Question
BPM Company
NL
Last activity: 24 Nov 2022 7:29 EST
Preemptive Authentication gives guardrail warning
Why does pega give a guardrail warning on using Preemptive Authentication in the Authentication Profile?
I understand it will add the authorization header to the request in stead of using a challenge/response model. But i do not understand why Preemptive Authentication seems to be "bad practise"
See attached screenshot for the warning.
Also when adding Realm and Hostname the warning stays, see second screenshot. I do not understand why.
***Edited by Moderator Marije to add Capability tags***
Masking Technology
NL
Preemptive authentication is used in Basic Authentication. The header of the basic authentication is simply btoa(username:password) that results in a base64 string that is easily decoded.
If you would use this authentication profile over http protocol, everybody can read the credentials. So you're probably using https. But even then, you are not sure whether the connection is safe. It might be that the end point is compromised and returns invalid certificates. Then the connection is not established, but the credentials are already sent to the other party.
So, you should never use preemptive authentication and if you have an influence on the end point, make sure they do not require it to work.