Handling Authentication Methods Using Linux curl command

curl is a command-line tool for transferring data for different protocols.

Among its wide range of features, one of the most important ones is its ability to handle different types of authentication when communicating with servers.

This tutorial dive deep into the authentication mechanisms used with the curl command on Linux.



Basic Authentication

When using Basic Authentication with curl, you can use the -u option followed by the username:password combination. curl automatically takes care of encoding this data in the correct format.

curl -u username:password http://example.com/resource

The primary risk with Basic Authentication is that the credentials are essentially sent in clear text.

If an attacker intercepts the traffic (especially if it’s not encrypted via HTTPS), they can easily decode the credentials and gain unauthorized access.


Digest Authentication

Instead of sending the username and password in base64 encoded form, Digest Authentication uses a challenge-response mechanism.

  • The server sends a nonce (a one-time number) to the client.
  • The client then creates an MD5 hash using the username, password, nonce, and some other details.
  • This hash is sent back to the server for verification instead of the actual password.
curl --digest -u username:password http://example.com/resource

By using the --digest flag and providing your credentials using the -u option, you instruct curl to handle the Digest Authentication handshake.

Basic vs. Digest Authentication

  • Transmission of Credentials:
    • Basic: Sends credentials in clear text.
    • Digest: Sends an MD5 hash of the credentials and some additional data, which offers more protection.
  • Server Storage:
    • Basic: The server stores passwords in a way that can be used for direct comparison.
    • Digest: The server doesn’t need to store the actual password, just specific details to validate the received hash.
  • Dependency on Secure Transmission:
    • Basic: To be safe, it heavily relies on HTTPS to encrypt the credentials during transmission.
    • Digest: Even over an insecure connection, intercepted data is less useful to attackers due to hashing.
  • Protection against Replay Attacks:
    • Basic: Vulnerable to replay attacks if used over an insecure connection.
    • Digest: The nonce and other attributes make replay attacks more difficult, though not impossible.


Bearer Token Authentication

Bearer Tokens, often just referred to as “tokens,” are a method of authentication where the client sends a token in the request header as proof of authentication.

These tokens are typically generated after a user logs in or authenticates using another method.

To use Bearer Token Authentication with curl, you add an “Authorization” header with the value “Bearer” followed by the actual token.

curl -H "Authorization: Bearer your_token_here" http://example.com/resource

This instructs the server to authenticate the request based on the provided token. If the token is valid, the server grants access to the requested resource.

Token Expiry and Renewal

Most Bearer Tokens are designed to expire after a certain duration for security reasons.

This minimizes potential damage if a token is compromised. Upon expiration, a token must be renewed to continue accessing resources.

Token Renewal

When a token expires, you typically need to re-authenticate or use a refresh token to get a new access token.

The method varies depending on the authentication system in place. With OAuth 2.0, for instance, you can use a refresh token without requiring the user to log in again.

curl -H "Authorization: Bearer refresh_token_here" http://example.com/token/renew


{"access_token": "new_token_value", "expires_in": 3600}

In this example, by sending a request with the refresh token, the server provides a new access token that will be valid for another hour (3,600 seconds).


OAuth 2.0 Authentication

OAuth is an open standard for token-based authentication and authorization on the Internet.

It allows third-party applications to access user data without exposing user credentials. There are two versions of OAuth:

  • OAuth 1.0: An older protocol that relies on complex cryptographic requirements. It’s less used today because of its complexity and several security concerns.
  • OAuth 2.0: A more modern and flexible protocol that uses tokens to grant access. It’s widely adopted due to its simplicity, extensibility, and robustness against several attacks.

OAuth 2.0 simplifies the process, it only requires the client ID, client secret, and some other specific parameters.

curl -X POST http://example.com/oauth/token 
-d 'grant_type=authorization_code&client_id=your_client_id&client_secret=your_client_secret&code=authorization_code_received'


{"access_token": "your_access_token", "token_type": "bearer", "expires_in": 3600, "refresh_token": "your_refresh_token", "scope": "read write"}

This command fetches an access token using the authorization code received after user authorization. The response typically includes the access token, token type, expiry time, refresh token, and scopes.


Certificate-based Authentication

Certificate-based authentication employs asymmetric cryptography where two keys are used: a public key and a private key.

While the public key is freely distributed, the private key remains confidential.

The fundamental concept is that anything encrypted with the public key can only be decrypted with the corresponding private key.

Certificates are digital documents that contain public keys and are signed by a trusted Certificate Authority (CA).

They validate the identity of certificate holders and provide the means for others to trust the information within the certificate.

You can use curl to provide the necessary client certificate and key when a server requires client authentication using certificates:

curl --cert /path/to/client.pem --key /path/to/client.key https://example.com/resource

With the --cert option, you specify the client certificate, and with the --key option, you provide the corresponding private key.

Ensure the private key file is kept secure.

Verifying Server Certificates

To ensure you’re communicating with the intended server and the data exchange is secure, it’s essential to verify the server’s certificate:

curl --cacert /path/to/ca_certificate.pem https://example.com/resource

By using the --cacert option, you provide curl the trusted CA certificate to verify the server’s certificate.

If the server’s certificate is not signed by a trusted CA or if there’s a mismatch, curl will terminate the connection.


Multi-factor Authentication

Multi-factor Authentication (MFA) enhances security by requiring users to provide two or more verification factors to gain access.

When using curl in the context of MFA, things can get tricky, since MFA often involves interactive steps. Here’s how you can handle it.

TOTP with curl

Time-based One-Time Password (TOTP) is a common MFA method. If you have an endpoint that accepts TOTP, you could generate the TOTP code using a tool and then use curl:

curl -u username:password -d "totp_code=YOUR_GENERATED_TOTP" https://example.com/resource

For generating TOTP codes programmatically, tools like oathtool on Linux can be handy.

Using oathtool to Generate TOTP Code

oathtool is a command-line utility for generating and validating One-Time Passwords (OTPs).

First, you’ll need to install oathtool. On a system with apt:

sudo apt-get install oathtool

Once installed, you can generate a TOTP code using your secret key:

oathtool --totp -b YOUR_SECRET_KEY

This will provide a 6-digit TOTP code as output. The -b option ensures the output is in base32.

To combine this with curl in a single command, you could do this:

curl -u username:password -d "totp_code=$(oathtool --totp -b YOUR_SECRET_KEY)" https://example.com/resource

This command first runs the oathtool to generate the TOTP code and then uses it as a parameter in the curl request.

Remember, the secret key used with oathtool should be kept secure. Anyone with access to the key can generate valid OTPs.


Common Authentication Errors

When using curl for accessing web resources that require authentication, you might encounter a range of errors related to authentication.

Here’s a some of common authentication-related errors you might face:

401 Unauthorized

This is the most common error when authentication fails.

curl -u wrongUsername:wrongPassword http://example.com/resource


HTTP/1.1 401 Unauthorized

This typically means the credentials provided are incorrect or don’t have permission to access the resource.

Always double-check the username and password, and ensure you have the correct access rights.

SSL Certificate Errors

If curl can’t verify the server’s SSL certificate, it will throw an error.

curl https://invalid-cert.example.com/resource


curl: (60) SSL certificate problem: self signed certificate

This can occur if the server’s certificate is self-signed, expired, or if there’s a mismatch between the certificate’s domain and the requested domain.

For security reasons, avoid using the -k or --insecure flag with curl, which would bypass this check.

Instead, ensure the server’s certificate is valid or provide the appropriate CA certificate using the --cacert flag.

Missing Authentication Method

If you forget to specify an authentication method or credentials, the server will likely respond with a 401 Unauthorized.

curl http://auth-required.example.com/resource


HTTP/1.1 401 Unauthorized
WWW-Authenticate: Basic realm="Example"

The WWW-Authenticate header indicates the required authentication method. In this case, it’s expecting Basic authentication.

Rate Limits or Too Many Requests

Some servers implement rate limits on their endpoints. If you send too many requests in a short period, you will be temporarily blocked.

curl http://rate-limited.example.com/resource


HTTP/1.1 429 Too Many Requests

To address this, ensure you adhere to the service’s rate limits, possibly by setting delays between requests or batching requests.

In all these scenarios, the server’s response headers and body often provide additional context about the error, which can be useful for troubleshooting.

Leave a Reply

Your email address will not be published. Required fields are marked *