Re: Problems with authenticated background downloads involving a 301 redirect
Re: Problems with authenticated background downloads involving a 301 redirect
- Subject: Re: Problems with authenticated background downloads involving a 301 redirect
- From: "Quinn \"The Eskimo!\"" <email@hidden>
- Date: Thu, 24 Jul 2014 10:43:01 +0100
On 23 Jul 2014, at 21:56, Scott Hancher <email@hidden> wrote:
> Within the initial request, we add an 'Authorization' header to the request.
This is not something we support in general. Recently I got the following added to our documentation to make this crystal clear:
Important: The NSURLConnection class and NSURLSession classes are
designed to handle various aspects of the HTTP protocol for you. As
a result, you should not modify the following headers:
o Authorization
o Connection
o Host
o WWW-Authenticate
Additionally, if the length of your upload body data can be
determined automatically (for example, if you provide the body
content with an NSData object), then the value of Content-Length is
set for you.
<https://developer.apple.com/library/ios/documentation/Cocoa/Reference/Foundation/Classes/NSMutableURLRequest_Class/Reference/Reference.html#//apple_ref/occ/cl/NSMutableURLRequest>
The way to do authentication in an NSURL{Session,Connection} world is via the authentication challenge mechanism. Unfortunately NSURL{Session,Connection} do not provide public support for OAuth authentication challenges, which is how you got into this mess in the first place.
So:
A. You're using OAuth, and thus can't use authentication challenges, and thus have to mess around with the "Authorization" header.
B. NSURLSession thinks that it owns the "Authorization" header and thus doesn't feel obligated to preserve it across redirects.
C. Background sessions always follow redirects; there's no way to change that behaviour.
Each of these would make a fine bug report in its own right. Please file them as you see fit.
<https://developer.apple.com/bug-reporting/>
Note: If you do file bug reports about this, please post them here just for the record.
* * *
As to a workaround, it's hard to be sure what will work in your context but one option would be:
1. issue the initial request with your "Authorization" header
2. when it fails, get the redirect URL from task.currentRequest
3. use that to re-issue the request with the your "Authorization" header
The problem with doing this in a background session is that you may run afoul of the background session resume rate limiter.
<https://devforums.apple.com/message/938057#938057>
* * *
Alternatively, you could do something like this:
1. issue the initial request in a non-background session, using a UIApplication background task to ensure that your app doesn't get suspended while it's running
2. implement the willPerformHTTPRedirection delegate callback and have it prevent the automatic redirect by calling the completion handler with nil
3. when the request completes you'll have the final URL; use that to re-issue the request in your background session with the correct "Authorization" header
* * *
Finally, you could rework your server-side infrastructure to not rely on redirects or not use OAuth.
Just as an aside, OAuth is problematic for NSURLSession background sessions because the background session might cause the request to be radically delayed, to the point that the token's time limit expires.
Share and Enjoy
--
Quinn "The Eskimo!" <http://www.apple.com/developer/>
Apple Developer Relations, Developer Technical Support, Core OS/Hardware
_______________________________________________
Do not post admin requests to the list. They will be ignored.
Macnetworkprog mailing list (email@hidden)
Help/Unsubscribe/Update your Subscription:
This email sent to email@hidden