
   authenticate.
                   }

                  System.out.println("Authenticating for response: " + response);
                  System.out.println("Challenges: " + response.challenges());
                   String credential = Credentials.basic(username, password);
                   return response.request().newBuilder()
                           .header("Authorization", credential)
                           .build();
               }
           }) .build();

Do a request now. Basic auth will go as client already has that.

    Request request = new Request.Builder().url(JIRAURI+"/issue/"+key).build();
                client.newCall(request).enqueue(new Callback() {
                    @Override
                   public void onFailure(Call call, IOException e) {
                       System.out.println("onFailure: "+e.toString());
                    }

                @Override
                public void onResponse(Call call, Response response) throws IOException {
                    System.out.println( "onResponse: "+response.body().string());

                }
            });

score 0 · Answer 13 · answered Jun 01 '22 at 16:27

You can try this code for a no frills approach.

    String credentials = username + ":" + password;

    final String basic = "Basic " + 
    java.util.Base64.getEncoder().encodeToString(credentials.getBytes());

    Request request = new Request.Builder().header("Authorization", 
    basic).url(connectString).post(body)

Android OkHttp with Basic Authentication

13 Answers13

Linked