Network Working Group R. Van Rein Internet-Draft InternetWide.org Intended status: Standards Track January 24, 2020 Expires: July 27, 2020 User Names for HTTP Resources draft-vanrein-http-unauth-user-02 Abstract Most protocols support users under domain names, but HTTP does not. Usage patterns in the wild do suggest a desire to have this facility. This specification defines a header for user names, orthogonal to any authentication or authorisation concerns. Status of This Memo This Internet-Draft is submitted in full conformance with the provisions of BCP 78 and BCP 79. Internet-Drafts are working documents of the Internet Engineering Task Force (IETF). Note that other groups may also distribute working documents as Internet-Drafts. The list of current Internet- Drafts is at https://datatracker.ietf.org/drafts/current/. Internet-Drafts are draft documents valid for a maximum of six months and may be updated, replaced, or obsoleted by other documents at any time. It is inappropriate to use Internet-Drafts as reference material or to cite them other than as "work in progress." This Internet-Draft will expire on July 27, 2020. Copyright Notice Copyright (c) 2020 IETF Trust and the persons identified as the document authors. All rights reserved. This document is subject to BCP 78 and the IETF Trust's Legal Provisions Relating to IETF Documents (https://trustee.ietf.org/license-info) in effect on the date of publication of this document. Please review these documents carefully, as they describe your rights and restrictions with respect to this document. Code Components extracted from this document must include Simplified BSD License text as described in Section 4.e of the Trust Legal Provisions and are provided without warranty as described in the Simplified BSD License. Van Rein Expires July 27, 2020 [Page 1] Internet-Draft HTTP user@ January 2020 Table of Contents 1. Introduction . . . . . . . . . . . . . . . . . . . . . . . . 2 2. The HTTP User Header . . . . . . . . . . . . . . . . . . . . 3 3. Protocol Handling of HTTP User . . . . . . . . . . . . . . . 3 4. Caching Behaviour . . . . . . . . . . . . . . . . . . . . . . 3 5. IANA Considerations . . . . . . . . . . . . . . . . . . . . . 4 6. Security Considerations . . . . . . . . . . . . . . . . . . . 4 7. Normative References . . . . . . . . . . . . . . . . . . . . 4 Appendix A. HTTP User Environment Variable . . . . . . . . . . . 4 Author's Address . . . . . . . . . . . . . . . . . . . . . . . . 5 1. Introduction Most protocols support Network Access Identifiers [RFC7542] like john@example.com to identify users like john under domains such as example.com. The URI format for HTTP can express [Section 2.7.1 of [RFC7230]] such authority sections, and many online applications seem to want to address individual users, but HTTP URIs do not usually express user names. This specification therefore introduces a header "User", in close parallel to the "Host" header. Historically, user names have been coupled to (Basic and Digest) authentication. This is not generally correct; the user name in the URI indicates a resource name space, not an (authenticating) visitor. By using a new header field, this specification allows authentication to be orthogonal to resource name space selection. Some user agents have supported (Basic and Digest) authentication with a "user:password" format in the authority section of URIs. This has now been deprecated [Section 3.2.1 of [RFC3986]] but the form with just "user" and no ":password" continues to be acceptable. Various HTTP clients have different handling for this form, sometimes flagging it incorrectly as a security hazard, which also motivates a specification for proper handling. TODO: Issue filed with HTTPbis, https://github.com/httpwg/http-core/ issues/278 and offered a Pull Request, https://github.com/httpwg/ http-core/compare/master...arpa2:userinfo-password as a followup of somewhat late Errata against RFC7230, https://www.rfc- editor.org/errata/eid5964 The purpose of this specification is to define clear meaning for HTTP URIs with a user name. Van Rein Expires July 27, 2020 [Page 2] Internet-Draft HTTP user@ January 2020 2. The HTTP User Header The "User" header field provides an aspect of the desired resource name scope. The value is usually taken from the authority section [Section 3.2 of [RFC3986]] of the target URI and MUST NOT include a ":" colon (U+003a) character. The User header value holds precisely one value with the following ABNF grammar: User = 1*( unreserved / pct-encoded / sub-delims ) The referenced non-terminals are as for URIs [RFC3986]. Zeal in the use of the "pct-encoded" non-terminal for plain characters that have a direct representation MAY be treated as an attempted attack. The User header MAY appear in requests and MUST NOT occur in responses. When unrecognised by HTTP servers, the User header is ignored [Section 3.2.1 of [RFC7230]]. Intermediates such as proxies and caches MUST NOT add, remove or modify the User header. 3. Protocol Handling of HTTP User User agents SHOULD render user names in authority sections whenever they render host names, though it may be helpful if it stands out graphically [Section 7.6 of [RFC3986]]. User agents SHOULD NOT remove user names from the target URI. User agents MAY remove the "@" (U+0040) symbol from a URI when the preceding user name is empty. User agents MUST refuse URIs with a ":" colon (U+003a) in the user name but MUST NOT complain about a user name that does not have that character. During redirects or other traversals to (relative) HTTP URIs, the user name MUST be overwritten when the new URI specifies an authority component, and it MUST be kept otherwise. 4. Caching Behaviour The privacy or security of an HTTP resource is not impacted by the use of a User header. This is because User is about resource location, but not about client identity. HTTP caches [RFC7234] need to distinguish requests with different User header values. The Vary header [Section 7.1.4 of [RFC7231]] MUST be present in the matching response, and the header MUST either be a single "*" star (U+002a) or list the "user" name, for all Van Rein Expires July 27, 2020 [Page 3] Internet-Draft HTTP user@ January 2020 responses whose processing was influenced by the User header. This requirement does not apply to software and configurations that ignore the User header. 5. IANA Considerations IANA adds the following entry to the Message Headers registry: Header Field Name Template Protocol Status Reference ------------------ --------- --------- ------- ---------- User http TBD TBD:THIS_SPEC 6. Security Considerations The User header field as defined herein is orthogonal to issues of authentication or authorisation, and adds no security concerns. 7. Normative References [RFC3986] Berners-Lee, T., Fielding, R., and L. Masinter, "Uniform Resource Identifier (URI): Generic Syntax", STD 66, RFC 3986, DOI 10.17487/RFC3986, January 2005, . [RFC7230] Fielding, R., Ed. and J. Reschke, Ed., "Hypertext Transfer Protocol (HTTP/1.1): Message Syntax and Routing", RFC 7230, DOI 10.17487/RFC7230, June 2014, . [RFC7231] Fielding, R., Ed. and J. Reschke, Ed., "Hypertext Transfer Protocol (HTTP/1.1): Semantics and Content", RFC 7231, DOI 10.17487/RFC7231, June 2014, . [RFC7234] Fielding, R., Ed., Nottingham, M., Ed., and J. Reschke, Ed., "Hypertext Transfer Protocol (HTTP/1.1): Caching", RFC 7234, DOI 10.17487/RFC7234, June 2014, . [RFC7542] DeKok, A., "The Network Access Identifier", RFC 7542, DOI 10.17487/RFC7542, May 2015, . Appendix A. HTTP User Environment Variable The following variable SHOULD be passed up to applications on a HTTP server: Van Rein Expires July 27, 2020 [Page 4] Internet-Draft HTTP user@ January 2020 HTTP_USER gives the HTTP User header value after parsing and percent-decoding. Like the customary variables HTTP_HOST and PATH_INFO, this specifies the resource being requested. The HTTP_USER header does not describe the identity of the HTTP client. Author's Address Rick van Rein InternetWide.org Haarlebrink 5 Enschede, Overijssel 7544 WP The Netherlands Email: rick@openfortress.nl Van Rein Expires July 27, 2020 [Page 5]