We're developing a connectivity library for IoT devices. It should support authentication using a variant of RFC 7235 (HTTP Authentication).
From that specification:
"A user agent that wishes to authenticate itself with an origin server can do so by including an Authorization header field with the request."
To implement this feature we are executing (URLRequest's) setValue(..., forHTTPHeaderField: "Authorization") on our requests.
While that seems to work we are worried about this text about "Reserved HTTP headers" (which include the "Authorization" header) in the Apple documentation:
"If you set a value for one of these reserved headers, the system may ignore the value you set, or overwrite it with its own value, or simply not send it. Moreover, the exact behavior may change over time. To avoid confusing problems like this, do not set these headers directly."
So our approach is wrong?
How should we do this instead?
From that specification:
"A user agent that wishes to authenticate itself with an origin server can do so by including an Authorization header field with the request."
To implement this feature we are executing (URLRequest's) setValue(..., forHTTPHeaderField: "Authorization") on our requests.
While that seems to work we are worried about this text about "Reserved HTTP headers" (which include the "Authorization" header) in the Apple documentation:
"If you set a value for one of these reserved headers, the system may ignore the value you set, or overwrite it with its own value, or simply not send it. Moreover, the exact behavior may change over time. To avoid confusing problems like this, do not set these headers directly."
So our approach is wrong?
How should we do this instead?