powerquerybasic-authentication

Basic authentication — two requests from Excel Power Query


I have a very simple data providing PHP script that uses basic authentication.

if( !isset( $_SERVER[ 'PHP_AUTH_USER' ] ) ) :
    header( 'WWW-Authenticate: Basic realm="My Realm"' );
    header( 'HTTP/1.0 401 Unauthorized' );
    LOG->error( 'Unauthorized access attempt to basic authentication report', ['reason' => 'Missing PHP_AUTH_USER', 'report' => $_SERVER['SCRIPT_FILENAME']] );
    exit;
elseif( !isset( $_SERVER[ 'PHP_AUTH_PW' ] ) ) :
    header( 'HTTP/1.0 401 Unauthorized' );
    LOG->error( 'Unauthorized access attempt to basic authentication report', ['reason' => 'Missing PHP_AUTH_PW', 'report' => $_SERVER['SCRIPT_FILENAME']] );
    exit;
else :
    LOG->info( 'authorized request' );

/* do stuff */

endif;

In my logs I see a Unauthorized access attempt to basic authentication report prior to a authorized request if accessed from Excel Power Query.

Is it normal that Excel Power Query attemps a non authorized request before a request with basic authentication?


Solution

  • It's quite reasonable for a client to refuse to present unencrypted credentials to a web server until it demands them by returning a 401 with a 'WWW-Authenticate' header. But I'm not able to replicate this behavior. I built a minimal web API in .NET Core

    app.MapGet("/foo", (HttpRequest request) =>
    {
        var h = request.Headers;
        var ah = request.Headers.Authorization;
        return Results.Ok(ah);
    });
    

    And the basic auth header was presented by Excel when configuring the query and on every refresh.