Hello,
As per section 4.1 of RFC-7235, when an HTTP server returns a 401 response, it must also return a WWW-Authenticate header :
A server generating a 401 (Unauthorized) response MUST send a
WWW-Authenticate header field containing at least one challenge.
However, when the refinitiv server returns 401, it returns the following header :
Authorization: WWW-Authenticate: Signature realm="World-Check One API",algorithm="hmac-sha256",headers="(request-target) host date content-type content-length"
This is indeed an "Authorization" header, not a WWW-Authenticate, and it cannot be used to extract the signature challenge in a clean generic way.
As long as this header is returned (in place of "WWW-Authenticate"), the only way of generating a valid Authorization header on the client side is to use preemptive authorization.
This might be fine for code crafted especially to access the refinitiv server, but it won't work for generic code (gateways and/or proxies, etc...). For instance, we use a gateway that handles all authorization computing for different providers, and it cannot process refinitiv queries because of this issue.
Are you aware of this issue, and do you plan to fix this at some point ?
Thanks in advance.