idnits 2.17.1
draft-ietf-httpbis-auth-00.txt:
Checking boilerplate required by RFC 5378 and the IETF Trust (see
https://trustee.ietf.org/license-info):
----------------------------------------------------------------------------
No issues found here.
Checking nits according to https://www.ietf.org/id-info/1id-guidelines.txt:
----------------------------------------------------------------------------
No issues found here.
Checking nits according to https://www.ietf.org/id-info/checklist :
----------------------------------------------------------------------------
-- The draft header indicates that this document updates RFC2617, but the
abstract doesn't seem to mention this, which it should.
Miscellaneous warnings:
----------------------------------------------------------------------------
== The copyright year in the IETF Trust and authors Copyright Line does not
match the current year
(Using the creation date from RFC2617, updated by this document, for
RFC5378 checks: 1997-12-01)
-- The document seems to contain a disclaimer for pre-RFC5378 work, and may
have content which was first submitted before 10 November 2008. The
disclaimer is necessary when there are original authors that you have
been unable to contact, or if some do not wish to grant the BCP78 rights
to the IETF Trust. If you are able to get all authors (current and
original) to grant those rights, you can and should remove the
disclaimer; otherwise, the disclaimer is needed and you can ignore this
comment. (See the Legal Provisions document at
https://trustee.ietf.org/license-info for more information.)
-- The document date (April 3, 2018) is 2214 days in the past. Is this
intentional?
Checking references for intended status: Proposed Standard
----------------------------------------------------------------------------
(See RFCs 3967 and 4897 for information about using normative references
to lower-maturity documents in RFCs)
== Unused Reference: 'RFC7235' is defined on line 683, but no explicit
reference was found in the text
== Outdated reference: A later version (-19) exists of
draft-ietf-httpbis-cache-00
-- Possible downref: Normative reference to a draft: ref. 'CACHING'
== Outdated reference: A later version (-19) exists of
draft-ietf-httpbis-messaging-00
-- Possible downref: Normative reference to a draft: ref. 'MESSGNG'
== Outdated reference: A later version (-19) exists of
draft-ietf-httpbis-semantics-00
-- Possible downref: Normative reference to a draft: ref. 'SEMNTCS'
-- Obsolete informational reference (is this intentional?): RFC 2617
(Obsoleted by RFC 7235, RFC 7615, RFC 7616, RFC 7617)
-- Obsolete informational reference (is this intentional?): RFC 5226
(Obsoleted by RFC 8126)
-- Obsolete informational reference (is this intentional?): RFC 5246
(Obsoleted by RFC 8446)
-- Obsolete informational reference (is this intentional?): RFC 7235
(Obsoleted by RFC 9110)
Summary: 0 errors (**), 0 flaws (~~), 5 warnings (==), 10 comments (--).
Run idnits with the --verbose option for more detailed information about
the items above.
--------------------------------------------------------------------------------
2 HTTP Working Group R. Fielding, Ed.
3 Internet-Draft Adobe
4 Obsoletes: 7235 (if approved) M. Nottingham, Ed.
5 Updates: 2617 (if approved) Fastly
6 Intended status: Standards Track J. Reschke, Ed.
7 Expires: October 5, 2018 greenbytes
8 April 3, 2018
10 Hypertext Transfer Protocol (HTTP): Authentication
11 draft-ietf-httpbis-auth-00
13 Abstract
15 The Hypertext Transfer Protocol (HTTP) is a stateless application-
16 level protocol for distributed, collaborative, hypermedia information
17 systems. This document defines the HTTP Authentication framework.
19 This document obsoletes RFC 7235.
21 Editorial Note
23 This note is to be removed before publishing as an RFC.
25 Discussion of this draft takes place on the HTTP working group
26 mailing list (ietf-http-wg@w3.org), which is archived at
27 .
29 Working Group information can be found at ;
30 source code and issues list for this draft can be found at
31 .
33 The changes in this draft are summarized in Appendix D.1.
35 Status of This Memo
37 This Internet-Draft is submitted in full conformance with the
38 provisions of BCP 78 and BCP 79.
40 Internet-Drafts are working documents of the Internet Engineering
41 Task Force (IETF). Note that other groups may also distribute
42 working documents as Internet-Drafts. The list of current Internet-
43 Drafts is at https://datatracker.ietf.org/drafts/current/.
45 Internet-Drafts are draft documents valid for a maximum of six months
46 and may be updated, replaced, or obsoleted by other documents at any
47 time. It is inappropriate to use Internet-Drafts as reference
48 material or to cite them other than as "work in progress."
49 This Internet-Draft will expire on October 5, 2018.
51 Copyright Notice
53 Copyright (c) 2018 IETF Trust and the persons identified as the
54 document authors. All rights reserved.
56 This document is subject to BCP 78 and the IETF Trust's Legal
57 Provisions Relating to IETF Documents
58 (https://trustee.ietf.org/license-info) in effect on the date of
59 publication of this document. Please review these documents
60 carefully, as they describe your rights and restrictions with respect
61 to this document. Code Components extracted from this document must
62 include Simplified BSD License text as described in Section 4.e of
63 the Trust Legal Provisions and are provided without warranty as
64 described in the Simplified BSD License.
66 This document may contain material from IETF Documents or IETF
67 Contributions published or made publicly available before November
68 10, 2008. The person(s) controlling the copyright in some of this
69 material may not have granted the IETF Trust the right to allow
70 modifications of such material outside the IETF Standards Process.
71 Without obtaining an adequate license from the person(s) controlling
72 the copyright in such materials, this document may not be modified
73 outside the IETF Standards Process, and derivative works of it may
74 not be created outside the IETF Standards Process, except to format
75 it for publication as an RFC or to translate it into languages other
76 than English.
78 Table of Contents
80 1. Introduction . . . . . . . . . . . . . . . . . . . . . . . . 3
81 1.1. Conformance and Error Handling . . . . . . . . . . . . . 3
82 1.2. Syntax Notation . . . . . . . . . . . . . . . . . . . . . 4
83 2. Access Authentication Framework . . . . . . . . . . . . . . . 4
84 2.1. Challenge and Response . . . . . . . . . . . . . . . . . 4
85 2.2. Protection Space (Realm) . . . . . . . . . . . . . . . . 6
86 3. Status Code Definitions . . . . . . . . . . . . . . . . . . . 6
87 3.1. 401 Unauthorized . . . . . . . . . . . . . . . . . . . . 7
88 3.2. 407 Proxy Authentication Required . . . . . . . . . . . . 7
89 4. Header Field Definitions . . . . . . . . . . . . . . . . . . 7
90 4.1. WWW-Authenticate . . . . . . . . . . . . . . . . . . . . 7
91 4.2. Authorization . . . . . . . . . . . . . . . . . . . . . . 8
92 4.3. Proxy-Authenticate . . . . . . . . . . . . . . . . . . . 9
93 4.4. Proxy-Authorization . . . . . . . . . . . . . . . . . . . 9
94 5. IANA Considerations . . . . . . . . . . . . . . . . . . . . . 10
95 5.1. Authentication Scheme Registry . . . . . . . . . . . . . 10
96 5.1.1. Procedure . . . . . . . . . . . . . . . . . . . . . . 10
97 5.1.2. Considerations for New Authentication Schemes . . . . 10
98 5.2. Status Code Registration . . . . . . . . . . . . . . . . 12
99 5.3. Header Field Registration . . . . . . . . . . . . . . . . 12
100 6. Security Considerations . . . . . . . . . . . . . . . . . . . 12
101 6.1. Confidentiality of Credentials . . . . . . . . . . . . . 13
102 6.2. Authentication Credentials and Idle Clients . . . . . . . 13
103 6.3. Protection Spaces . . . . . . . . . . . . . . . . . . . . 14
104 7. References . . . . . . . . . . . . . . . . . . . . . . . . . 14
105 7.1. Normative References . . . . . . . . . . . . . . . . . . 14
106 7.2. Informative References . . . . . . . . . . . . . . . . . 15
107 Appendix A. Changes from RFC 7235 . . . . . . . . . . . . . . . 16
108 Appendix B. Imported ABNF . . . . . . . . . . . . . . . . . . . 16
109 Appendix C. Collected ABNF . . . . . . . . . . . . . . . . . . . 16
110 Appendix D. Change Log . . . . . . . . . . . . . . . . . . . . . 17
111 D.1. Since RFC 7235 . . . . . . . . . . . . . . . . . . . . . 17
112 Index . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 18
113 Acknowledgments . . . . . . . . . . . . . . . . . . . . . . . . . 18
114 Authors' Addresses . . . . . . . . . . . . . . . . . . . . . . . 19
116 1. Introduction
118 HTTP provides a general framework for access control and
119 authentication, via an extensible set of challenge-response
120 authentication schemes, which can be used by a server to challenge a
121 client request and by a client to provide authentication information.
122 This document defines HTTP/1.1 authentication in terms of the
123 architecture defined in "Hypertext Transfer Protocol (HTTP/1.1):
124 Message Syntax and Routing" [MESSGNG].
126 The IANA Authentication Scheme Registry (Section 5.1) lists
127 registered authentication schemes and their corresponding
128 specifications.
130 This specification obsoletes RFC 7235, with the changes being
131 summarized in Appendix A.
133 1.1. Conformance and Error Handling
135 The key words "MUST", "MUST NOT", "REQUIRED", "SHALL", "SHALL NOT",
136 "SHOULD", "SHOULD NOT", "RECOMMENDED", "MAY", and "OPTIONAL" in this
137 document are to be interpreted as described in [RFC2119].
139 Conformance criteria and considerations regarding error handling are
140 defined in Section 2.5 of [MESSGNG].
142 1.2. Syntax Notation
144 This specification uses the Augmented Backus-Naur Form (ABNF)
145 notation of [RFC5234] with a list extension, defined in Section 7 of
146 [MESSGNG], that allows for compact definition of comma-separated
147 lists using a '#' operator (similar to how the '*' operator indicates
148 repetition). Appendix B describes rules imported from other
149 documents. Appendix C shows the collected grammar with all list
150 operators expanded to standard ABNF notation.
152 2. Access Authentication Framework
154 2.1. Challenge and Response
156 HTTP provides a simple challenge-response authentication framework
157 that can be used by a server to challenge a client request and by a
158 client to provide authentication information. It uses a case-
159 insensitive token as a means to identify the authentication scheme,
160 followed by additional information necessary for achieving
161 authentication via that scheme. The latter can be either a comma-
162 separated list of parameters or a single sequence of characters
163 capable of holding base64-encoded information.
165 Authentication parameters are name=value pairs, where the name token
166 is matched case-insensitively, and each parameter name MUST only
167 occur once per challenge.
169 auth-scheme = token
171 auth-param = token BWS "=" BWS ( token / quoted-string )
173 token68 = 1*( ALPHA / DIGIT /
174 "-" / "." / "_" / "~" / "+" / "/" ) *"="
176 The token68 syntax allows the 66 unreserved URI characters
177 ([RFC3986]), plus a few others, so that it can hold a base64,
178 base64url (URL and filename safe alphabet), base32, or base16 (hex)
179 encoding, with or without padding, but excluding whitespace
180 ([RFC4648]).
182 A 401 (Unauthorized) response message is used by an origin server to
183 challenge the authorization of a user agent, including a WWW-
184 Authenticate header field containing at least one challenge
185 applicable to the requested resource.
187 A 407 (Proxy Authentication Required) response message is used by a
188 proxy to challenge the authorization of a client, including a Proxy-
189 Authenticate header field containing at least one challenge
190 applicable to the proxy for the requested resource.
192 challenge = auth-scheme [ 1*SP ( token68 / #auth-param ) ]
194 Note: Many clients fail to parse a challenge that contains an
195 unknown scheme. A workaround for this problem is to list well-
196 supported schemes (such as "basic") first.
198 A user agent that wishes to authenticate itself with an origin server
199 -- usually, but not necessarily, after receiving a 401 (Unauthorized)
200 -- can do so by including an Authorization header field with the
201 request.
203 A client that wishes to authenticate itself with a proxy -- usually,
204 but not necessarily, after receiving a 407 (Proxy Authentication
205 Required) -- can do so by including a Proxy-Authorization header
206 field with the request.
208 Both the Authorization field value and the Proxy-Authorization field
209 value contain the client's credentials for the realm of the resource
210 being requested, based upon a challenge received in a response
211 (possibly at some point in the past). When creating their values,
212 the user agent ought to do so by selecting the challenge with what it
213 considers to be the most secure auth-scheme that it understands,
214 obtaining credentials from the user as appropriate. Transmission of
215 credentials within header field values implies significant security
216 considerations regarding the confidentiality of the underlying
217 connection, as described in Section 6.1.
219 credentials = auth-scheme [ 1*SP ( token68 / #auth-param ) ]
221 Upon receipt of a request for a protected resource that omits
222 credentials, contains invalid credentials (e.g., a bad password) or
223 partial credentials (e.g., when the authentication scheme requires
224 more than one round trip), an origin server SHOULD send a 401
225 (Unauthorized) response that contains a WWW-Authenticate header field
226 with at least one (possibly new) challenge applicable to the
227 requested resource.
229 Likewise, upon receipt of a request that omits proxy credentials or
230 contains invalid or partial proxy credentials, a proxy that requires
231 authentication SHOULD generate a 407 (Proxy Authentication Required)
232 response that contains a Proxy-Authenticate header field with at
233 least one (possibly new) challenge applicable to the proxy.
235 A server that receives valid credentials that are not adequate to
236 gain access ought to respond with the 403 (Forbidden) status code
237 (Section 6.5.3 of [SEMNTCS]).
239 HTTP does not restrict applications to this simple challenge-response
240 framework for access authentication. Additional mechanisms can be
241 used, such as authentication at the transport level or via message
242 encapsulation, and with additional header fields specifying
243 authentication information. However, such additional mechanisms are
244 not defined by this specification.
246 2.2. Protection Space (Realm)
248 The "realm" authentication parameter is reserved for use by
249 authentication schemes that wish to indicate a scope of protection.
251 A protection space is defined by the canonical root URI (the scheme
252 and authority components of the effective request URI; see
253 Section 5.5 of [MESSGNG]) of the server being accessed, in
254 combination with the realm value if present. These realms allow the
255 protected resources on a server to be partitioned into a set of
256 protection spaces, each with its own authentication scheme and/or
257 authorization database. The realm value is a string, generally
258 assigned by the origin server, that can have additional semantics
259 specific to the authentication scheme. Note that a response can have
260 multiple challenges with the same auth-scheme but with different
261 realms.
263 The protection space determines the domain over which credentials can
264 be automatically applied. If a prior request has been authorized,
265 the user agent MAY reuse the same credentials for all other requests
266 within that protection space for a period of time determined by the
267 authentication scheme, parameters, and/or user preferences (such as a
268 configurable inactivity timeout). Unless specifically allowed by the
269 authentication scheme, a single protection space cannot extend
270 outside the scope of its server.
272 For historical reasons, a sender MUST only generate the quoted-string
273 syntax. Recipients might have to support both token and quoted-
274 string syntax for maximum interoperability with existing clients that
275 have been accepting both notations for a long time.
277 3. Status Code Definitions
278 3.1. 401 Unauthorized
280 The 401 (Unauthorized) status code indicates that the request has not
281 been applied because it lacks valid authentication credentials for
282 the target resource. The server generating a 401 response MUST send
283 a WWW-Authenticate header field (Section 4.1) containing at least one
284 challenge applicable to the target resource.
286 If the request included authentication credentials, then the 401
287 response indicates that authorization has been refused for those
288 credentials. The user agent MAY repeat the request with a new or
289 replaced Authorization header field (Section 4.2). If the 401
290 response contains the same challenge as the prior response, and the
291 user agent has already attempted authentication at least once, then
292 the user agent SHOULD present the enclosed representation to the
293 user, since it usually contains relevant diagnostic information.
295 3.2. 407 Proxy Authentication Required
297 The 407 (Proxy Authentication Required) status code is similar to 401
298 (Unauthorized), but it indicates that the client needs to
299 authenticate itself in order to use a proxy. The proxy MUST send a
300 Proxy-Authenticate header field (Section 4.3) containing a challenge
301 applicable to that proxy for the target resource. The client MAY
302 repeat the request with a new or replaced Proxy-Authorization header
303 field (Section 4.4).
305 4. Header Field Definitions
307 This section defines the syntax and semantics of header fields
308 related to the HTTP authentication framework.
310 4.1. WWW-Authenticate
312 The "WWW-Authenticate" header field indicates the authentication
313 scheme(s) and parameters applicable to the target resource.
315 WWW-Authenticate = 1#challenge
317 A server generating a 401 (Unauthorized) response MUST send a WWW-
318 Authenticate header field containing at least one challenge. A
319 server MAY generate a WWW-Authenticate header field in other response
320 messages to indicate that supplying credentials (or different
321 credentials) might affect the response.
323 A proxy forwarding a response MUST NOT modify any WWW-Authenticate
324 fields in that response.
326 User agents are advised to take special care in parsing the field
327 value, as it might contain more than one challenge, and each
328 challenge can contain a comma-separated list of authentication
329 parameters. Furthermore, the header field itself can occur multiple
330 times.
332 For instance:
334 WWW-Authenticate: Newauth realm="apps", type=1,
335 title="Login to \"apps\"", Basic realm="simple"
337 This header field contains two challenges; one for the "Newauth"
338 scheme with a realm value of "apps", and two additional parameters
339 "type" and "title", and another one for the "Basic" scheme with a
340 realm value of "simple".
342 Note: The challenge grammar production uses the list syntax as
343 well. Therefore, a sequence of comma, whitespace, and comma can
344 be considered either as applying to the preceding challenge, or to
345 be an empty entry in the list of challenges. In practice, this
346 ambiguity does not affect the semantics of the header field value
347 and thus is harmless.
349 4.2. Authorization
351 The "Authorization" header field allows a user agent to authenticate
352 itself with an origin server -- usually, but not necessarily, after
353 receiving a 401 (Unauthorized) response. Its value consists of
354 credentials containing the authentication information of the user
355 agent for the realm of the resource being requested.
357 Authorization = credentials
359 If a request is authenticated and a realm specified, the same
360 credentials are presumed to be valid for all other requests within
361 this realm (assuming that the authentication scheme itself does not
362 require otherwise, such as credentials that vary according to a
363 challenge value or using synchronized clocks).
365 A proxy forwarding a request MUST NOT modify any Authorization fields
366 in that request. See Section 3.2 of [CACHING] for details of and
367 requirements pertaining to handling of the Authorization field by
368 HTTP caches.
370 4.3. Proxy-Authenticate
372 The "Proxy-Authenticate" header field consists of at least one
373 challenge that indicates the authentication scheme(s) and parameters
374 applicable to the proxy for this effective request URI (Section 5.5
375 of [MESSGNG]). A proxy MUST send at least one Proxy-Authenticate
376 header field in each 407 (Proxy Authentication Required) response
377 that it generates.
379 Proxy-Authenticate = 1#challenge
381 Unlike WWW-Authenticate, the Proxy-Authenticate header field applies
382 only to the next outbound client on the response chain. This is
383 because only the client that chose a given proxy is likely to have
384 the credentials necessary for authentication. However, when multiple
385 proxies are used within the same administrative domain, such as
386 office and regional caching proxies within a large corporate network,
387 it is common for credentials to be generated by the user agent and
388 passed through the hierarchy until consumed. Hence, in such a
389 configuration, it will appear as if Proxy-Authenticate is being
390 forwarded because each proxy will send the same challenge set.
392 Note that the parsing considerations for WWW-Authenticate apply to
393 this header field as well; see Section 4.1 for details.
395 4.4. Proxy-Authorization
397 The "Proxy-Authorization" header field allows the client to identify
398 itself (or its user) to a proxy that requires authentication. Its
399 value consists of credentials containing the authentication
400 information of the client for the proxy and/or realm of the resource
401 being requested.
403 Proxy-Authorization = credentials
405 Unlike Authorization, the Proxy-Authorization header field applies
406 only to the next inbound proxy that demanded authentication using the
407 Proxy-Authenticate field. When multiple proxies are used in a chain,
408 the Proxy-Authorization header field is consumed by the first inbound
409 proxy that was expecting to receive credentials. A proxy MAY relay
410 the credentials from the client request to the next proxy if that is
411 the mechanism by which the proxies cooperatively authenticate a given
412 request.
414 5. IANA Considerations
416 5.1. Authentication Scheme Registry
418 The "Hypertext Transfer Protocol (HTTP) Authentication Scheme
419 Registry" defines the namespace for the authentication schemes in
420 challenges and credentials. It has been created and is now
421 maintained at .
423 5.1.1. Procedure
425 Registrations MUST include the following fields:
427 o Authentication Scheme Name
429 o Pointer to specification text
431 o Notes (optional)
433 Values to be added to this namespace require IETF Review (see
434 [RFC5226], Section 4.1).
436 5.1.2. Considerations for New Authentication Schemes
438 There are certain aspects of the HTTP Authentication Framework that
439 put constraints on how new authentication schemes can work:
441 o HTTP authentication is presumed to be stateless: all of the
442 information necessary to authenticate a request MUST be provided
443 in the request, rather than be dependent on the server remembering
444 prior requests. Authentication based on, or bound to, the
445 underlying connection is outside the scope of this specification
446 and inherently flawed unless steps are taken to ensure that the
447 connection cannot be used by any party other than the
448 authenticated user (see Section 2.3 of [MESSGNG]).
450 o The authentication parameter "realm" is reserved for defining
451 protection spaces as described in Section 2.2. New schemes MUST
452 NOT use it in a way incompatible with that definition.
454 o The "token68" notation was introduced for compatibility with
455 existing authentication schemes and can only be used once per
456 challenge or credential. Thus, new schemes ought to use the auth-
457 param syntax instead, because otherwise future extensions will be
458 impossible.
460 o The parsing of challenges and credentials is defined by this
461 specification and cannot be modified by new authentication
462 schemes. When the auth-param syntax is used, all parameters ought
463 to support both token and quoted-string syntax, and syntactical
464 constraints ought to be defined on the field value after parsing
465 (i.e., quoted-string processing). This is necessary so that
466 recipients can use a generic parser that applies to all
467 authentication schemes.
469 Note: The fact that the value syntax for the "realm" parameter is
470 restricted to quoted-string was a bad design choice not to be
471 repeated for new parameters.
473 o Definitions of new schemes ought to define the treatment of
474 unknown extension parameters. In general, a "must-ignore" rule is
475 preferable to a "must-understand" rule, because otherwise it will
476 be hard to introduce new parameters in the presence of legacy
477 recipients. Furthermore, it's good to describe the policy for
478 defining new parameters (such as "update the specification" or
479 "use this registry").
481 o Authentication schemes need to document whether they are usable in
482 origin-server authentication (i.e., using WWW-Authenticate), and/
483 or proxy authentication (i.e., using Proxy-Authenticate).
485 o The credentials carried in an Authorization header field are
486 specific to the user agent and, therefore, have the same effect on
487 HTTP caches as the "private" Cache-Control response directive
488 (Section 5.2.2.6 of [CACHING]), within the scope of the request in
489 which they appear.
491 Therefore, new authentication schemes that choose not to carry
492 credentials in the Authorization header field (e.g., using a newly
493 defined header field) will need to explicitly disallow caching, by
494 mandating the use of either Cache-Control request directives
495 (e.g., "no-store", Section 5.2.1.5 of [CACHING]) or response
496 directives (e.g., "private").
498 5.2. Status Code Registration
500 The "Hypertext Transfer Protocol (HTTP) Status Code Registry" located
501 at has been
502 updated with the registrations below:
504 +-------+-------------------------------+--------------+
505 | Value | Description | Reference |
506 +-------+-------------------------------+--------------+
507 | 401 | Unauthorized | Section 3.1 |
508 | 407 | Proxy Authentication Required | Section 3.2 |
509 +-------+-------------------------------+--------------+
511 5.3. Header Field Registration
513 HTTP header fields are registered within the "Message Headers"
514 registry maintained at .
517 This document defines the following HTTP header fields, so the
518 "Permanent Message Header Field Names" registry has been updated
519 accordingly (see [BCP90]).
521 +---------------------+----------+----------+--------------+
522 | Header Field Name | Protocol | Status | Reference |
523 +---------------------+----------+----------+--------------+
524 | Authorization | http | standard | Section 4.2 |
525 | Proxy-Authenticate | http | standard | Section 4.3 |
526 | Proxy-Authorization | http | standard | Section 4.4 |
527 | WWW-Authenticate | http | standard | Section 4.1 |
528 +---------------------+----------+----------+--------------+
530 The change controller is: "IETF (iesg@ietf.org) - Internet
531 Engineering Task Force".
533 6. Security Considerations
535 This section is meant to inform developers, information providers,
536 and users of known security concerns specific to HTTP authentication.
537 More general security considerations are addressed in HTTP messaging
538 [MESSGNG] and semantics [SEMNTCS].
540 Everything about the topic of HTTP authentication is a security
541 consideration, so the list of considerations below is not exhaustive.
542 Furthermore, it is limited to security considerations regarding the
543 authentication framework, in general, rather than discussing all of
544 the potential considerations for specific authentication schemes
545 (which ought to be documented in the specifications that define those
546 schemes). Various organizations maintain topical information and
547 links to current research on Web application security (e.g.,
548 [OWASP]), including common pitfalls for implementing and using the
549 authentication schemes found in practice.
551 6.1. Confidentiality of Credentials
553 The HTTP authentication framework does not define a single mechanism
554 for maintaining the confidentiality of credentials; instead, each
555 authentication scheme defines how the credentials are encoded prior
556 to transmission. While this provides flexibility for the development
557 of future authentication schemes, it is inadequate for the protection
558 of existing schemes that provide no confidentiality on their own, or
559 that do not sufficiently protect against replay attacks.
560 Furthermore, if the server expects credentials that are specific to
561 each individual user, the exchange of those credentials will have the
562 effect of identifying that user even if the content within
563 credentials remains confidential.
565 HTTP depends on the security properties of the underlying transport-
566 or session-level connection to provide confidential transmission of
567 header fields. In other words, if a server limits access to
568 authenticated users using this framework, the server needs to ensure
569 that the connection is properly secured in accordance with the nature
570 of the authentication scheme used. For example, services that depend
571 on individual user authentication often require a connection to be
572 secured with TLS ("Transport Layer Security", [RFC5246]) prior to
573 exchanging any credentials.
575 6.2. Authentication Credentials and Idle Clients
577 Existing HTTP clients and user agents typically retain authentication
578 information indefinitely. HTTP does not provide a mechanism for the
579 origin server to direct clients to discard these cached credentials,
580 since the protocol has no awareness of how credentials are obtained
581 or managed by the user agent. The mechanisms for expiring or
582 revoking credentials can be specified as part of an authentication
583 scheme definition.
585 Circumstances under which credential caching can interfere with the
586 application's security model include but are not limited to:
588 o Clients that have been idle for an extended period, following
589 which the server might wish to cause the client to re-prompt the
590 user for credentials.
592 o Applications that include a session termination indication (such
593 as a "logout" or "commit" button on a page) after which the server
594 side of the application "knows" that there is no further reason
595 for the client to retain the credentials.
597 User agents that cache credentials are encouraged to provide a
598 readily accessible mechanism for discarding cached credentials under
599 user control.
601 6.3. Protection Spaces
603 Authentication schemes that solely rely on the "realm" mechanism for
604 establishing a protection space will expose credentials to all
605 resources on an origin server. Clients that have successfully made
606 authenticated requests with a resource can use the same
607 authentication credentials for other resources on the same origin
608 server. This makes it possible for a different resource to harvest
609 authentication credentials for other resources.
611 This is of particular concern when an origin server hosts resources
612 for multiple parties under the same canonical root URI (Section 2.2).
613 Possible mitigation strategies include restricting direct access to
614 authentication credentials (i.e., not making the content of the
615 Authorization request header field available), and separating
616 protection spaces by using a different host name (or port number) for
617 each party.
619 7. References
621 7.1. Normative References
623 [CACHING] Fielding, R., Ed., Nottingham, M., Ed., and J. Reschke,
624 Ed., "Hypertext Transfer Protocol (HTTP): Caching", draft-
625 ietf-httpbis-cache-00 (work in progress), April 2018.
627 [MESSGNG] Fielding, R., Ed., Nottingham, M., Ed., and J. Reschke,
628 Ed., "Hypertext Transfer Protocol (HTTP/1.1): Message
629 Syntax and Routing", draft-ietf-httpbis-messaging-00 (work
630 in progress), April 2018.
632 [RFC2119] Bradner, S., "Key words for use in RFCs to Indicate
633 Requirement Levels", BCP 14, RFC 2119,
634 DOI 10.17487/RFC2119, March 1997,
635 .
637 [RFC5234] Crocker, D., Ed. and P. Overell, "Augmented BNF for Syntax
638 Specifications: ABNF", STD 68, RFC 5234,
639 DOI 10.17487/RFC5234, January 2008,
640 .
642 [SEMNTCS] Fielding, R., Ed., Nottingham, M., Ed., and J. Reschke,
643 Ed., "Hypertext Transfer Protocol (HTTP): Semantics and
644 Content", draft-ietf-httpbis-semantics-00 (work in
645 progress), April 2018.
647 7.2. Informative References
649 [BCP90] Klyne, G., Nottingham, M., and J. Mogul, "Registration
650 Procedures for Message Header Fields", BCP 90, RFC 3864,
651 September 2004, .
653 [OWASP] van der Stock, A., Ed., "A Guide to Building Secure Web
654 Applications and Web Services", The Open Web Application
655 Security Project (OWASP) 2.0.1, July 2005,
656 .
658 [RFC2617] Franks, J., Hallam-Baker, P., Hostetler, J., Lawrence, S.,
659 Leach, P., Luotonen, A., and L. Stewart, "HTTP
660 Authentication: Basic and Digest Access Authentication",
661 RFC 2617, DOI 10.17487/RFC2617, June 1999,
662 .
664 [RFC3986] Berners-Lee, T., Fielding, R., and L. Masinter, "Uniform
665 Resource Identifier (URI): Generic Syntax", STD 66,
666 RFC 3986, DOI 10.17487/RFC3986, January 2005,
667 .
669 [RFC4648] Josefsson, S., "The Base16, Base32, and Base64 Data
670 Encodings", RFC 4648, DOI 10.17487/RFC4648, October 2006,
671 .
673 [RFC5226] Narten, T. and H. Alvestrand, "Guidelines for Writing an
674 IANA Considerations Section in RFCs", BCP 26, RFC 5226,
675 DOI 10.17487/RFC5226, May 2008,
676 .
678 [RFC5246] Dierks, T. and E. Rescorla, "The Transport Layer Security
679 (TLS) Protocol Version 1.2", RFC 5246,
680 DOI 10.17487/RFC5246, August 2008,
681 .
683 [RFC7235] Fielding, R., Ed. and J. Reschke, Ed., "Hypertext Transfer
684 Protocol (HTTP/1.1): Authentication", RFC 7235,
685 DOI 10.17487/RFC7235, June 2014,
686 .
688 Appendix A. Changes from RFC 7235
690 None yet.
692 Appendix B. Imported ABNF
694 The following core rules are included by reference, as defined in
695 Appendix B.1 of [RFC5234]: ALPHA (letters), CR (carriage return),
696 CRLF (CR LF), CTL (controls), DIGIT (decimal 0-9), DQUOTE (double
697 quote), HEXDIG (hexadecimal 0-9/A-F/a-f), LF (line feed), OCTET (any
698 8-bit sequence of data), SP (space), and VCHAR (any visible US-ASCII
699 character).
701 The rules below are defined in [MESSGNG]:
703 BWS =
704 OWS =
705 quoted-string =
706 token =
708 Appendix C. Collected ABNF
710 In the collected ABNF below, list rules are expanded as per
711 Section 1.2 of [MESSGNG].
713 Authorization = credentials
715 BWS =
717 OWS =
719 Proxy-Authenticate = *( "," OWS ) challenge *( OWS "," [ OWS
720 challenge ] )
721 Proxy-Authorization = credentials
723 WWW-Authenticate = *( "," OWS ) challenge *( OWS "," [ OWS challenge
724 ] )
726 auth-param = token BWS "=" BWS ( token / quoted-string )
727 auth-scheme = token
729 challenge = auth-scheme [ 1*SP ( token68 / [ ( "," / auth-param ) *(
730 OWS "," [ OWS auth-param ] ) ] ) ]
731 credentials = auth-scheme [ 1*SP ( token68 / [ ( "," / auth-param )
732 *( OWS "," [ OWS auth-param ] ) ] ) ]
734 quoted-string =
736 token =
737 token68 = 1*( ALPHA / DIGIT / "-" / "." / "_" / "~" / "+" / "/" )
738 *"="
740 Appendix D. Change Log
742 This section is to be removed before publishing as an RFC.
744 D.1. Since RFC 7235
746 The changes in this draft are purely editorial:
748 o Change boilerplate and abstract to indicate the "draft" status,
749 and update references to ancestor specifications.
751 o Remove version "1.1" from document title, indicating that this
752 specification applies to all HTTP versions.
754 o Adjust historical notes.
756 o Update links to sibling specifications.
758 o Replace sections listing changes from RFC 2617 by new empty
759 sections referring to RFC 723x.
761 o Remove acknowledgements specific to RFC 723x.
763 o Move "Acknowledgements" to the very end and make them unnumbered.
765 Index
767 4
768 401 Unauthorized (status code) 7
769 407 Proxy Authentication Required (status code) 7
771 A
772 Authorization header field 8
774 C
775 Canonical Root URI 6
777 G
778 Grammar
779 auth-param 4
780 auth-scheme 4
781 Authorization 8
782 challenge 5
783 credentials 5
784 Proxy-Authenticate 9
785 Proxy-Authorization 9
786 token68 4
787 WWW-Authenticate 7
789 P
790 Protection Space 6
791 Proxy-Authenticate header field 9
792 Proxy-Authorization header field 9
794 R
795 Realm 6
797 W
798 WWW-Authenticate header field 7
800 Acknowledgments
802 The previous specification took over the definition of the HTTP
803 Authentication Framework, previously defined in RFC 2617. We thank
804 John Franks, Phillip M. Hallam-Baker, Jeffery L. Hostetler, Scott
805 D. Lawrence, Paul J. Leach, Ari Luotonen, and Lawrence C. Stewart
806 for their work on that specification. See Section 6 of [RFC2617] for
807 further acknowledgements.
809 See Appendix "Acknowledgments" of [MESSGNG] for the Acknowledgments
810 related to this document revision.
812 Authors' Addresses
814 Roy T. Fielding (editor)
815 Adobe
816 345 Park Ave
817 San Jose, CA 95110
818 USA
820 EMail: fielding@gbiv.com
821 URI: http://roy.gbiv.com/
823 Mark Nottingham (editor)
824 Fastly
826 EMail: mnot@mnot.net
827 URI: https://www.mnot.net/
829 Julian F. Reschke (editor)
830 greenbytes GmbH
831 Hafenweg 16
832 Muenster, NW 48155
833 Germany
835 EMail: julian.reschke@greenbytes.de
836 URI: http://greenbytes.de/tech/webdav/