Support pre-emptive Proxy Authentication for plaintext (http) requests

[yu1147]

I want to use okhttp to implement --proxy-user so that the header includes Proxy-Authorization. I found that authenticate can achieve this, and it indeed works under HTTPS. However, once I send an HTTP request, like:

Request request = new Request.Builder()
.url("http://httpbin.org/headers") // This service returns the received request headers
.header("saaa", "bbb")
.build();
This header is not automatically added. I looked at the underlying source code and found that createTunnelRequest creates a fakeAuthChallengeResponse, which explains why it appears to be mandatory.

My first question is: Why isn't HTTP designed in the same way?
My second question is: After returning 407, HTTP also includes Proxy-Authorization. Is this interaction defined by a standard?

Thank you for your answer.

[swankjesse]

We need to add an API to specify it. Probably adjacent to the proxy configuration in the OkHttpClient.

[yschimke]

Is there a reason it needs a new API? because of a change in observable behaviour? it seems intentional by the developer based on the existing APIs to support preemptive proxy auth for http requests.

[yu1147]

Hello, currently the proxy may not always return a 407 status code in order to maintain backward compatibility, since there are still some HTTP requests that do not include authentication and must be allowed to pass. However, we would like HTTP to actively include authentication, aligning it with HTTPS, and we want to control this behavior via a toggle switch. Alternatively, is there any existing implementation available for this? Thank you

[yschimke]

I looked at whether a workaround is possible with an interceptor, however I don't believe so, at least in a clean way. I tried returning a fake 407 response in a network interceptor, but that will fail because network interceptors need to make exactly one request.

The normal 407 handling would be in ConnectPlan createTunnel, but I think the RetryAndFollowUpInterceptor followUpRequest also handles this.

So the ugly workaround might be to make the request, but replace the response with a 407 in a network interceptor, which should trigger the proxy auth.

I think that ugly workaround could converted to be a HEAD request for /robots.txt. to avoid any real effect.

[swankjesse]

I think it needs an API for preemptive auth on tunnels. We don't have another hook to collect credentials.