Better support for different authentication methods in NSURLSession

Originator: openradar
Number: rdar://35637645
Date Originated: 2017-11-19
Status: Open
Resolved:
Product: iOS SDK - Foundation
Product Version: 11
Classification: Suggestion
Reproducible:
 
With the current `NSURLSession` methods, it's very easy to implement HTTP Basic and Digest authentication but super-difficult to implement any other authentication method over HTTP.
There are a few reasons for that:

1. The `urlSession(_:task:didReceive:completionHandler:)` method is called for responses that contain the `WWW-Authenticate` header, but *only* if that header requests Basic or Digest authentication. It will not be called if the header requires any other authentication (e.g. OAuth).

2. The method above is the only way to automatically let the URL loading system retry a task/request after it failed due to authentication and needs a modified request. As `URLSessionTask` objects are only created via factory methods on `URLSession`, they cannot be subclassed, and thus when implementing authentication, one needs to create a new task every time. This makes it hard to enhance the existing framework with custom authentication, as such libraries cannot simply return `URLSessionTask` objects but need to wrap them to ensure they can replace the actual task object when it's retried.

3. The completion block of `urlSession(_:task:didReceive:completionHandler:)` only accepts a `URLCredential` object. There is no way to customize how that `URLCredential` is encoded in the modified retry request or to provide a different `Authorization` header.


Thus, please make the delegate method be called for all responses that contain the `WWW-Authenticate` header and make the `completionHandler` more flexible to allow customizing the `Authorization` header of the retried response.
More details can be found here: http://blog.cocoafrog.de/2017/11/18/how-nsurlsession-authentication-should-work.html
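
The workaround that points 2 and 3 describe, as an added example that is not part of the original report: a wrapper that detects a `Bearer` challenge itself and creates a second task carrying a custom `Authorization` header. `BearerRetryingClient`, `tokenProvider` and `challengeScheme` are hypothetical names, the header parsing only reads the first challenge, and `value(forHTTPHeaderField:)` assumes iOS 13 / macOS 10.15 or later.

```swift
import Foundation

/// Hypothetical wrapper (not Foundation API). It cannot hand the caller a
/// URLSessionTask, because the retry is a different task object.
final class BearerRetryingClient {
    private let session: URLSession
    /// Assumed to deliver a fresh token (e.g. from an OAuth refresh) or nil.
    private let tokenProvider: (@escaping (String?) -> Void) -> Void

    init(session: URLSession = .shared,
         tokenProvider: @escaping (@escaping (String?) -> Void) -> Void) {
        self.session = session
        self.tokenProvider = tokenProvider
    }

    /// Lowercased scheme of the first challenge on a 401, or nil.
    /// Simplification: multiple comma-separated challenges are not parsed.
    static func challengeScheme(in response: HTTPURLResponse) -> String? {
        guard response.statusCode == 401,
              let header = response.value(forHTTPHeaderField: "WWW-Authenticate")
        else { return nil }
        return header.split(separator: " ").first.map { $0.lowercased() }
    }

    func send(_ request: URLRequest, retried: Bool = false,
              completion: @escaping (Data?, URLResponse?, Error?) -> Void) {
        session.dataTask(with: request) { data, response, error in
            // Retry at most once, only for a Bearer challenge, and only over
            // HTTPS so the token is never sent in cleartext.
            guard !retried,
                  request.url?.scheme?.lowercased() == "https",
                  let http = response as? HTTPURLResponse,
                  BearerRetryingClient.challengeScheme(in: http) == "bearer"
            else { completion(data, response, error); return }

            self.tokenProvider { token in
                guard let token = token else {
                    completion(data, response, error) // surface the original 401
                    return
                }
                var retry = request // a new request, and therefore a new task
                retry.setValue("Bearer \(token)", forHTTPHeaderField: "Authorization")
                self.send(retry, retried: true, completion: completion)
            }
        }.resume()
    }
}
```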
