
I'm currently trying to understand some technical implications of using HTTP Basic Auth for an HTTP API sketch.

What I noticed is that both the C# HTTP Web Request as well as wget will - by default - send a request without credentials first, resulting in a 401 from the server and only then send the basic authentication info. (Thanks to SO auto suggestions, it seems browsers do it the same way.)

You can get wget to always send it via --auth-no-challenge but it's not the default.

The HttpWebRequest object will always request a 401 first, unless you manually assemble the authentication header. (Even with the PreAuthentication option.)

Is there a specific reason (in the HTTP spec) for this? It seems weird that these "developer centered tools" will do the authentication dance when I already specify that I want to do basic auth + user + passwd?


Adding a quote from the (hopefully) relevant RFC2617: (emph. mine)

A user agent that wishes to authenticate itself with an origin
server -- usually, but not necessarily, after receiving a 401
(Unauthorized) -- MAY do so by including an Authorization header field
with the request.

Martin Ba
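The two behaviours described in the question, as an added example that is not part of the original post: a local test server records the status codes it returns for one logical GET, first with handler-based Basic auth and then with a manually assembled Authorization header. Python's urllib stands in here for HttpWebRequest and wget; the credentials, the realm and the `fetch` helper are constructed for the demo.

```python
import base64
import hmac
import threading
import urllib.request
from http.server import BaseHTTPRequestHandler, HTTPServer

USER, PASSWORD, REALM = "demo", "s3cret", "sketch"  # constructed values
EXPECTED = "Basic " + base64.b64encode(f"{USER}:{PASSWORD}".encode()).decode()

class Handler(BaseHTTPRequestHandler):
    def do_GET(self):
        sent = self.headers.get("Authorization", "")
        status = 200 if hmac.compare_digest(sent, EXPECTED) else 401
        self.server.statuses.append(status)
        self.send_response(status)
        if status == 401:  # the challenge names the scheme and realm
            self.send_header("WWW-Authenticate", f'Basic realm="{REALM}"')
        self.send_header("Content-Length", "0")
        self.end_headers()

    def log_message(self, *args):  # keep the demo quiet
        pass

def fetch(preemptive):
    """Do one logical GET; return the status codes the server sent."""
    server = HTTPServer(("127.0.0.1", 0), Handler)
    server.statuses = []
    threading.Thread(target=server.serve_forever, daemon=True).start()
    url = f"http://127.0.0.1:{server.server_port}/"
    no_proxy = urllib.request.ProxyHandler({})  # ignore proxy env vars
    try:
        if preemptive:
            # Manually assembled header: credentials go out unprompted.
            req = urllib.request.Request(url, headers={"Authorization": EXPECTED})
            urllib.request.build_opener(no_proxy).open(req).close()
        else:
            # Handler-based auth: urllib waits for the 401 challenge first.
            mgr = urllib.request.HTTPPasswordMgrWithDefaultRealm()
            mgr.add_password(None, url, USER, PASSWORD)
            auth = urllib.request.HTTPBasicAuthHandler(mgr)
            urllib.request.build_opener(no_proxy, auth).open(url).close()
    finally:
        server.shutdown()
        server.server_close()
    return server.statuses

if __name__ == "__main__":
    print("challenge first:", fetch(False), "preemptive:", fetch(True))
```

With the preemptive header the client never sees the server's challenge, so the credentials are sent before the server has stated which scheme or realm it expects.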