idnits 2.17.1
draft-ietf-httpbis-p7-auth-26.txt:
Checking boilerplate required by RFC 5378 and the IETF Trust (see
https://trustee.ietf.org/license-info):
----------------------------------------------------------------------------
No issues found here.
Checking nits according to https://www.ietf.org/id-info/1id-guidelines.txt:
----------------------------------------------------------------------------
No issues found here.
Checking nits according to https://www.ietf.org/id-info/checklist :
----------------------------------------------------------------------------
-- The draft header indicates that this document obsoletes RFC2616, but the
abstract doesn't seem to mention this, which it should.
-- The draft header indicates that this document updates RFC2617, but the
abstract doesn't seem to mention this, which it should.
Miscellaneous warnings:
----------------------------------------------------------------------------
== The copyright year in the IETF Trust and authors Copyright Line does not
match the current year
(Using the creation date from RFC2617, updated by this document, for
RFC5378 checks: 1997-12-01)
-- The document seems to contain a disclaimer for pre-RFC5378 work, and may
have content which was first submitted before 10 November 2008. The
disclaimer is necessary when there are original authors that you have
been unable to contact, or if some do not wish to grant the BCP78 rights
to the IETF Trust. If you are able to get all authors (current and
original) to grant those rights, you can and should remove the
disclaimer; otherwise, the disclaimer is needed and you can ignore this
comment. (See the Legal Provisions document at
https://trustee.ietf.org/license-info for more information.)
-- The document date (February 6, 2014) is 3732 days in the past. Is this
intentional?
Checking references for intended status: Proposed Standard
----------------------------------------------------------------------------
(See RFCs 3967 and 4897 for information about using normative references
to lower-maturity documents in RFCs)
== Unused Reference: 'RFC2616' is defined on line 663, but no explicit
reference was found in the text
-- Obsolete informational reference (is this intentional?): RFC 2616
(Obsoleted by RFC 7230, RFC 7231, RFC 7232, RFC 7233, RFC 7234, RFC 7235)
-- Obsolete informational reference (is this intentional?): RFC 2617
(Obsoleted by RFC 7235, RFC 7615, RFC 7616, RFC 7617)
-- Obsolete informational reference (is this intentional?): RFC 5226
(Obsoleted by RFC 8126)
-- Obsolete informational reference (is this intentional?): RFC 5246
(Obsoleted by RFC 8446)
Summary: 0 errors (**), 0 flaws (~~), 2 warnings (==), 8 comments (--).
Run idnits with the --verbose option for more detailed information about
the items above.
--------------------------------------------------------------------------------
2 HTTPbis Working Group R. Fielding, Ed.
3 Internet-Draft Adobe
4 Obsoletes: 2616 (if approved) J. Reschke, Ed.
5 Updates: 2617 (if approved) greenbytes
6 Intended status: Standards Track February 6, 2014
7 Expires: August 10, 2014
9 Hypertext Transfer Protocol (HTTP/1.1): Authentication
10 draft-ietf-httpbis-p7-auth-26
12 Abstract
14 The Hypertext Transfer Protocol (HTTP) is a stateless application-
15 level protocol for distributed, collaborative, hypermedia information
16 systems. This document defines the HTTP Authentication framework.
18 Editorial Note (To be removed by RFC Editor)
20 Discussion of this draft takes place on the HTTPBIS working group
21 mailing list (ietf-http-wg@w3.org), which is archived at
22 .
24 The current issues list is at
25 and related
26 documents (including fancy diffs) can be found at
27 .
29 The changes in this draft are summarized in Appendix D.2.
31 Status of This Memo
33 This Internet-Draft is submitted in full conformance with the
34 provisions of BCP 78 and BCP 79.
36 Internet-Drafts are working documents of the Internet Engineering
37 Task Force (IETF). Note that other groups may also distribute
38 working documents as Internet-Drafts. The list of current Internet-
39 Drafts is at http://datatracker.ietf.org/drafts/current/.
41 Internet-Drafts are draft documents valid for a maximum of six months
42 and may be updated, replaced, or obsoleted by other documents at any
43 time. It is inappropriate to use Internet-Drafts as reference
44 material or to cite them other than as "work in progress."
46 This Internet-Draft will expire on August 10, 2014.
48 Copyright Notice
49 Copyright (c) 2014 IETF Trust and the persons identified as the
50 document authors. All rights reserved.
52 This document is subject to BCP 78 and the IETF Trust's Legal
53 Provisions Relating to IETF Documents
54 (http://trustee.ietf.org/license-info) in effect on the date of
55 publication of this document. Please review these documents
56 carefully, as they describe your rights and restrictions with respect
57 to this document. Code Components extracted from this document must
58 include Simplified BSD License text as described in Section 4.e of
59 the Trust Legal Provisions and are provided without warranty as
60 described in the Simplified BSD License.
62 This document may contain material from IETF Documents or IETF
63 Contributions published or made publicly available before November
64 10, 2008. The person(s) controlling the copyright in some of this
65 material may not have granted the IETF Trust the right to allow
66 modifications of such material outside the IETF Standards Process.
67 Without obtaining an adequate license from the person(s) controlling
68 the copyright in such materials, this document may not be modified
69 outside the IETF Standards Process, and derivative works of it may
70 not be created outside the IETF Standards Process, except to format
71 it for publication as an RFC or to translate it into languages other
72 than English.
74 Table of Contents
76 1. Introduction . . . . . . . . . . . . . . . . . . . . . . . . . 4
77 1.1. Conformance and Error Handling . . . . . . . . . . . . . . 4
78 1.2. Syntax Notation . . . . . . . . . . . . . . . . . . . . . 4
79 2. Access Authentication Framework . . . . . . . . . . . . . . . 4
80 2.1. Challenge and Response . . . . . . . . . . . . . . . . . . 4
81 2.2. Protection Space (Realm) . . . . . . . . . . . . . . . . . 6
82 3. Status Code Definitions . . . . . . . . . . . . . . . . . . . 7
83 3.1. 401 Unauthorized . . . . . . . . . . . . . . . . . . . . . 7
84 3.2. 407 Proxy Authentication Required . . . . . . . . . . . . 7
85 4. Header Field Definitions . . . . . . . . . . . . . . . . . . . 7
86 4.1. WWW-Authenticate . . . . . . . . . . . . . . . . . . . . . 8
87 4.2. Authorization . . . . . . . . . . . . . . . . . . . . . . 8
88 4.3. Proxy-Authenticate . . . . . . . . . . . . . . . . . . . . 9
89 4.4. Proxy-Authorization . . . . . . . . . . . . . . . . . . . 9
90 5. IANA Considerations . . . . . . . . . . . . . . . . . . . . . 10
91 5.1. Authentication Scheme Registry . . . . . . . . . . . . . . 10
92 5.1.1. Procedure . . . . . . . . . . . . . . . . . . . . . . 10
93 5.1.2. Considerations for New Authentication Schemes . . . . 10
94 5.2. Status Code Registration . . . . . . . . . . . . . . . . . 12
95 5.3. Header Field Registration . . . . . . . . . . . . . . . . 12
96 6. Security Considerations . . . . . . . . . . . . . . . . . . . 12
97 6.1. Confidentiality of Credentials . . . . . . . . . . . . . . 13
98 6.2. Authentication Credentials and Idle Clients . . . . . . . 13
99 6.3. Protection Spaces . . . . . . . . . . . . . . . . . . . . 14
100 7. Acknowledgments . . . . . . . . . . . . . . . . . . . . . . . 14
101 8. References . . . . . . . . . . . . . . . . . . . . . . . . . . 14
102 8.1. Normative References . . . . . . . . . . . . . . . . . . . 14
103 8.2. Informative References . . . . . . . . . . . . . . . . . . 15
104 Appendix A. Changes from RFCs 2616 and 2617 . . . . . . . . . . . 16
105 Appendix B. Imported ABNF . . . . . . . . . . . . . . . . . . . . 16
106 Appendix C. Collected ABNF . . . . . . . . . . . . . . . . . . . 16
107 Appendix D. Change Log (to be removed by RFC Editor before
108 publication) . . . . . . . . . . . . . . . . . . . . 17
109 D.1. Since draft-ietf-httpbis-p7-auth-24 . . . . . . . . . . . 17
110 D.2. Since draft-ietf-httpbis-p7-auth-25 . . . . . . . . . . . 18
111 Index . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 18
113 1. Introduction
115 HTTP provides a general framework for access control and
116 authentication, via an extensible set of challenge-response
117 authentication schemes, which can be used by a server to challenge a
118 client request and by a client to provide authentication information.
119 This document defines HTTP/1.1 authentication in terms of the
120 architecture defined in [Part1], including the general framework
121 previously described in RFC 2617 and the related fields and status
122 codes previously defined in RFC 2616.
124 The IANA Authentication Scheme Registry (Section 5.1) lists
125 registered authentication schemes and their corresponding
126 specifications, including the "basic" and "digest" authentication
127 schemes previously defined by RFC 2617.
129 1.1. Conformance and Error Handling
131 The key words "MUST", "MUST NOT", "REQUIRED", "SHALL", "SHALL NOT",
132 "SHOULD", "SHOULD NOT", "RECOMMENDED", "MAY", and "OPTIONAL" in this
133 document are to be interpreted as described in [RFC2119].
135 Conformance criteria and considerations regarding error handling are
136 defined in Section 2.5 of [Part1].
138 1.2. Syntax Notation
140 This specification uses the Augmented Backus-Naur Form (ABNF)
141 notation of [RFC5234] with a list extension, defined in Section 7 of
142 [Part1], that allows for compact definition of comma-separated lists
143 using a '#' operator (similar to how the '*' operator indicates
144 repetition). Appendix B describes rules imported from other
145 documents. Appendix C shows the collected grammar with all list
146 operators expanded to standard ABNF notation.
148 2. Access Authentication Framework
150 2.1. Challenge and Response
152 HTTP provides a simple challenge-response authentication framework
153 that can be used by a server to challenge a client request and by a
154 client to provide authentication information. It uses a case-
155 insensitive token as a means to identify the authentication scheme,
156 followed by additional information necessary for achieving
157 authentication via that scheme. The latter can either be a comma-
158 separated list of parameters or a single sequence of characters
159 capable of holding base64-encoded information.
161 Authentication parameters are name=value pairs, where the name token
162 is matched case-insensitively, and each parameter name MUST only
163 occur once per challenge.
165 auth-scheme = token
167 auth-param = token BWS "=" BWS ( token / quoted-string )
169 token68 = 1*( ALPHA / DIGIT /
170 "-" / "." / "_" / "~" / "+" / "/" ) *"="
172 The "token68" syntax allows the 66 unreserved URI characters
173 ([RFC3986]), plus a few others, so that it can hold a base64,
174 base64url (URL and filename safe alphabet), base32, or base16 (hex)
175 encoding, with or without padding, but excluding whitespace
176 ([RFC4648]).
178 A 401 (Unauthorized) response message is used by an origin server to
179 challenge the authorization of a user agent, including a WWW-
180 Authenticate header field containing at least one challenge
181 applicable to the requested resource.
183 A 407 (Proxy Authentication Required) response message is used by a
184 proxy to challenge the authorization of a client, including a Proxy-
185 Authenticate header field containing at least one challenge
186 applicable to the proxy for the requested resource.
188 challenge = auth-scheme [ 1*SP ( token68 / #auth-param ) ]
190 Note: Many clients fail to parse a challenge that contains an
191 unknown scheme. A workaround for this problem is to list well-
192 supported schemes (such as "basic") first.
194 A user agent that wishes to authenticate itself with an origin server
195 -- usually, but not necessarily, after receiving a 401 (Unauthorized)
196 -- can do so by including an Authorization header field with the
197 request.
199 A client that wishes to authenticate itself with a proxy -- usually,
200 but not necessarily, after receiving a 407 (Proxy Authentication
201 Required) -- can do so by including a Proxy-Authorization header
202 field with the request.
204 Both the Authorization field value and the Proxy-Authorization field
205 value contain the client's credentials for the realm of the resource
206 being requested, based upon a challenge received in a response
207 (possibly at some point in the past). When creating their values,
208 the user agent ought to do so by selecting the challenge with what it
209 considers to be the most secure auth-scheme that it understands,
210 obtaining credentials from the user as appropriate. Transmission of
211 credentials within header field values implies significant security
212 considerations regarding the confidentiality of the underlying
213 connection, as described in Section 6.1.
215 credentials = auth-scheme [ 1*SP ( token68 / #auth-param ) ]
217 Upon receipt of a request for a protected resource that omits
218 credentials, contains invalid credentials (e.g., a bad password) or
219 partial credentials (e.g., when the authentication scheme requires
220 more than one round trip), an origin server SHOULD send a 401
221 (Unauthorized) response that contains a WWW-Authenticate header field
222 with at least one (possibly new) challenge applicable to the
223 requested resource.
225 Likewise, upon receipt of a request that omits proxy credentials or
226 contains invalid or partial proxy credentials, a proxy that requires
227 authentication SHOULD generate a 407 (Proxy Authentication Required)
228 response that contains a Proxy-Authenticate header field with at
229 least one (possibly new) challenge applicable to the proxy.
231 A server that receives valid credentials which are not adequate to
232 gain access ought to respond with the 403 (Forbidden) status code
233 (Section 6.5.3 of [Part2]).
235 HTTP does not restrict applications to this simple challenge-response
236 framework for access authentication. Additional mechanisms can be
237 used, such as authentication at the transport level or via message
238 encapsulation, and with additional header fields specifying
239 authentication information. However, such additional mechanisms are
240 not defined by this specification.
242 2.2. Protection Space (Realm)
244 The "realm" authentication parameter is reserved for use by
245 authentication schemes that wish to indicate a scope of protection.
247 A protection space is defined by the canonical root URI (the scheme
248 and authority components of the effective request URI; see Section
249 5.5 of [Part1]) of the server being accessed, in combination with the
250 realm value if present. These realms allow the protected resources
251 on a server to be partitioned into a set of protection spaces, each
252 with its own authentication scheme and/or authorization database.
253 The realm value is a string, generally assigned by the origin server,
254 which can have additional semantics specific to the authentication
255 scheme. Note that a response can have multiple challenges with the
256 same auth-scheme but different realms.
258 The protection space determines the domain over which credentials can
259 be automatically applied. If a prior request has been authorized,
260 the user agent MAY reuse the same credentials for all other requests
261 within that protection space for a period of time determined by the
262 authentication scheme, parameters, and/or user preferences (such as a
263 configurable inactivity timeout). Unless specifically allowed by the
264 authentication scheme, a single protection space cannot extend
265 outside the scope of its server.
267 For historical reasons, a sender MUST only generate the quoted-string
268 syntax. Recipients might have to support both token and quoted-
269 string syntax for maximum interoperability with existing clients that
270 have been accepting both notations for a long time.
272 3. Status Code Definitions
274 3.1. 401 Unauthorized
276 The 401 (Unauthorized) status code indicates that the request has not
277 been applied because it lacks valid authentication credentials for
278 the target resource. The server generating a 401 response MUST send
279 a WWW-Authenticate header field (Section 4.1) containing at least one
280 challenge applicable to the target resource.
282 If the request included authentication credentials, then the 401
283 response indicates that authorization has been refused for those
284 credentials. The user agent MAY repeat the request with a new or
285 replaced Authorization header field (Section 4.2). If the 401
286 response contains the same challenge as the prior response, and the
287 user agent has already attempted authentication at least once, then
288 the user agent SHOULD present the enclosed representation to the
289 user, since it usually contains relevant diagnostic information.
291 3.2. 407 Proxy Authentication Required
293 The 407 (Proxy Authentication Required) status code is similar to 401
294 (Unauthorized), but indicates that the client needs to authenticate
295 itself in order to use a proxy. The proxy MUST send a Proxy-
296 Authenticate header field (Section 4.3) containing a challenge
297 applicable to that proxy for the target resource. The client MAY
298 repeat the request with a new or replaced Proxy-Authorization header
299 field (Section 4.4).
301 4. Header Field Definitions
303 This section defines the syntax and semantics of header fields
304 related to the HTTP authentication framework.
306 4.1. WWW-Authenticate
308 The "WWW-Authenticate" header field indicates the authentication
309 scheme(s) and parameters applicable to the target resource.
311 WWW-Authenticate = 1#challenge
313 A server generating a 401 (Unauthorized) response MUST send a WWW-
314 Authenticate header field containing at least one challenge. A
315 server MAY generate a WWW-Authenticate header field in other response
316 messages to indicate that supplying credentials (or different
317 credentials) might affect the response.
319 A proxy forwarding a response MUST NOT modify any WWW-Authenticate
320 fields in that response.
322 User agents are advised to take special care in parsing the field
323 value, as it might contain more than one challenge, and each
324 challenge can contain a comma-separated list of authentication
325 parameters. Furthermore, the header field itself can occur multiple
326 times.
328 For instance:
330 WWW-Authenticate: Newauth realm="apps", type=1,
331 title="Login to \"apps\"", Basic realm="simple"
333 This header field contains two challenges; one for the "Newauth"
334 scheme with a realm value of "apps", and two additional parameters
335 "type" and "title", and another one for the "Basic" scheme with a
336 realm value of "simple".
338 Note: The challenge grammar production uses the list syntax as
339 well. Therefore, a sequence of comma, whitespace, and comma can
340 be considered either as applying to the preceding challenge, or to
341 be an empty entry in the list of challenges. In practice, this
342 ambiguity does not affect the semantics of the header field value
343 and thus is harmless.
345 4.2. Authorization
347 The "Authorization" header field allows a user agent to authenticate
348 itself with an origin server -- usually, but not necessarily, after
349 receiving a 401 (Unauthorized) response. Its value consists of
350 credentials containing the authentication information of the user
351 agent for the realm of the resource being requested.
353 Authorization = credentials
355 If a request is authenticated and a realm specified, the same
356 credentials are presumed to be valid for all other requests within
357 this realm (assuming that the authentication scheme itself does not
358 require otherwise, such as credentials that vary according to a
359 challenge value or using synchronized clocks).
361 A proxy forwarding a request MUST NOT modify any Authorization fields
362 in that request. See Section 3.2 of [Part6] for details of and
363 requirements pertaining to handling of the Authorization field by
364 HTTP caches.
366 4.3. Proxy-Authenticate
368 The "Proxy-Authenticate" header field consists of at least one
369 challenge that indicates the authentication scheme(s) and parameters
370 applicable to the proxy for this effective request URI (Section 5.5
371 of [Part1]). A proxy MUST send at least one Proxy-Authenticate
372 header field in each 407 (Proxy Authentication Required) response
373 that it generates.
375 Proxy-Authenticate = 1#challenge
377 Unlike WWW-Authenticate, the Proxy-Authenticate header field applies
378 only to the next outbound client on the response chain. This is
379 because only the client that chose a given proxy is likely to have
380 the credentials necessary for authentication. However, when multiple
381 proxies are used within the same administrative domain, such as
382 office and regional caching proxies within a large corporate network,
383 it is common for credentials to be generated by the user agent and
384 passed through the hierarchy until consumed. Hence, in such a
385 configuration, it will appear as if Proxy-Authenticate is being
386 forwarded because each proxy will send the same challenge set.
388 Note that the parsing considerations for WWW-Authenticate apply to
389 this header field as well; see Section 4.1 for details.
391 4.4. Proxy-Authorization
393 The "Proxy-Authorization" header field allows the client to identify
394 itself (or its user) to a proxy that requires authentication. Its
395 value consists of credentials containing the authentication
396 information of the client for the proxy and/or realm of the resource
397 being requested.
399 Proxy-Authorization = credentials
401 Unlike Authorization, the Proxy-Authorization header field applies
402 only to the next inbound proxy that demanded authentication using the
403 Proxy-Authenticate field. When multiple proxies are used in a chain,
404 the Proxy-Authorization header field is consumed by the first inbound
405 proxy that was expecting to receive credentials. A proxy MAY relay
406 the credentials from the client request to the next proxy if that is
407 the mechanism by which the proxies cooperatively authenticate a given
408 request.
410 5. IANA Considerations
412 5.1. Authentication Scheme Registry
414 The HTTP Authentication Scheme Registry defines the name space for
415 the authentication schemes in challenges and credentials. It will be
416 created and maintained at (the suggested URI)
417 .
419 5.1.1. Procedure
421 Registrations MUST include the following fields:
423 o Authentication Scheme Name
425 o Pointer to specification text
427 o Notes (optional)
429 Values to be added to this name space require IETF Review (see
430 [RFC5226], Section 4.1).
432 5.1.2. Considerations for New Authentication Schemes
434 There are certain aspects of the HTTP Authentication Framework that
435 put constraints on how new authentication schemes can work:
437 o HTTP authentication is presumed to be stateless: all of the
438 information necessary to authenticate a request MUST be provided
439 in the request, rather than be dependent on the server remembering
440 prior requests. Authentication based on, or bound to, the
441 underlying connection is outside the scope of this specification
442 and inherently flawed unless steps are taken to ensure that the
443 connection cannot be used by any party other than the
444 authenticated user (see Section 2.3 of [Part1]).
446 o The authentication parameter "realm" is reserved for defining
447 Protection Spaces as defined in Section 2.2. New schemes MUST NOT
448 use it in a way incompatible with that definition.
450 o The "token68" notation was introduced for compatibility with
451 existing authentication schemes and can only be used once per
452 challenge or credential. New schemes thus ought to use the "auth-
453 param" syntax instead, because otherwise future extensions will be
454 impossible.
456 o The parsing of challenges and credentials is defined by this
457 specification, and cannot be modified by new authentication
458 schemes. When the auth-param syntax is used, all parameters ought
459 to support both token and quoted-string syntax, and syntactical
460 constraints ought to be defined on the field value after parsing
461 (i.e., quoted-string processing). This is necessary so that
462 recipients can use a generic parser that applies to all
463 authentication schemes.
465 Note: The fact that the value syntax for the "realm" parameter is
466 restricted to quoted-string was a bad design choice not to be
467 repeated for new parameters.
469 o Definitions of new schemes ought to define the treatment of
470 unknown extension parameters. In general, a "must-ignore" rule is
471 preferable over "must-understand", because otherwise it will be
472 hard to introduce new parameters in the presence of legacy
473 recipients. Furthermore, it's good to describe the policy for
474 defining new parameters (such as "update the specification", or
475 "use this registry").
477 o Authentication schemes need to document whether they are usable in
478 origin-server authentication (i.e., using WWW-Authenticate),
479 and/or proxy authentication (i.e., using Proxy-Authenticate).
481 o The credentials carried in an Authorization header field are
482 specific to the User Agent, and therefore have the same effect on
483 HTTP caches as the "private" Cache-Control response directive
484 (Section 5.2.2.6 of [Part6]), within the scope of the request they
485 appear in.
487 Therefore, new authentication schemes that choose not to carry
488 credentials in the Authorization header field (e.g., using a newly
489 defined header field) will need to explicitly disallow caching, by
490 mandating the use of either Cache-Control request directives
491 (e.g., "no-store", Section 5.2.1.5 of [Part6]) or response
492 directives (e.g., "private").
494 5.2. Status Code Registration
496 The HTTP Status Code Registry located at
497 shall be updated
498 with the registrations below:
500 +-------+-------------------------------+-------------+
501 | Value | Description | Reference |
502 +-------+-------------------------------+-------------+
503 | 401 | Unauthorized | Section 3.1 |
504 | 407 | Proxy Authentication Required | Section 3.2 |
505 +-------+-------------------------------+-------------+
507 5.3. Header Field Registration
509 HTTP header fields are registered within the Message Header Field
510 Registry maintained at .
513 This document defines the following HTTP header fields, so their
514 associated registry entries shall be updated according to the
515 permanent registrations below (see [BCP90]):
517 +---------------------+----------+----------+-------------+
518 | Header Field Name | Protocol | Status | Reference |
519 +---------------------+----------+----------+-------------+
520 | Authorization | http | standard | Section 4.2 |
521 | Proxy-Authenticate | http | standard | Section 4.3 |
522 | Proxy-Authorization | http | standard | Section 4.4 |
523 | WWW-Authenticate | http | standard | Section 4.1 |
524 +---------------------+----------+----------+-------------+
526 The change controller is: "IETF (iesg@ietf.org) - Internet
527 Engineering Task Force".
529 6. Security Considerations
531 This section is meant to inform developers, information providers,
532 and users of known security concerns specific to HTTP authentication.
533 More general security considerations are addressed in HTTP messaging
534 [Part1] and semantics [Part2].
536 Everything about the topic of HTTP authentication is a security
537 consideration, so the list of considerations below is not exhaustive.
538 Furthermore, it is limited to security considerations regarding the
539 authentication framework, in general, rather than discussing all of
540 the potential considerations for specific authentication schemes
541 (which ought to be documented in the specifications that define those
542 schemes). Various organizations maintain topical information and
543 links to current research on Web application security (e.g.,
544 [OWASP]), including common pitfalls for implementing and using the
545 authentication schemes found in practice.
547 6.1. Confidentiality of Credentials
549 The HTTP authentication framework does not define a single mechanism
550 for maintaining the confidentiality of credentials; instead, each
551 authentication scheme defines how the credentials are encoded prior
552 to transmission. While this provides flexibility for the development
553 of future authentication schemes, it is inadequate for the protection
554 of existing schemes that provide no confidentiality on their own, or
555 that do not sufficiently protect against replay attacks.
556 Furthermore, if the server expects credentials that are specific to
557 each individual user, the exchange of those credentials will have the
558 effect of identifying that user even if the content within
559 credentials remains confidential.
561 HTTP depends on the security properties of the underlying transport
562 or session-level connection to provide confidential transmission of
563 header fields. In other words, if a server limits access to
564 authenticated users using this framework, the server needs to ensure
565 that the connection is properly secured in accordance with the nature
566 of the authentication scheme used. For example, services that depend
567 on individual user authentication often require a connection to be
568 secured with TLS ("Transport Layer Security", [RFC5246]) prior to
569 exchanging any credentials.
571 6.2. Authentication Credentials and Idle Clients
573 Existing HTTP clients and user agents typically retain authentication
574 information indefinitely. HTTP does not provide a mechanism for the
575 origin server to direct clients to discard these cached credentials,
576 since the protocol has no awareness of how credentials are obtained
577 or managed by the user agent. The mechanisms for expiring or
578 revoking credentials can be specified as part of an authentication
579 scheme definition.
581 Circumstances under which credential caching can interfere with the
582 application's security model include but are not limited to:
584 o Clients that have been idle for an extended period, following
585 which the server might wish to cause the client to re-prompt the
586 user for credentials.
588 o Applications that include a session termination indication (such
589 as a "logout" or "commit" button on a page) after which the server
590 side of the application "knows" that there is no further reason
591 for the client to retain the credentials.
593 User agents that cache credentials are encouraged to provide a
594 readily accessible mechanism for discarding cached credentials under
595 user control.
597 6.3. Protection Spaces
599 Authentication schemes that solely rely on the "realm" mechanism for
600 establishing a protection space will expose credentials to all
601 resources on an origin server. Clients that have successfully made
602 authenticated requests with a resource can use the same
603 authentication credentials for other resources on the same origin
604 server. This makes it possible for a different resource to harvest
605 authentication credentials for other resources.
607 This is of particular concern when an origin server hosts resources
608 for multiple parties under the same canonical root URI (Section 2.2).
609 Possible mitigation strategies include restricting direct access to
610 authentication credentials (i.e., not making the content of the
611 Authorization request header field available), and separating
612 protection spaces by using a different host name (or port number) for
613 each party.
615 7. Acknowledgments
617 This specification takes over the definition of the HTTP
618 Authentication Framework, previously defined in RFC 2617. We thank
619 John Franks, Phillip M. Hallam-Baker, Jeffery L. Hostetler, Scott D.
620 Lawrence, Paul J. Leach, Ari Luotonen, and Lawrence C. Stewart for
621 their work on that specification. See Section 6 of [RFC2617] for
622 further acknowledgements.
624 See Section 10 of [Part1] for the Acknowledgments related to this
625 document revision.
627 8. References
629 8.1. Normative References
631 [Part1] Fielding, R., Ed. and J. Reschke, Ed., "Hypertext Transfer
632 Protocol (HTTP/1.1): Message Syntax and Routing",
633 draft-ietf-httpbis-p1-messaging-26 (work in progress),
634 February 2014.
636 [Part2] Fielding, R., Ed. and J. Reschke, Ed., "Hypertext Transfer
637 Protocol (HTTP/1.1): Semantics and Content",
638 draft-ietf-httpbis-p2-semantics-26 (work in progress),
639 February 2014.
641 [Part6] Fielding, R., Ed., Nottingham, M., Ed., and J. Reschke,
642 Ed., "Hypertext Transfer Protocol (HTTP/1.1): Caching",
643 draft-ietf-httpbis-p6-cache-26 (work in progress),
644 February 2014.
646 [RFC2119] Bradner, S., "Key words for use in RFCs to Indicate
647 Requirement Levels", BCP 14, RFC 2119, March 1997.
649 [RFC5234] Crocker, D., Ed. and P. Overell, "Augmented BNF for Syntax
650 Specifications: ABNF", STD 68, RFC 5234, January 2008.
652 8.2. Informative References
654 [BCP90] Klyne, G., Nottingham, M., and J. Mogul, "Registration
655 Procedures for Message Header Fields", BCP 90, RFC 3864,
656 September 2004.
658 [OWASP] van der Stock, A., Ed., "A Guide to Building Secure Web
659 Applications and Web Services", The Open Web Application
660 Security Project (OWASP) 2.0.1, July 2005,
661 .
663 [RFC2616] Fielding, R., Gettys, J., Mogul, J., Frystyk, H.,
664 Masinter, L., Leach, P., and T. Berners-Lee, "Hypertext
665 Transfer Protocol -- HTTP/1.1", RFC 2616, June 1999.
667 [RFC2617] Franks, J., Hallam-Baker, P., Hostetler, J., Lawrence, S.,
668 Leach, P., Luotonen, A., and L. Stewart, "HTTP
669 Authentication: Basic and Digest Access Authentication",
670 RFC 2617, June 1999.
672 [RFC3986] Berners-Lee, T., Fielding, R., and L. Masinter, "Uniform
673 Resource Identifier (URI): Generic Syntax", STD 66,
674 RFC 3986, January 2005.
676 [RFC4648] Josefsson, S., "The Base16, Base32, and Base64 Data
677 Encodings", RFC 4648, October 2006.
679 [RFC5226] Narten, T. and H. Alvestrand, "Guidelines for Writing an
680 IANA Considerations Section in RFCs", BCP 26, RFC 5226,
681 May 2008.
683 [RFC5246] Dierks, T. and E. Rescorla, "The Transport Layer Security
684 (TLS) Protocol Version 1.2", RFC 5246, August 2008.
686 Appendix A. Changes from RFCs 2616 and 2617
688 The framework for HTTP Authentication is now defined by this
689 document, rather than RFC 2617.
691 The "realm" parameter is no longer always required on challenges;
692 consequently, the ABNF allows challenges without any auth parameters.
693 (Section 2)
695 The "token68" alternative to auth-param lists has been added for
696 consistency with legacy authentication schemes such as "Basic".
697 (Section 2)
699 This specification introduces the Authentication Scheme Registry,
700 along with considerations for new authentication schemes.
701 (Section 5.1)
703 Appendix B. Imported ABNF
705 The following core rules are included by reference, as defined in
706 Appendix B.1 of [RFC5234]: ALPHA (letters), CR (carriage return),
707 CRLF (CR LF), CTL (controls), DIGIT (decimal 0-9), DQUOTE (double
708 quote), HEXDIG (hexadecimal 0-9/A-F/a-f), LF (line feed), OCTET (any
709 8-bit sequence of data), SP (space), and VCHAR (any visible US-ASCII
710 character).
712 The rules below are defined in [Part1]:
714 BWS =
715 OWS =
716 quoted-string =
717 token =
719 Appendix C. Collected ABNF
721 In the collected ABNF below, list rules are expanded as per Section
722 1.2 of [Part1].
724 Authorization = credentials
726 BWS =
728 OWS =
730 Proxy-Authenticate = *( "," OWS ) challenge *( OWS "," [ OWS
731 challenge ] )
732 Proxy-Authorization = credentials
734 WWW-Authenticate = *( "," OWS ) challenge *( OWS "," [ OWS challenge
735 ] )
737 auth-param = token BWS "=" BWS ( token / quoted-string )
738 auth-scheme = token
740 challenge = auth-scheme [ 1*SP ( token68 / [ ( "," / auth-param ) *(
741 OWS "," [ OWS auth-param ] ) ] ) ]
742 credentials = auth-scheme [ 1*SP ( token68 / [ ( "," / auth-param )
743 *( OWS "," [ OWS auth-param ] ) ] ) ]
745 quoted-string =
747 token =
748 token68 = 1*( ALPHA / DIGIT / "-" / "." / "_" / "~" / "+" / "/" )
749 *"="
751 Appendix D. Change Log (to be removed by RFC Editor before publication)
753 Changes up to the IETF Last Call draft are summarized in .
756 D.1. Since draft-ietf-httpbis-p7-auth-24
758 Closed issues:
760 o : "SECDIR review
761 of draft-ietf-httpbis-p7-auth-24"
763 o : "APPSDIR
764 review of draft-ietf-httpbis-p7-auth-24"
766 o : "note about
767 WWW-A parsing potentially misleading"
769 D.2. Since draft-ietf-httpbis-p7-auth-25
771 Closed issues:
773 o : "Gen-art
774 review of draft-ietf-httpbis-p7-auth-25"
776 o : "IESG ballot
777 on draft-ietf-httpbis-p7-auth-25"
779 o : "add
780 'stateless' to Abstract"
782 o : "mention TLS
783 vs plain text passwords or dict attacks?"
785 o : "improve
786 introduction of list rule"
788 o : "augment
789 security considerations with pointers to current research"
791 Index
793 4
794 401 Unauthorized (status code) 7
795 407 Proxy Authentication Required (status code) 7
797 A
798 Authorization header field 8
800 C
801 Canonical Root URI 6
803 G
804 Grammar
805 auth-param 5
806 auth-scheme 5
807 Authorization 8
808 challenge 5
809 credentials 6
810 Proxy-Authenticate 9
811 Proxy-Authorization 9
812 token68 5
813 WWW-Authenticate 8
815 P
816 Protection Space 6
817 Proxy-Authenticate header field 9
818 Proxy-Authorization header field 9
820 R
821 Realm 6
823 W
824 WWW-Authenticate header field 8
826 Authors' Addresses
828 Roy T. Fielding (editor)
829 Adobe Systems Incorporated
830 345 Park Ave
831 San Jose, CA 95110
832 USA
834 EMail: fielding@gbiv.com
835 URI: http://roy.gbiv.com/
837 Julian F. Reschke (editor)
838 greenbytes GmbH
839 Hafenweg 16
840 Muenster, NW 48155
841 Germany
843 EMail: julian.reschke@greenbytes.de
844 URI: http://greenbytes.de/tech/webdav/