
I'm using PHP cURL to test an API which sits on a dev site that is protected by Apache HTPASSWD.

$jwt = '<JWT>'; // a standard JWT token (placeholder value)

$curl = curl_init();
curl_setopt($curl, CURLOPT_URL, 'https://dev.mysite.com/api');
curl_setopt($curl, CURLOPT_HTTPAUTH, CURLAUTH_BASIC);
curl_setopt($curl, CURLOPT_USERPWD, 'myuser:mypass');
curl_setopt($curl, CURLOPT_HTTPHEADER, array('Content-Type: application/json', 'Authorization: Bearer '.$jwt));
curl_setopt($curl, CURLOPT_RETURNTRANSFER, true);
$output = curl_exec($curl);

However, it seems that setting the HTTPHEADER overrides the Basic authentication needed for HTPASSWD, as the calls return a 401 UNAUTHORIZED.

I have also tried (without success):

curl_setopt($curl, CURLOPT_URL, 'https://myuser:mypass@dev.mysite.com/api');

Is there a way I can include both of these header values in the API call using cURL? Or is there something else I'm doing wrong here?

Tom

1 Answer


https://www.rfc-editor.org/rfc/rfc6750 says you can use Bearer as

Form-Encoded Body Parameter: Authorization: Bearer mytoken123

URI Query Parameter: access_token=mytoken123

So an option would be to set the token as query param.

lvollmer
    Thanks for the response. In the end, I've found a preferable solution which is to exclude the API URLs from the HTPASSWD protection altogether: https://serverfault.com/questions/725004/exclusion-of-a-protected-sub-url-does-not-work-on-apache-2-4/ – Tom Nov 19 '19 at 13:35
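The query-parameter option from the answer, as an added example that is not part of the original thread: the Authorization header is left to cURL's Basic auth for the htpasswd layer, and the token travels as `access_token`. RFC 6750 discourages this method because URLs end up in server logs and browser history, so it fits a dev site better than production. The function names are hypothetical, the host, credentials and token are placeholders, and the API is assumed to accept query-parameter tokens.

```php
<?php
// Added example. Assumption: the API behind the htpasswd layer accepts the
// RFC 6750 section 2.3 "access_token" query parameter.

/** Build cURL options: Basic auth in the header, bearer token in the query. */
function build_options(string $url, string $user, string $pass, string $jwt): array
{
    // Append access_token without clobbering an existing query string.
    $sep = (parse_url($url, PHP_URL_QUERY) === null) ? '?' : '&';
    $url .= $sep . http_build_query(['access_token' => $jwt]);

    return [
        CURLOPT_URL            => $url,
        CURLOPT_HTTPAUTH       => CURLAUTH_BASIC,
        CURLOPT_USERPWD        => $user . ':' . $pass,
        // No Authorization entry here: libcurl sends a custom header in
        // place of the one it would generate from CURLOPT_USERPWD.
        CURLOPT_HTTPHEADER     => ['Content-Type: application/json'],
        CURLOPT_RETURNTRANSFER => true,
    ];
}

/** Refuse option sets that set Authorization by hand next to Basic auth. */
function assert_single_authorization(array $opts): void
{
    foreach ($opts[CURLOPT_HTTPHEADER] ?? [] as $header) {
        if (stripos(ltrim($header), 'authorization:') === 0) {
            throw new InvalidArgumentException(
                'Manual Authorization header would replace the Basic credentials'
            );
        }
    }
}

// Placeholder values taken from the question; the token is constructed.
$opts = build_options('https://dev.mysite.com/api', 'myuser', 'mypass', 'PLACEHOLDER.JWT.VALUE');
assert_single_authorization($opts);

$curl = curl_init();
curl_setopt_array($curl, $opts);
$output = curl_exec($curl);
$status = curl_getinfo($curl, CURLINFO_RESPONSE_CODE);

if ($output === false) {
    fwrite(STDERR, 'Request failed: ' . curl_error($curl) . PHP_EOL);
} elseif ($status === 401) {
    fwrite(STDERR, 'Still 401: check the htpasswd credentials and token support' . PHP_EOL);
}
```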