I have a very simple data providing PHP script that uses basic authentication.
if( !isset( $_SERVER[ 'PHP_AUTH_USER' ] ) ) :
header( 'WWW-Authenticate: Basic realm="My Realm"' );
header( 'HTTP/1.0 401 Unauthorized' );
LOG->error( 'Unauthorized access attempt to basic authentication report', ['reason' => 'Missing PHP_AUTH_USER', 'report' => $_SERVER['SCRIPT_FILENAME']] );
exit;
elseif( !isset( $_SERVER[ 'PHP_AUTH_PW' ] ) ) :
header( 'HTTP/1.0 401 Unauthorized' );
LOG->error( 'Unauthorized access attempt to basic authentication report', ['reason' => 'Missing PHP_AUTH_PW', 'report' => $_SERVER['SCRIPT_FILENAME']] );
exit;
else :
LOG->info( 'authorized request' );
/* do stuff */
endif;
In my logs I see a Unauthorized access attempt to basic authentication report prior to a authorized request if accessed from Excel Power Query.
Is it normal that Excel Power Query attemps a non authorized request before a request with basic authentication?
It's quite reasonable for a client to refuse to present unencrypted credentials to a web server until it demands them by returning a 401 with a 'WWW-Authenticate' header. But I'm not able to replicate this behavior. I built a minimal web API in .NET Core
app.MapGet("/foo", (HttpRequest request) =>
{
var h = request.Headers;
var ah = request.Headers.Authorization;
return Results.Ok(ah);
});
And the basic auth header was presented by Excel when configuring the query and on every refresh.