idnits 2.17.1 draft-ietf-httpbis-p7-auth-13.txt: Checking boilerplate required by RFC 5378 and the IETF Trust (see https://trustee.ietf.org/license-info): ---------------------------------------------------------------------------- No issues found here. Checking nits according to https://www.ietf.org/id-info/1id-guidelines.txt: ---------------------------------------------------------------------------- No issues found here. Checking nits according to https://www.ietf.org/id-info/checklist : ---------------------------------------------------------------------------- -- The draft header indicates that this document updates RFC2617, but the abstract doesn't seem to mention this, which it should. Miscellaneous warnings: ---------------------------------------------------------------------------- == The copyright year in the IETF Trust and authors Copyright Line does not match the current year (Using the creation date from RFC2617, updated by this document, for RFC5378 checks: 1997-12-01) -- The document seems to contain a disclaimer for pre-RFC5378 work, and may have content which was first submitted before 10 November 2008. The disclaimer is necessary when there are original authors that you have been unable to contact, or if some do not wish to grant the BCP78 rights to the IETF Trust. If you are able to get all authors (current and original) to grant those rights, you can and should remove the disclaimer; otherwise, the disclaimer is needed and you can ignore this comment. (See the Legal Provisions document at https://trustee.ietf.org/license-info for more information.) -- The document date (March 14, 2011) is 4791 days in the past. Is this intentional? Checking references for intended status: Proposed Standard ---------------------------------------------------------------------------- (See RFCs 3967 and 4897 for information about using normative references to lower-maturity documents in RFCs) == Outdated reference: A later version (-26) exists of draft-ietf-httpbis-p1-messaging-13 == Outdated reference: A later version (-26) exists of draft-ietf-httpbis-p6-cache-13 -- Obsolete informational reference (is this intentional?): RFC 2616 (Obsoleted by RFC 7230, RFC 7231, RFC 7232, RFC 7233, RFC 7234, RFC 7235) -- Obsolete informational reference (is this intentional?): RFC 2617 (Obsoleted by RFC 7235, RFC 7615, RFC 7616, RFC 7617) -- Obsolete informational reference (is this intentional?): RFC 5226 (Obsoleted by RFC 8126) Summary: 0 errors (**), 0 flaws (~~), 3 warnings (==), 6 comments (--). Run idnits with the --verbose option for more detailed information about the items above. -------------------------------------------------------------------------------- 2 HTTPbis Working Group R. Fielding, Ed. 3 Internet-Draft Adobe 4 Obsoletes: 2616 (if approved) J. Gettys 5 Updates: 2617 (if approved) Alcatel-Lucent 6 Intended status: Standards Track J. Mogul 7 Expires: September 15, 2011 HP 8 H. Frystyk 9 Microsoft 10 L. Masinter 11 Adobe 12 P. Leach 13 Microsoft 14 T. Berners-Lee 15 W3C/MIT 16 Y. Lafon, Ed. 17 W3C 18 J. Reschke, Ed. 19 greenbytes 20 March 14, 2011 22 HTTP/1.1, part 7: Authentication 23 draft-ietf-httpbis-p7-auth-13 25 Abstract 27 The Hypertext Transfer Protocol (HTTP) is an application-level 28 protocol for distributed, collaborative, hypermedia information 29 systems. HTTP has been in use by the World Wide Web global 30 information initiative since 1990. This document is Part 7 of the 31 seven-part specification that defines the protocol referred to as 32 "HTTP/1.1" and, taken together, obsoletes RFC 2616. Part 7 defines 33 HTTP Authentication. 35 Editorial Note (To be removed by RFC Editor) 37 Discussion of this draft should take place on the HTTPBIS working 38 group mailing list (ietf-http-wg@w3.org). The current issues list is 39 at and related 40 documents (including fancy diffs) can be found at 41 . 43 The changes in this draft are summarized in Appendix B.14. 45 Status of This Memo 47 This Internet-Draft is submitted in full conformance with the 48 provisions of BCP 78 and BCP 79. 50 Internet-Drafts are working documents of the Internet Engineering 51 Task Force (IETF). Note that other groups may also distribute 52 working documents as Internet-Drafts. The list of current Internet- 53 Drafts is at http://datatracker.ietf.org/drafts/current/. 55 Internet-Drafts are draft documents valid for a maximum of six months 56 and may be updated, replaced, or obsoleted by other documents at any 57 time. It is inappropriate to use Internet-Drafts as reference 58 material or to cite them other than as "work in progress." 60 This Internet-Draft will expire on September 15, 2011. 62 Copyright Notice 64 Copyright (c) 2011 IETF Trust and the persons identified as the 65 document authors. All rights reserved. 67 This document is subject to BCP 78 and the IETF Trust's Legal 68 Provisions Relating to IETF Documents 69 (http://trustee.ietf.org/license-info) in effect on the date of 70 publication of this document. Please review these documents 71 carefully, as they describe your rights and restrictions with respect 72 to this document. Code Components extracted from this document must 73 include Simplified BSD License text as described in Section 4.e of 74 the Trust Legal Provisions and are provided without warranty as 75 described in the Simplified BSD License. 77 This document may contain material from IETF Documents or IETF 78 Contributions published or made publicly available before November 79 10, 2008. The person(s) controlling the copyright in some of this 80 material may not have granted the IETF Trust the right to allow 81 modifications of such material outside the IETF Standards Process. 82 Without obtaining an adequate license from the person(s) controlling 83 the copyright in such materials, this document may not be modified 84 outside the IETF Standards Process, and derivative works of it may 85 not be created outside the IETF Standards Process, except to format 86 it for publication as an RFC or to translate it into languages other 87 than English. 89 Table of Contents 91 1. Introduction . . . . . . . . . . . . . . . . . . . . . . . . . 4 92 1.1. Requirements . . . . . . . . . . . . . . . . . . . . . . . 4 93 1.2. Syntax Notation . . . . . . . . . . . . . . . . . . . . . 4 94 1.2.1. Core Rules . . . . . . . . . . . . . . . . . . . . . . 4 95 2. Access Authentication Framework . . . . . . . . . . . . . . . 5 96 2.1. Authentication Scheme Registry . . . . . . . . . . . . . . 7 97 3. Status Code Definitions . . . . . . . . . . . . . . . . . . . 7 98 3.1. 401 Unauthorized . . . . . . . . . . . . . . . . . . . . . 7 99 3.2. 407 Proxy Authentication Required . . . . . . . . . . . . 7 100 4. Header Field Definitions . . . . . . . . . . . . . . . . . . . 8 101 4.1. Authorization . . . . . . . . . . . . . . . . . . . . . . 8 102 4.2. Proxy-Authenticate . . . . . . . . . . . . . . . . . . . . 9 103 4.3. Proxy-Authorization . . . . . . . . . . . . . . . . . . . 9 104 4.4. WWW-Authenticate . . . . . . . . . . . . . . . . . . . . . 9 105 5. IANA Considerations . . . . . . . . . . . . . . . . . . . . . 10 106 5.1. Authenticaton Scheme Registry . . . . . . . . . . . . . . 10 107 5.2. Status Code Registration . . . . . . . . . . . . . . . . . 10 108 5.3. Header Field Registration . . . . . . . . . . . . . . . . 10 109 6. Security Considerations . . . . . . . . . . . . . . . . . . . 11 110 6.1. Authentication Credentials and Idle Clients . . . . . . . 11 111 7. Acknowledgments . . . . . . . . . . . . . . . . . . . . . . . 11 112 8. References . . . . . . . . . . . . . . . . . . . . . . . . . . 12 113 8.1. Normative References . . . . . . . . . . . . . . . . . . . 12 114 8.2. Informative References . . . . . . . . . . . . . . . . . . 12 115 Appendix A. Collected ABNF . . . . . . . . . . . . . . . . . . . 13 116 Appendix B. Change Log (to be removed by RFC Editor before 117 publication) . . . . . . . . . . . . . . . . . . . . 13 118 B.1. Since RFC 2616 . . . . . . . . . . . . . . . . . . . . . . 13 119 B.2. Since draft-ietf-httpbis-p7-auth-00 . . . . . . . . . . . 14 120 B.3. Since draft-ietf-httpbis-p7-auth-01 . . . . . . . . . . . 14 121 B.4. Since draft-ietf-httpbis-p7-auth-02 . . . . . . . . . . . 14 122 B.5. Since draft-ietf-httpbis-p7-auth-03 . . . . . . . . . . . 14 123 B.6. Since draft-ietf-httpbis-p7-auth-04 . . . . . . . . . . . 14 124 B.7. Since draft-ietf-httpbis-p7-auth-05 . . . . . . . . . . . 14 125 B.8. Since draft-ietf-httpbis-p7-auth-06 . . . . . . . . . . . 15 126 B.9. Since draft-ietf-httpbis-p7-auth-07 . . . . . . . . . . . 15 127 B.10. Since draft-ietf-httpbis-p7-auth-08 . . . . . . . . . . . 15 128 B.11. Since draft-ietf-httpbis-p7-auth-09 . . . . . . . . . . . 15 129 B.12. Since draft-ietf-httpbis-p7-auth-10 . . . . . . . . . . . 15 130 B.13. Since draft-ietf-httpbis-p7-auth-11 . . . . . . . . . . . 15 131 B.14. Since draft-ietf-httpbis-p7-auth-12 . . . . . . . . . . . 16 132 Index . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 16 134 1. Introduction 136 This document defines HTTP/1.1 access control and authentication. It 137 includes the relevant parts of RFC 2616 with only minor changes, plus 138 the general framework for HTTP authentication, as previously defined 139 in "HTTP Authentication: Basic and Digest Access Authentication" 140 ([RFC2617]). 142 HTTP provides several OPTIONAL challenge-response authentication 143 mechanisms which can be used by a server to challenge a client 144 request and by a client to provide authentication information. The 145 "basic" and "digest" authentication schemes continue to be specified 146 in RFC 2617. 148 1.1. Requirements 150 The key words "MUST", "MUST NOT", "REQUIRED", "SHALL", "SHALL NOT", 151 "SHOULD", "SHOULD NOT", "RECOMMENDED", "MAY", and "OPTIONAL" in this 152 document are to be interpreted as described in [RFC2119]. 154 An implementation is not compliant if it fails to satisfy one or more 155 of the "MUST" or "REQUIRED" level requirements for the protocols it 156 implements. An implementation that satisfies all the "MUST" or 157 "REQUIRED" level and all the "SHOULD" level requirements for its 158 protocols is said to be "unconditionally compliant"; one that 159 satisfies all the "MUST" level requirements but not all the "SHOULD" 160 level requirements for its protocols is said to be "conditionally 161 compliant". 163 1.2. Syntax Notation 165 This specification uses the ABNF syntax defined in Section 1.2 of 166 [Part1] (which extends the syntax defined in [RFC5234] with a list 167 rule). Appendix A shows the collected ABNF, with the list rule 168 expanded. 170 The following core rules are included by reference, as defined in 171 [RFC5234], Appendix B.1: ALPHA (letters), CR (carriage return), CRLF 172 (CR LF), CTL (controls), DIGIT (decimal 0-9), DQUOTE (double quote), 173 HEXDIG (hexadecimal 0-9/A-F/a-f), LF (line feed), OCTET (any 8-bit 174 sequence of data), SP (space), VCHAR (any visible USASCII character), 175 and WSP (whitespace). 177 1.2.1. Core Rules 179 The core rules below are defined in Section 1.2.2 of [Part1]: 181 quoted-string = 182 token = 183 OWS = 185 2. Access Authentication Framework 187 HTTP provides a simple challenge-response authentication mechanism 188 that can be used by a server to challenge a client request and by a 189 client to provide authentication information. It uses an extensible, 190 case-insensitive token to identify the authentication scheme, 191 followed by a comma-separated list of attribute-value pairs which 192 carry the parameters necessary for achieving authentication via that 193 scheme. 195 auth-scheme = token 196 auth-param = token "=" ( token / quoted-string ) 198 The 401 (Unauthorized) response message is used by an origin server 199 to challenge the authorization of a user agent. This response MUST 200 include a WWW-Authenticate header field containing at least one 201 challenge applicable to the requested resource. The 407 (Proxy 202 Authentication Required) response message is used by a proxy to 203 challenge the authorization of a client and MUST include a Proxy- 204 Authenticate header field containing at least one challenge 205 applicable to the proxy for the requested resource. 207 challenge = auth-scheme 1*SP 1#auth-param 209 Note: User agents will need to take special care in parsing the 210 WWW-Authenticate or Proxy-Authenticate header field value if it 211 contains more than one challenge, or if more than one WWW- 212 Authenticate header field is provided, since the contents of a 213 challenge can itself contain a comma-separated list of 214 authentication parameters. 216 Note: Many browsers fail to parse challenges containing unknown 217 schemes. A workaround for this problem is to list well-supported 218 schemes (such as "basic") first. 220 The authentication parameter realm is defined for all authentication 221 schemes: 223 realm = "realm" "=" realm-value 224 realm-value = quoted-string 226 The realm directive (case-insensitive) is required for all 227 authentication schemes that issue a challenge. The realm value 228 (case-sensitive), in combination with the canonical root URI (the 229 scheme and authority components of the effective request URI; see 230 Section 4.3 of [Part1]) of the server being accessed, defines the 231 protection space. These realms allow the protected resources on a 232 server to be partitioned into a set of protection spaces, each with 233 its own authentication scheme and/or authorization database. The 234 realm value is a string, generally assigned by the origin server, 235 which can have additional semantics specific to the authentication 236 scheme. Note that there can be multiple challenges with the same 237 auth-scheme but different realms. 239 A user agent that wishes to authenticate itself with an origin server 240 -- usually, but not necessarily, after receiving a 401 (Unauthorized) 241 -- MAY do so by including an Authorization header field with the 242 request. A client that wishes to authenticate itself with a proxy -- 243 usually, but not necessarily, after receiving a 407 (Proxy 244 Authentication Required) -- MAY do so by including a Proxy- 245 Authorization header field with the request. Both the Authorization 246 field value and the Proxy-Authorization field value consist of 247 credentials containing the authentication information of the client 248 for the realm of the resource being requested. The user agent MUST 249 choose to use one of the challenges with the strongest auth-scheme it 250 understands and request credentials from the user based upon that 251 challenge. 253 credentials = auth-scheme ( token 254 / quoted-string 255 / #auth-param ) 257 The protection space determines the domain over which credentials can 258 be automatically applied. If a prior request has been authorized, 259 the same credentials MAY be reused for all other requests within that 260 protection space for a period of time determined by the 261 authentication scheme, parameters, and/or user preference. Unless 262 otherwise defined by the authentication scheme, a single protection 263 space cannot extend outside the scope of its server. 265 If the origin server does not wish to accept the credentials sent 266 with a request, it SHOULD return a 401 (Unauthorized) response. The 267 response MUST include a WWW-Authenticate header field containing at 268 least one (possibly new) challenge applicable to the requested 269 resource. If a proxy does not accept the credentials sent with a 270 request, it SHOULD return a 407 (Proxy Authentication Required). The 271 response MUST include a Proxy-Authenticate header field containing a 272 (possibly new) challenge applicable to the proxy for the requested 273 resource. 275 The HTTP protocol does not restrict applications to this simple 276 challenge-response mechanism for access authentication. Additional 277 mechanisms MAY be used, such as encryption at the transport level or 278 via message encapsulation, and with additional header fields 279 specifying authentication information. However, such additional 280 mechanisms are not defined by this specification. 282 Proxies MUST forward the WWW-Authenticate and Authorization headers 283 unmodified and follow the rules found in Section 4.1. 285 2.1. Authentication Scheme Registry 287 The HTTP Authentication Scheme Registry defines the name space for 288 the authentication schemes in challenges and credentials. 290 Registrations MUST include the following fields: 292 o Authentication Scheme Name 294 o Pointer to specification text 296 Values to be added to this name space are subject to IETF review 297 ([RFC5226], Section 4.1). 299 The registry itself is maintained at 300 . 302 3. Status Code Definitions 304 3.1. 401 Unauthorized 306 The request requires user authentication. The response MUST include 307 a WWW-Authenticate header field (Section 4.4) containing a challenge 308 applicable to the target resource. The client MAY repeat the request 309 with a suitable Authorization header field (Section 4.1). If the 310 request already included Authorization credentials, then the 401 311 response indicates that authorization has been refused for those 312 credentials. If the 401 response contains the same challenge as the 313 prior response, and the user agent has already attempted 314 authentication at least once, then the user SHOULD be presented the 315 representation that was given in the response, since that 316 representation might include relevant diagnostic information. 318 3.2. 407 Proxy Authentication Required 320 This code is similar to 401 (Unauthorized), but indicates that the 321 client ought to first authenticate itself with the proxy. The proxy 322 MUST return a Proxy-Authenticate header field (Section 4.2) 323 containing a challenge applicable to the proxy for the target 324 resource. The client MAY repeat the request with a suitable Proxy- 325 Authorization header field (Section 4.3). 327 4. Header Field Definitions 329 This section defines the syntax and semantics of HTTP/1.1 header 330 fields related to authentication. 332 4.1. Authorization 334 The "Authorization" header field allows a user agent to authenticate 335 itself with a server -- usually, but not necessarily, after receiving 336 a 401 (Unauthorized) response. Its value consists of credentials 337 containing information of the user agent for the realm of the 338 resource being requested. 340 Authorization = "Authorization" ":" OWS Authorization-v 341 Authorization-v = credentials 343 If a request is authenticated and a realm specified, the same 344 credentials SHOULD be valid for all other requests within this realm 345 (assuming that the authentication scheme itself does not require 346 otherwise, such as credentials that vary according to a challenge 347 value or using synchronized clocks). 349 When a shared cache (see Section 1.2 of [Part6]) receives a request 350 containing an Authorization field, it MUST NOT return the 351 corresponding response as a reply to any other request, unless one of 352 the following specific exceptions holds: 354 1. If the response includes the "s-maxage" cache-control directive, 355 the cache MAY use that response in replying to a subsequent 356 request. But (if the specified maximum age has passed) a proxy 357 cache MUST first revalidate it with the origin server, using the 358 header fields from the new request to allow the origin server to 359 authenticate the new request. (This is the defined behavior for 360 s-maxage.) If the response includes "s-maxage=0", the proxy MUST 361 always revalidate it before re-using it. 363 2. If the response includes the "must-revalidate" cache-control 364 directive, the cache MAY use that response in replying to a 365 subsequent request. But if the response is stale, all caches 366 MUST first revalidate it with the origin server, using the header 367 fields from the new request to allow the origin server to 368 authenticate the new request. 370 3. If the response includes the "public" cache-control directive, it 371 MAY be returned in reply to any subsequent request. 373 4.2. Proxy-Authenticate 375 The "Proxy-Authenticate" header field consists of a challenge that 376 indicates the authentication scheme and parameters applicable to the 377 proxy for this effective request URI (Section 4.3 of [Part1]). It 378 MUST be included as part of a 407 (Proxy Authentication Required) 379 response. 381 Proxy-Authenticate = "Proxy-Authenticate" ":" OWS 382 Proxy-Authenticate-v 383 Proxy-Authenticate-v = 1#challenge 385 Unlike WWW-Authenticate, the Proxy-Authenticate header field applies 386 only to the current connection and SHOULD NOT be passed on to 387 downstream clients. However, an intermediate proxy might need to 388 obtain its own credentials by requesting them from the downstream 389 client, which in some circumstances will appear as if the proxy is 390 forwarding the Proxy-Authenticate header field. 392 4.3. Proxy-Authorization 394 The "Proxy-Authorization" header field allows the client to identify 395 itself (or its user) to a proxy which requires authentication. Its 396 value consists of credentials containing the authentication 397 information of the user agent for the proxy and/or realm of the 398 resource being requested. 400 Proxy-Authorization = "Proxy-Authorization" ":" OWS 401 Proxy-Authorization-v 402 Proxy-Authorization-v = credentials 404 Unlike Authorization, the Proxy-Authorization header field applies 405 only to the next outbound proxy that demanded authentication using 406 the Proxy-Authenticate field. When multiple proxies are used in a 407 chain, the Proxy-Authorization header field is consumed by the first 408 outbound proxy that was expecting to receive credentials. A proxy 409 MAY relay the credentials from the client request to the next proxy 410 if that is the mechanism by which the proxies cooperatively 411 authenticate a given request. 413 4.4. WWW-Authenticate 415 The "WWW-Authenticate" header field consists of at least one 416 challenge that indicates the authentication scheme(s) and parameters 417 applicable to the effective request URI (Section 4.3 of [Part1]). It 418 MUST be included in 401 (Unauthorized) response messages. 420 WWW-Authenticate = "WWW-Authenticate" ":" OWS WWW-Authenticate-v 421 WWW-Authenticate-v = 1#challenge 423 User agents are advised to take special care in parsing the WWW- 424 Authenticate field value as it might contain more than one challenge, 425 or if more than one WWW-Authenticate header field is provided, the 426 contents of a challenge itself can contain a comma-separated list of 427 authentication parameters. 429 5. IANA Considerations 431 5.1. Authenticaton Scheme Registry 433 The registration procedure for HTTP Authentication Schemes is defined 434 by Section 2.1 of this document. 436 The HTTP Method Authentication Scheme shall be created at 437 . 439 5.2. Status Code Registration 441 The HTTP Status Code Registry located at 442 shall be updated 443 with the registrations below: 445 +-------+-------------------------------+-------------+ 446 | Value | Description | Reference | 447 +-------+-------------------------------+-------------+ 448 | 401 | Unauthorized | Section 3.1 | 449 | 407 | Proxy Authentication Required | Section 3.2 | 450 +-------+-------------------------------+-------------+ 452 5.3. Header Field Registration 454 The Message Header Field Registry located at shall be 456 updated with the permanent registrations below (see [RFC3864]): 458 +---------------------+----------+----------+-------------+ 459 | Header Field Name | Protocol | Status | Reference | 460 +---------------------+----------+----------+-------------+ 461 | Authorization | http | standard | Section 4.1 | 462 | Proxy-Authenticate | http | standard | Section 4.2 | 463 | Proxy-Authorization | http | standard | Section 4.3 | 464 | WWW-Authenticate | http | standard | Section 4.4 | 465 +---------------------+----------+----------+-------------+ 467 The change controller is: "IETF (iesg@ietf.org) - Internet 468 Engineering Task Force". 470 6. Security Considerations 472 This section is meant to inform application developers, information 473 providers, and users of the security limitations in HTTP/1.1 as 474 described by this document. The discussion does not include 475 definitive solutions to the problems revealed, though it does make 476 some suggestions for reducing security risks. 478 6.1. Authentication Credentials and Idle Clients 480 Existing HTTP clients and user agents typically retain authentication 481 information indefinitely. HTTP/1.1 does not provide a method for a 482 server to direct clients to discard these cached credentials. This 483 is a significant defect that requires further extensions to HTTP. 484 Circumstances under which credential caching can interfere with the 485 application's security model include but are not limited to: 487 o Clients which have been idle for an extended period following 488 which the server might wish to cause the client to reprompt the 489 user for credentials. 491 o Applications which include a session termination indication (such 492 as a "logout" or "commit" button on a page) after which the server 493 side of the application "knows" that there is no further reason 494 for the client to retain the credentials. 496 This is currently under separate study. There are a number of work- 497 arounds to parts of this problem, and we encourage the use of 498 password protection in screen savers, idle time-outs, and other 499 methods which mitigate the security problems inherent in this 500 problem. In particular, user agents which cache credentials are 501 encouraged to provide a readily accessible mechanism for discarding 502 cached credentials under user control. 504 7. Acknowledgments 506 This specification takes over the definition of the HTTP 507 Authentication Framework, previously defined in RFC 2617. We thank 508 to John Franks, Phillip M. Hallam-Baker, Jeffery L. Hostetler, Scott 509 D. Lawrence, Paul J. Leach, Ari Luotonen, and Lawrence C. Stewart for 510 their work on that specification. 512 [[acks: HTTPbis acknowledgements.]] 514 8. References 515 8.1. Normative References 517 [Part1] Fielding, R., Ed., Gettys, J., Mogul, J., Frystyk, H., 518 Masinter, L., Leach, P., Berners-Lee, T., Lafon, Y., Ed., 519 and J. Reschke, Ed., "HTTP/1.1, part 1: URIs, Connections, 520 and Message Parsing", draft-ietf-httpbis-p1-messaging-13 521 (work in progress), March 2011. 523 [Part6] Fielding, R., Ed., Gettys, J., Mogul, J., Frystyk, H., 524 Masinter, L., Leach, P., Berners-Lee, T., Lafon, Y., Ed., 525 Nottingham, M., Ed., and J. Reschke, Ed., "HTTP/1.1, part 526 6: Caching", draft-ietf-httpbis-p6-cache-13 (work in 527 progress), March 2011. 529 [RFC2119] Bradner, S., "Key words for use in RFCs to Indicate 530 Requirement Levels", BCP 14, RFC 2119, March 1997. 532 [RFC5234] Crocker, D., Ed. and P. Overell, "Augmented BNF for Syntax 533 Specifications: ABNF", STD 68, RFC 5234, January 2008. 535 8.2. Informative References 537 [RFC2616] Fielding, R., Gettys, J., Mogul, J., Frystyk, H., 538 Masinter, L., Leach, P., and T. Berners-Lee, "Hypertext 539 Transfer Protocol -- HTTP/1.1", RFC 2616, June 1999. 541 [RFC2617] Franks, J., Hallam-Baker, P., Hostetler, J., Lawrence, S., 542 Leach, P., Luotonen, A., and L. Stewart, "HTTP 543 Authentication: Basic and Digest Access Authentication", 544 RFC 2617, June 1999. 546 [RFC3864] Klyne, G., Nottingham, M., and J. Mogul, "Registration 547 Procedures for Message Header Fields", BCP 90, RFC 3864, 548 September 2004. 550 [RFC5226] Narten, T. and H. Alvestrand, "Guidelines for Writing an 551 IANA Considerations Section in RFCs", BCP 26, RFC 5226, 552 May 2008. 554 Appendix A. Collected ABNF 556 Authorization = "Authorization:" OWS Authorization-v 557 Authorization-v = credentials 559 OWS = 561 Proxy-Authenticate = "Proxy-Authenticate:" OWS Proxy-Authenticate-v 562 Proxy-Authenticate-v = *( "," OWS ) challenge *( OWS "," [ OWS 563 challenge ] ) 564 Proxy-Authorization = "Proxy-Authorization:" OWS 565 Proxy-Authorization-v 566 Proxy-Authorization-v = credentials 568 WWW-Authenticate = "WWW-Authenticate:" OWS WWW-Authenticate-v 569 WWW-Authenticate-v = *( "," OWS ) challenge *( OWS "," [ OWS 570 challenge ] ) 572 auth-param = token "=" ( token / quoted-string ) 573 auth-scheme = token 575 challenge = auth-scheme 1*SP *( "," OWS ) auth-param *( OWS "," [ OWS 576 auth-param ] ) 577 credentials = auth-scheme ( token / quoted-string / [ ( "," / 578 auth-param ) *( OWS "," [ OWS auth-param ] ) ] ) 580 quoted-string = 582 realm = "realm=" realm-value 583 realm-value = quoted-string 585 token = 587 ABNF diagnostics: 589 ; Authorization defined but not used 590 ; Proxy-Authenticate defined but not used 591 ; Proxy-Authorization defined but not used 592 ; WWW-Authenticate defined but not used 593 ; realm defined but not used 595 Appendix B. Change Log (to be removed by RFC Editor before publication) 597 B.1. Since RFC 2616 599 Extracted relevant partitions from [RFC2616]. 601 B.2. Since draft-ietf-httpbis-p7-auth-00 603 Closed issues: 605 o : "Normative and 606 Informative references" 608 B.3. Since draft-ietf-httpbis-p7-auth-01 610 Ongoing work on ABNF conversion 611 (): 613 o Explicitly import BNF rules for "challenge" and "credentials" from 614 RFC2617. 616 o Add explicit references to BNF syntax and rules imported from 617 other parts of the specification. 619 B.4. Since draft-ietf-httpbis-p7-auth-02 621 Ongoing work on IANA Message Header Field Registration 622 (): 624 o Reference RFC 3984, and update header field registrations for 625 header fields defined in this document. 627 B.5. Since draft-ietf-httpbis-p7-auth-03 629 B.6. Since draft-ietf-httpbis-p7-auth-04 631 Ongoing work on ABNF conversion 632 (): 634 o Use "/" instead of "|" for alternatives. 636 o Introduce new ABNF rules for "bad" whitespace ("BWS"), optional 637 whitespace ("OWS") and required whitespace ("RWS"). 639 o Rewrite ABNFs to spell out whitespace rules, factor out header 640 field value format definitions. 642 B.7. Since draft-ietf-httpbis-p7-auth-05 644 Final work on ABNF conversion 645 (): 647 o Add appendix containing collected and expanded ABNF, reorganize 648 ABNF introduction. 650 B.8. Since draft-ietf-httpbis-p7-auth-06 652 None. 654 B.9. Since draft-ietf-httpbis-p7-auth-07 656 Closed issues: 658 o : "move IANA 659 registrations for optional status codes" 661 B.10. Since draft-ietf-httpbis-p7-auth-08 663 No significant changes. 665 B.11. Since draft-ietf-httpbis-p7-auth-09 667 Partly resolved issues: 669 o : "Term for the 670 requested resource's URI" 672 B.12. Since draft-ietf-httpbis-p7-auth-10 674 None yet. 676 B.13. Since draft-ietf-httpbis-p7-auth-11 678 Closed issues: 680 o : "introduction 681 to part 7 is work-in-progress" 683 o : "auth-param 684 syntax" 686 o : "Header 687 Classification" 689 o : "absorbing the 690 auth framework from 2617" 692 Partly resolved issues: 694 o : "should we 695 have an auth scheme registry" 697 B.14. Since draft-ietf-httpbis-p7-auth-12 699 None. 701 Index 703 4 704 401 Unauthorized (status code) 7 705 407 Proxy Authentication Required (status code) 7 707 A 708 auth-param 5 709 auth-scheme 5 710 Authorization header field 8 712 C 713 challenge 5 714 credentials 6 716 G 717 Grammar 718 Authorization 8 719 Authorization-v 8 720 Proxy-Authenticate 9 721 Proxy-Authenticate-v 9 722 Proxy-Authorization 9 723 Proxy-Authorization-v 9 724 WWW-Authenticate 9 725 WWW-Authenticate-v 9 727 H 728 Header Fields 729 Authorization 8 730 Proxy-Authenticate 9 731 Proxy-Authorization 9 732 WWW-Authenticate 9 734 P 735 Proxy-Authenticate header field 9 736 Proxy-Authorization header field 9 738 R 739 realm 5 740 realm-value 5 742 S 743 Status Codes 744 401 Unauthorized 7 745 407 Proxy Authentication Required 7 747 W 748 WWW-Authenticate header field 9 750 Authors' Addresses 752 Roy T. Fielding (editor) 753 Adobe Systems Incorporated 754 345 Park Ave 755 San Jose, CA 95110 756 USA 758 EMail: fielding@gbiv.com 759 URI: http://roy.gbiv.com/ 761 Jim Gettys 762 Alcatel-Lucent Bell Labs 763 21 Oak Knoll Road 764 Carlisle, MA 01741 765 USA 767 EMail: jg@freedesktop.org 768 URI: http://gettys.wordpress.com/ 770 Jeffrey C. Mogul 771 Hewlett-Packard Company 772 HP Labs, Large Scale Systems Group 773 1501 Page Mill Road, MS 1177 774 Palo Alto, CA 94304 775 USA 777 EMail: JeffMogul@acm.org 779 Henrik Frystyk Nielsen 780 Microsoft Corporation 781 1 Microsoft Way 782 Redmond, WA 98052 783 USA 785 EMail: henrikn@microsoft.com 786 Larry Masinter 787 Adobe Systems Incorporated 788 345 Park Ave 789 San Jose, CA 95110 790 USA 792 EMail: LMM@acm.org 793 URI: http://larry.masinter.net/ 795 Paul J. Leach 796 Microsoft Corporation 797 1 Microsoft Way 798 Redmond, WA 98052 800 EMail: paulle@microsoft.com 802 Tim Berners-Lee 803 World Wide Web Consortium 804 MIT Computer Science and Artificial Intelligence Laboratory 805 The Stata Center, Building 32 806 32 Vassar Street 807 Cambridge, MA 02139 808 USA 810 EMail: timbl@w3.org 811 URI: http://www.w3.org/People/Berners-Lee/ 813 Yves Lafon (editor) 814 World Wide Web Consortium 815 W3C / ERCIM 816 2004, rte des Lucioles 817 Sophia-Antipolis, AM 06902 818 France 820 EMail: ylafon@w3.org 821 URI: http://www.raubacapeu.net/people/yves/ 822 Julian F. Reschke (editor) 823 greenbytes GmbH 824 Hafenweg 16 825 Muenster, NW 48155 826 Germany 828 Phone: +49 251 2807760 829 Fax: +49 251 2807761 830 EMail: julian.reschke@greenbytes.de 831 URI: http://greenbytes.de/tech/webdav/