idnits 2.17.1
draft-ietf-httpbis-p7-auth-15.txt:
Checking boilerplate required by RFC 5378 and the IETF Trust (see
https://trustee.ietf.org/license-info):
----------------------------------------------------------------------------
No issues found here.
Checking nits according to https://www.ietf.org/id-info/1id-guidelines.txt:
----------------------------------------------------------------------------
No issues found here.
Checking nits according to https://www.ietf.org/id-info/checklist :
----------------------------------------------------------------------------
-- The draft header indicates that this document updates RFC2617, but the
abstract doesn't seem to mention this, which it should.
Miscellaneous warnings:
----------------------------------------------------------------------------
== The copyright year in the IETF Trust and authors Copyright Line does not
match the current year
(Using the creation date from RFC2617, updated by this document, for
RFC5378 checks: 1997-12-01)
-- The document seems to contain a disclaimer for pre-RFC5378 work, and may
have content which was first submitted before 10 November 2008. The
disclaimer is necessary when there are original authors that you have
been unable to contact, or if some do not wish to grant the BCP78 rights
to the IETF Trust. If you are able to get all authors (current and
original) to grant those rights, you can and should remove the
disclaimer; otherwise, the disclaimer is needed and you can ignore this
comment. (See the Legal Provisions document at
https://trustee.ietf.org/license-info for more information.)
-- The document date (July 11, 2011) is 4674 days in the past. Is this
intentional?
Checking references for intended status: Proposed Standard
----------------------------------------------------------------------------
(See RFCs 3967 and 4897 for information about using normative references
to lower-maturity documents in RFCs)
== Outdated reference: A later version (-26) exists of
draft-ietf-httpbis-p1-messaging-15
== Outdated reference: A later version (-26) exists of
draft-ietf-httpbis-p6-cache-15
-- Obsolete informational reference (is this intentional?): RFC 2616
(Obsoleted by RFC 7230, RFC 7231, RFC 7232, RFC 7233, RFC 7234, RFC 7235)
-- Obsolete informational reference (is this intentional?): RFC 2617
(Obsoleted by RFC 7235, RFC 7615, RFC 7616, RFC 7617)
-- Obsolete informational reference (is this intentional?): RFC 5226
(Obsoleted by RFC 8126)
Summary: 0 errors (**), 0 flaws (~~), 3 warnings (==), 6 comments (--).
Run idnits with the --verbose option for more detailed information about
the items above.
--------------------------------------------------------------------------------
2 HTTPbis Working Group R. Fielding, Ed.
3 Internet-Draft Adobe
4 Obsoletes: 2616 (if approved) J. Gettys
5 Updates: 2617 (if approved) Alcatel-Lucent
6 Intended status: Standards Track J. Mogul
7 Expires: January 12, 2012 HP
8 H. Frystyk
9 Microsoft
10 L. Masinter
11 Adobe
12 P. Leach
13 Microsoft
14 T. Berners-Lee
15 W3C/MIT
16 Y. Lafon, Ed.
17 W3C
18 J. Reschke, Ed.
19 greenbytes
20 July 11, 2011
22 HTTP/1.1, part 7: Authentication
23 draft-ietf-httpbis-p7-auth-15
25 Abstract
27 The Hypertext Transfer Protocol (HTTP) is an application-level
28 protocol for distributed, collaborative, hypermedia information
29 systems. HTTP has been in use by the World Wide Web global
30 information initiative since 1990. This document is Part 7 of the
31 seven-part specification that defines the protocol referred to as
32 "HTTP/1.1" and, taken together, obsoletes RFC 2616. Part 7 defines
33 HTTP Authentication.
35 Editorial Note (To be removed by RFC Editor)
37 Discussion of this draft should take place on the HTTPBIS working
38 group mailing list (ietf-http-wg@w3.org), which is archived at
39 .
41 The current issues list is at
42 and related
43 documents (including fancy diffs) can be found at
44 .
46 The changes in this draft are summarized in Appendix C.16.
48 Status of This Memo
49 This Internet-Draft is submitted in full conformance with the
50 provisions of BCP 78 and BCP 79.
52 Internet-Drafts are working documents of the Internet Engineering
53 Task Force (IETF). Note that other groups may also distribute
54 working documents as Internet-Drafts. The list of current Internet-
55 Drafts is at http://datatracker.ietf.org/drafts/current/.
57 Internet-Drafts are draft documents valid for a maximum of six months
58 and may be updated, replaced, or obsoleted by other documents at any
59 time. It is inappropriate to use Internet-Drafts as reference
60 material or to cite them other than as "work in progress."
62 This Internet-Draft will expire on January 12, 2012.
64 Copyright Notice
66 Copyright (c) 2011 IETF Trust and the persons identified as the
67 document authors. All rights reserved.
69 This document is subject to BCP 78 and the IETF Trust's Legal
70 Provisions Relating to IETF Documents
71 (http://trustee.ietf.org/license-info) in effect on the date of
72 publication of this document. Please review these documents
73 carefully, as they describe your rights and restrictions with respect
74 to this document. Code Components extracted from this document must
75 include Simplified BSD License text as described in Section 4.e of
76 the Trust Legal Provisions and are provided without warranty as
77 described in the Simplified BSD License.
79 This document may contain material from IETF Documents or IETF
80 Contributions published or made publicly available before November
81 10, 2008. The person(s) controlling the copyright in some of this
82 material may not have granted the IETF Trust the right to allow
83 modifications of such material outside the IETF Standards Process.
84 Without obtaining an adequate license from the person(s) controlling
85 the copyright in such materials, this document may not be modified
86 outside the IETF Standards Process, and derivative works of it may
87 not be created outside the IETF Standards Process, except to format
88 it for publication as an RFC or to translate it into languages other
89 than English.
91 Table of Contents
93 1. Introduction . . . . . . . . . . . . . . . . . . . . . . . . . 4
94 1.1. Requirements . . . . . . . . . . . . . . . . . . . . . . . 4
95 1.2. Syntax Notation . . . . . . . . . . . . . . . . . . . . . 4
96 1.2.1. Core Rules . . . . . . . . . . . . . . . . . . . . . . 4
97 2. Access Authentication Framework . . . . . . . . . . . . . . . 5
98 2.1. Authentication Scheme Registry . . . . . . . . . . . . . . 7
99 3. Status Code Definitions . . . . . . . . . . . . . . . . . . . 7
100 3.1. 401 Unauthorized . . . . . . . . . . . . . . . . . . . . . 7
101 3.2. 407 Proxy Authentication Required . . . . . . . . . . . . 7
102 4. Header Field Definitions . . . . . . . . . . . . . . . . . . . 8
103 4.1. Authorization . . . . . . . . . . . . . . . . . . . . . . 8
104 4.2. Proxy-Authenticate . . . . . . . . . . . . . . . . . . . . 9
105 4.3. Proxy-Authorization . . . . . . . . . . . . . . . . . . . 9
106 4.4. WWW-Authenticate . . . . . . . . . . . . . . . . . . . . . 9
107 5. IANA Considerations . . . . . . . . . . . . . . . . . . . . . 10
108 5.1. Authenticaton Scheme Registry . . . . . . . . . . . . . . 10
109 5.2. Status Code Registration . . . . . . . . . . . . . . . . . 10
110 5.3. Header Field Registration . . . . . . . . . . . . . . . . 10
111 6. Security Considerations . . . . . . . . . . . . . . . . . . . 10
112 6.1. Authentication Credentials and Idle Clients . . . . . . . 11
113 7. Acknowledgments . . . . . . . . . . . . . . . . . . . . . . . 11
114 8. References . . . . . . . . . . . . . . . . . . . . . . . . . . 11
115 8.1. Normative References . . . . . . . . . . . . . . . . . . . 11
116 8.2. Informative References . . . . . . . . . . . . . . . . . . 12
117 Appendix A. Changes from RFC 2616 . . . . . . . . . . . . . . . . 12
118 Appendix B. Collected ABNF . . . . . . . . . . . . . . . . . . . 13
119 Appendix C. Change Log (to be removed by RFC Editor before
120 publication) . . . . . . . . . . . . . . . . . . . . 13
121 C.1. Since RFC 2616 . . . . . . . . . . . . . . . . . . . . . . 13
122 C.2. Since draft-ietf-httpbis-p7-auth-00 . . . . . . . . . . . 13
123 C.3. Since draft-ietf-httpbis-p7-auth-01 . . . . . . . . . . . 14
124 C.4. Since draft-ietf-httpbis-p7-auth-02 . . . . . . . . . . . 14
125 C.5. Since draft-ietf-httpbis-p7-auth-03 . . . . . . . . . . . 14
126 C.6. Since draft-ietf-httpbis-p7-auth-04 . . . . . . . . . . . 14
127 C.7. Since draft-ietf-httpbis-p7-auth-05 . . . . . . . . . . . 14
128 C.8. Since draft-ietf-httpbis-p7-auth-06 . . . . . . . . . . . 14
129 C.9. Since draft-ietf-httpbis-p7-auth-07 . . . . . . . . . . . 15
130 C.10. Since draft-ietf-httpbis-p7-auth-08 . . . . . . . . . . . 15
131 C.11. Since draft-ietf-httpbis-p7-auth-09 . . . . . . . . . . . 15
132 C.12. Since draft-ietf-httpbis-p7-auth-10 . . . . . . . . . . . 15
133 C.13. Since draft-ietf-httpbis-p7-auth-11 . . . . . . . . . . . 15
134 C.14. Since draft-ietf-httpbis-p7-auth-12 . . . . . . . . . . . 15
135 C.15. Since draft-ietf-httpbis-p7-auth-13 . . . . . . . . . . . 16
136 C.16. Since draft-ietf-httpbis-p7-auth-14 . . . . . . . . . . . 16
137 Index . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 16
139 1. Introduction
141 This document defines HTTP/1.1 access control and authentication. It
142 includes the relevant parts of RFC 2616 with only minor changes, plus
143 the general framework for HTTP authentication, as previously defined
144 in "HTTP Authentication: Basic and Digest Access Authentication"
145 ([RFC2617]).
147 HTTP provides several OPTIONAL challenge-response authentication
148 mechanisms which can be used by a server to challenge a client
149 request and by a client to provide authentication information. The
150 "basic" and "digest" authentication schemes continue to be specified
151 in RFC 2617.
153 1.1. Requirements
155 The key words "MUST", "MUST NOT", "REQUIRED", "SHALL", "SHALL NOT",
156 "SHOULD", "SHOULD NOT", "RECOMMENDED", "MAY", and "OPTIONAL" in this
157 document are to be interpreted as described in [RFC2119].
159 An implementation is not compliant if it fails to satisfy one or more
160 of the "MUST" or "REQUIRED" level requirements for the protocols it
161 implements. An implementation that satisfies all the "MUST" or
162 "REQUIRED" level and all the "SHOULD" level requirements for its
163 protocols is said to be "unconditionally compliant"; one that
164 satisfies all the "MUST" level requirements but not all the "SHOULD"
165 level requirements for its protocols is said to be "conditionally
166 compliant".
168 1.2. Syntax Notation
170 This specification uses the ABNF syntax defined in Section 1.2 of
171 [Part1] (which extends the syntax defined in [RFC5234] with a list
172 rule). Appendix B shows the collected ABNF, with the list rule
173 expanded.
175 The following core rules are included by reference, as defined in
176 [RFC5234], Appendix B.1: ALPHA (letters), CR (carriage return), CRLF
177 (CR LF), CTL (controls), DIGIT (decimal 0-9), DQUOTE (double quote),
178 HEXDIG (hexadecimal 0-9/A-F/a-f), LF (line feed), OCTET (any 8-bit
179 sequence of data), SP (space), VCHAR (any visible USASCII character),
180 and WSP (whitespace).
182 1.2.1. Core Rules
184 The core rules below are defined in Section 1.2.2 of [Part1]:
186 quoted-string =
187 token =
188 OWS =
190 2. Access Authentication Framework
192 HTTP provides a simple challenge-response authentication mechanism
193 that can be used by a server to challenge a client request and by a
194 client to provide authentication information. It uses an extensible,
195 case-insensitive token to identify the authentication scheme,
196 followed by a comma-separated list of attribute-value pairs which
197 carry the parameters necessary for achieving authentication via that
198 scheme.
200 auth-scheme = token
201 auth-param = token "=" ( token / quoted-string )
203 The 401 (Unauthorized) response message is used by an origin server
204 to challenge the authorization of a user agent. This response MUST
205 include a WWW-Authenticate header field containing at least one
206 challenge applicable to the requested resource. The 407 (Proxy
207 Authentication Required) response message is used by a proxy to
208 challenge the authorization of a client and MUST include a Proxy-
209 Authenticate header field containing at least one challenge
210 applicable to the proxy for the requested resource.
212 challenge = auth-scheme 1*SP 1#auth-param
214 Note: User agents will need to take special care in parsing the
215 WWW-Authenticate or Proxy-Authenticate header field value if it
216 contains more than one challenge, or if more than one WWW-
217 Authenticate header field is provided, since the contents of a
218 challenge can itself contain a comma-separated list of
219 authentication parameters.
221 Note: Many browsers fail to parse challenges containing unknown
222 schemes. A workaround for this problem is to list well-supported
223 schemes (such as "basic") first.
225 The authentication parameter realm is defined for all authentication
226 schemes:
228 realm = "realm" "=" realm-value
229 realm-value = quoted-string
231 The realm directive (case-insensitive) is required for all
232 authentication schemes that issue a challenge. The realm value
233 (case-sensitive), in combination with the canonical root URI (the
234 scheme and authority components of the effective request URI; see
235 Section 4.3 of [Part1]) of the server being accessed, defines the
236 protection space. These realms allow the protected resources on a
237 server to be partitioned into a set of protection spaces, each with
238 its own authentication scheme and/or authorization database. The
239 realm value is a string, generally assigned by the origin server,
240 which can have additional semantics specific to the authentication
241 scheme. Note that there can be multiple challenges with the same
242 auth-scheme but different realms.
244 A user agent that wishes to authenticate itself with an origin server
245 -- usually, but not necessarily, after receiving a 401 (Unauthorized)
246 -- MAY do so by including an Authorization header field with the
247 request. A client that wishes to authenticate itself with a proxy --
248 usually, but not necessarily, after receiving a 407 (Proxy
249 Authentication Required) -- MAY do so by including a Proxy-
250 Authorization header field with the request. Both the Authorization
251 field value and the Proxy-Authorization field value consist of
252 credentials containing the authentication information of the client
253 for the realm of the resource being requested. The user agent MUST
254 choose to use one of the challenges with the strongest auth-scheme it
255 understands and request credentials from the user based upon that
256 challenge.
258 credentials = auth-scheme ( token
259 / quoted-string
260 / #auth-param )
262 The protection space determines the domain over which credentials can
263 be automatically applied. If a prior request has been authorized,
264 the same credentials MAY be reused for all other requests within that
265 protection space for a period of time determined by the
266 authentication scheme, parameters, and/or user preference. Unless
267 otherwise defined by the authentication scheme, a single protection
268 space cannot extend outside the scope of its server.
270 If the origin server does not wish to accept the credentials sent
271 with a request, it SHOULD return a 401 (Unauthorized) response. The
272 response MUST include a WWW-Authenticate header field containing at
273 least one (possibly new) challenge applicable to the requested
274 resource. If a proxy does not accept the credentials sent with a
275 request, it SHOULD return a 407 (Proxy Authentication Required). The
276 response MUST include a Proxy-Authenticate header field containing a
277 (possibly new) challenge applicable to the proxy for the requested
278 resource.
280 The HTTP protocol does not restrict applications to this simple
281 challenge-response mechanism for access authentication. Additional
282 mechanisms MAY be used, such as encryption at the transport level or
283 via message encapsulation, and with additional header fields
284 specifying authentication information. However, such additional
285 mechanisms are not defined by this specification.
287 Proxies MUST forward the WWW-Authenticate and Authorization headers
288 unmodified and follow the rules found in Section 4.1.
290 2.1. Authentication Scheme Registry
292 The HTTP Authentication Scheme Registry defines the name space for
293 the authentication schemes in challenges and credentials.
295 Registrations MUST include the following fields:
297 o Authentication Scheme Name
299 o Pointer to specification text
301 Values to be added to this name space are subject to IETF review
302 ([RFC5226], Section 4.1).
304 The registry itself is maintained at
305 .
307 3. Status Code Definitions
309 3.1. 401 Unauthorized
311 The request requires user authentication. The response MUST include
312 a WWW-Authenticate header field (Section 4.4) containing a challenge
313 applicable to the target resource. The client MAY repeat the request
314 with a suitable Authorization header field (Section 4.1). If the
315 request already included Authorization credentials, then the 401
316 response indicates that authorization has been refused for those
317 credentials. If the 401 response contains the same challenge as the
318 prior response, and the user agent has already attempted
319 authentication at least once, then the user SHOULD be presented the
320 representation that was given in the response, since that
321 representation might include relevant diagnostic information.
323 3.2. 407 Proxy Authentication Required
325 This code is similar to 401 (Unauthorized), but indicates that the
326 client ought to first authenticate itself with the proxy. The proxy
327 MUST return a Proxy-Authenticate header field (Section 4.2)
328 containing a challenge applicable to the proxy for the target
329 resource. The client MAY repeat the request with a suitable Proxy-
330 Authorization header field (Section 4.3).
332 4. Header Field Definitions
334 This section defines the syntax and semantics of HTTP/1.1 header
335 fields related to authentication.
337 4.1. Authorization
339 The "Authorization" header field allows a user agent to authenticate
340 itself with a server -- usually, but not necessarily, after receiving
341 a 401 (Unauthorized) response. Its value consists of credentials
342 containing information of the user agent for the realm of the
343 resource being requested.
345 Authorization = credentials
347 If a request is authenticated and a realm specified, the same
348 credentials SHOULD be valid for all other requests within this realm
349 (assuming that the authentication scheme itself does not require
350 otherwise, such as credentials that vary according to a challenge
351 value or using synchronized clocks).
353 When a shared cache (see Section 1.2 of [Part6]) receives a request
354 containing an Authorization field, it MUST NOT return the
355 corresponding response as a reply to any other request, unless one of
356 the following specific exceptions holds:
358 1. If the response includes the "s-maxage" cache-control directive,
359 the cache MAY use that response in replying to a subsequent
360 request. But (if the specified maximum age has passed) a proxy
361 cache MUST first revalidate it with the origin server, using the
362 header fields from the new request to allow the origin server to
363 authenticate the new request. (This is the defined behavior for
364 s-maxage.) If the response includes "s-maxage=0", the proxy MUST
365 always revalidate it before re-using it.
367 2. If the response includes the "must-revalidate" cache-control
368 directive, the cache MAY use that response in replying to a
369 subsequent request. But if the response is stale, all caches
370 MUST first revalidate it with the origin server, using the header
371 fields from the new request to allow the origin server to
372 authenticate the new request.
374 3. If the response includes the "public" cache-control directive, it
375 MAY be returned in reply to any subsequent request.
377 4.2. Proxy-Authenticate
379 The "Proxy-Authenticate" header field consists of a challenge that
380 indicates the authentication scheme and parameters applicable to the
381 proxy for this effective request URI (Section 4.3 of [Part1]). It
382 MUST be included as part of a 407 (Proxy Authentication Required)
383 response.
385 Proxy-Authenticate = 1#challenge
387 Unlike WWW-Authenticate, the Proxy-Authenticate header field applies
388 only to the current connection and SHOULD NOT be passed on to
389 downstream clients. However, an intermediate proxy might need to
390 obtain its own credentials by requesting them from the downstream
391 client, which in some circumstances will appear as if the proxy is
392 forwarding the Proxy-Authenticate header field.
394 4.3. Proxy-Authorization
396 The "Proxy-Authorization" header field allows the client to identify
397 itself (or its user) to a proxy which requires authentication. Its
398 value consists of credentials containing the authentication
399 information of the user agent for the proxy and/or realm of the
400 resource being requested.
402 Proxy-Authorization = credentials
404 Unlike Authorization, the Proxy-Authorization header field applies
405 only to the next outbound proxy that demanded authentication using
406 the Proxy-Authenticate field. When multiple proxies are used in a
407 chain, the Proxy-Authorization header field is consumed by the first
408 outbound proxy that was expecting to receive credentials. A proxy
409 MAY relay the credentials from the client request to the next proxy
410 if that is the mechanism by which the proxies cooperatively
411 authenticate a given request.
413 4.4. WWW-Authenticate
415 The "WWW-Authenticate" header field consists of at least one
416 challenge that indicates the authentication scheme(s) and parameters
417 applicable to the effective request URI (Section 4.3 of [Part1]). It
418 MUST be included in 401 (Unauthorized) response messages.
420 WWW-Authenticate = 1#challenge
422 User agents are advised to take special care in parsing the WWW-
423 Authenticate field value as it might contain more than one challenge,
424 or if more than one WWW-Authenticate header field is provided, the
425 contents of a challenge itself can contain a comma-separated list of
426 authentication parameters.
428 5. IANA Considerations
430 5.1. Authenticaton Scheme Registry
432 The registration procedure for HTTP Authentication Schemes is defined
433 by Section 2.1 of this document.
435 The HTTP Method Authentication Scheme shall be created at
436 .
438 5.2. Status Code Registration
440 The HTTP Status Code Registry located at
441 shall be updated
442 with the registrations below:
444 +-------+-------------------------------+-------------+
445 | Value | Description | Reference |
446 +-------+-------------------------------+-------------+
447 | 401 | Unauthorized | Section 3.1 |
448 | 407 | Proxy Authentication Required | Section 3.2 |
449 +-------+-------------------------------+-------------+
451 5.3. Header Field Registration
453 The Message Header Field Registry located at shall be
455 updated with the permanent registrations below (see [RFC3864]):
457 +---------------------+----------+----------+-------------+
458 | Header Field Name | Protocol | Status | Reference |
459 +---------------------+----------+----------+-------------+
460 | Authorization | http | standard | Section 4.1 |
461 | Proxy-Authenticate | http | standard | Section 4.2 |
462 | Proxy-Authorization | http | standard | Section 4.3 |
463 | WWW-Authenticate | http | standard | Section 4.4 |
464 +---------------------+----------+----------+-------------+
466 The change controller is: "IETF (iesg@ietf.org) - Internet
467 Engineering Task Force".
469 6. Security Considerations
471 This section is meant to inform application developers, information
472 providers, and users of the security limitations in HTTP/1.1 as
473 described by this document. The discussion does not include
474 definitive solutions to the problems revealed, though it does make
475 some suggestions for reducing security risks.
477 6.1. Authentication Credentials and Idle Clients
479 Existing HTTP clients and user agents typically retain authentication
480 information indefinitely. HTTP/1.1 does not provide a method for a
481 server to direct clients to discard these cached credentials. This
482 is a significant defect that requires further extensions to HTTP.
483 Circumstances under which credential caching can interfere with the
484 application's security model include but are not limited to:
486 o Clients which have been idle for an extended period following
487 which the server might wish to cause the client to reprompt the
488 user for credentials.
490 o Applications which include a session termination indication (such
491 as a "logout" or "commit" button on a page) after which the server
492 side of the application "knows" that there is no further reason
493 for the client to retain the credentials.
495 This is currently under separate study. There are a number of work-
496 arounds to parts of this problem, and we encourage the use of
497 password protection in screen savers, idle time-outs, and other
498 methods which mitigate the security problems inherent in this
499 problem. In particular, user agents which cache credentials are
500 encouraged to provide a readily accessible mechanism for discarding
501 cached credentials under user control.
503 7. Acknowledgments
505 This specification takes over the definition of the HTTP
506 Authentication Framework, previously defined in RFC 2617. We thank
507 to John Franks, Phillip M. Hallam-Baker, Jeffery L. Hostetler, Scott
508 D. Lawrence, Paul J. Leach, Ari Luotonen, and Lawrence C. Stewart for
509 their work on that specification.
511 [[acks: HTTPbis acknowledgements.]]
513 8. References
515 8.1. Normative References
517 [Part1] Fielding, R., Ed., Gettys, J., Mogul, J., Frystyk, H.,
518 Masinter, L., Leach, P., Berners-Lee, T., Lafon, Y., Ed.,
519 and J. Reschke, Ed., "HTTP/1.1, part 1: URIs, Connections,
520 and Message Parsing", draft-ietf-httpbis-p1-messaging-15
521 (work in progress), July 2011.
523 [Part6] Fielding, R., Ed., Gettys, J., Mogul, J., Frystyk, H.,
524 Masinter, L., Leach, P., Berners-Lee, T., Lafon, Y., Ed.,
525 Nottingham, M., Ed., and J. Reschke, Ed., "HTTP/1.1, part
526 6: Caching", draft-ietf-httpbis-p6-cache-15 (work in
527 progress), July 2011.
529 [RFC2119] Bradner, S., "Key words for use in RFCs to Indicate
530 Requirement Levels", BCP 14, RFC 2119, March 1997.
532 [RFC5234] Crocker, D., Ed. and P. Overell, "Augmented BNF for Syntax
533 Specifications: ABNF", STD 68, RFC 5234, January 2008.
535 8.2. Informative References
537 [RFC2616] Fielding, R., Gettys, J., Mogul, J., Frystyk, H.,
538 Masinter, L., Leach, P., and T. Berners-Lee, "Hypertext
539 Transfer Protocol -- HTTP/1.1", RFC 2616, June 1999.
541 [RFC2617] Franks, J., Hallam-Baker, P., Hostetler, J., Lawrence, S.,
542 Leach, P., Luotonen, A., and L. Stewart, "HTTP
543 Authentication: Basic and Digest Access Authentication",
544 RFC 2617, June 1999.
546 [RFC3864] Klyne, G., Nottingham, M., and J. Mogul, "Registration
547 Procedures for Message Header Fields", BCP 90, RFC 3864,
548 September 2004.
550 [RFC5226] Narten, T. and H. Alvestrand, "Guidelines for Writing an
551 IANA Considerations Section in RFCs", BCP 26, RFC 5226,
552 May 2008.
554 Appendix A. Changes from RFC 2616
556 Change ABNF productions for header fields to only define the field
557 value. (Section 4)
559 Appendix B. Collected ABNF
561 Authorization = credentials
563 OWS =
565 Proxy-Authenticate = *( "," OWS ) challenge *( OWS "," [ OWS
566 challenge ] )
567 Proxy-Authorization = credentials
569 WWW-Authenticate = *( "," OWS ) challenge *( OWS "," [ OWS challenge
570 ] )
572 auth-param = token "=" ( token / quoted-string )
573 auth-scheme = token
575 challenge = auth-scheme 1*SP *( "," OWS ) auth-param *( OWS "," [ OWS
576 auth-param ] )
577 credentials = auth-scheme ( token / quoted-string / [ ( "," /
578 auth-param ) *( OWS "," [ OWS auth-param ] ) ] )
580 quoted-string =
582 realm = "realm=" realm-value
583 realm-value = quoted-string
585 token =
587 ABNF diagnostics:
589 ; Authorization defined but not used
590 ; Proxy-Authenticate defined but not used
591 ; Proxy-Authorization defined but not used
592 ; WWW-Authenticate defined but not used
593 ; realm defined but not used
595 Appendix C. Change Log (to be removed by RFC Editor before publication)
597 C.1. Since RFC 2616
599 Extracted relevant partitions from [RFC2616].
601 C.2. Since draft-ietf-httpbis-p7-auth-00
603 Closed issues:
605 o : "Normative and
606 Informative references"
608 C.3. Since draft-ietf-httpbis-p7-auth-01
610 Ongoing work on ABNF conversion
611 ():
613 o Explicitly import BNF rules for "challenge" and "credentials" from
614 RFC2617.
616 o Add explicit references to BNF syntax and rules imported from
617 other parts of the specification.
619 C.4. Since draft-ietf-httpbis-p7-auth-02
621 Ongoing work on IANA Message Header Field Registration
622 ():
624 o Reference RFC 3984, and update header field registrations for
625 header fields defined in this document.
627 C.5. Since draft-ietf-httpbis-p7-auth-03
629 C.6. Since draft-ietf-httpbis-p7-auth-04
631 Ongoing work on ABNF conversion
632 ():
634 o Use "/" instead of "|" for alternatives.
636 o Introduce new ABNF rules for "bad" whitespace ("BWS"), optional
637 whitespace ("OWS") and required whitespace ("RWS").
639 o Rewrite ABNFs to spell out whitespace rules, factor out header
640 field value format definitions.
642 C.7. Since draft-ietf-httpbis-p7-auth-05
644 Final work on ABNF conversion
645 ():
647 o Add appendix containing collected and expanded ABNF, reorganize
648 ABNF introduction.
650 C.8. Since draft-ietf-httpbis-p7-auth-06
652 None.
654 C.9. Since draft-ietf-httpbis-p7-auth-07
656 Closed issues:
658 o : "move IANA
659 registrations for optional status codes"
661 C.10. Since draft-ietf-httpbis-p7-auth-08
663 No significant changes.
665 C.11. Since draft-ietf-httpbis-p7-auth-09
667 Partly resolved issues:
669 o : "Term for the
670 requested resource's URI"
672 C.12. Since draft-ietf-httpbis-p7-auth-10
674 None.
676 C.13. Since draft-ietf-httpbis-p7-auth-11
678 Closed issues:
680 o : "introduction
681 to part 7 is work-in-progress"
683 o : "auth-param
684 syntax"
686 o : "Header
687 Classification"
689 o : "absorbing the
690 auth framework from 2617"
692 Partly resolved issues:
694 o : "should we
695 have an auth scheme registry"
697 C.14. Since draft-ietf-httpbis-p7-auth-12
699 None.
701 C.15. Since draft-ietf-httpbis-p7-auth-13
703 Closed issues:
705 o : "untangle
706 ABNFs for header fields"
708 C.16. Since draft-ietf-httpbis-p7-auth-14
710 None.
712 Index
714 4
715 401 Unauthorized (status code) 7
716 407 Proxy Authentication Required (status code) 7
718 A
719 auth-param 5
720 auth-scheme 5
721 Authorization header field 8
723 C
724 challenge 5
725 credentials 6
727 G
728 Grammar
729 Authorization 8
730 Proxy-Authenticate 9
731 Proxy-Authorization 9
732 WWW-Authenticate 9
734 H
735 Header Fields
736 Authorization 8
737 Proxy-Authenticate 9
738 Proxy-Authorization 9
739 WWW-Authenticate 9
741 P
742 Proxy-Authenticate header field 9
743 Proxy-Authorization header field 9
745 R
746 realm 5
747 realm-value 5
749 S
750 Status Codes
751 401 Unauthorized 7
752 407 Proxy Authentication Required 7
754 W
755 WWW-Authenticate header field 9
757 Authors' Addresses
759 Roy T. Fielding (editor)
760 Adobe Systems Incorporated
761 345 Park Ave
762 San Jose, CA 95110
763 USA
765 EMail: fielding@gbiv.com
766 URI: http://roy.gbiv.com/
768 Jim Gettys
769 Alcatel-Lucent Bell Labs
770 21 Oak Knoll Road
771 Carlisle, MA 01741
772 USA
774 EMail: jg@freedesktop.org
775 URI: http://gettys.wordpress.com/
777 Jeffrey C. Mogul
778 Hewlett-Packard Company
779 HP Labs, Large Scale Systems Group
780 1501 Page Mill Road, MS 1177
781 Palo Alto, CA 94304
782 USA
784 EMail: JeffMogul@acm.org
786 Henrik Frystyk Nielsen
787 Microsoft Corporation
788 1 Microsoft Way
789 Redmond, WA 98052
790 USA
792 EMail: henrikn@microsoft.com
793 Larry Masinter
794 Adobe Systems Incorporated
795 345 Park Ave
796 San Jose, CA 95110
797 USA
799 EMail: LMM@acm.org
800 URI: http://larry.masinter.net/
802 Paul J. Leach
803 Microsoft Corporation
804 1 Microsoft Way
805 Redmond, WA 98052
807 EMail: paulle@microsoft.com
809 Tim Berners-Lee
810 World Wide Web Consortium
811 MIT Computer Science and Artificial Intelligence Laboratory
812 The Stata Center, Building 32
813 32 Vassar Street
814 Cambridge, MA 02139
815 USA
817 EMail: timbl@w3.org
818 URI: http://www.w3.org/People/Berners-Lee/
820 Yves Lafon (editor)
821 World Wide Web Consortium
822 W3C / ERCIM
823 2004, rte des Lucioles
824 Sophia-Antipolis, AM 06902
825 France
827 EMail: ylafon@w3.org
828 URI: http://www.raubacapeu.net/people/yves/
829 Julian F. Reschke (editor)
830 greenbytes GmbH
831 Hafenweg 16
832 Muenster, NW 48155
833 Germany
835 Phone: +49 251 2807760
836 Fax: +49 251 2807761
837 EMail: julian.reschke@greenbytes.de
838 URI: http://greenbytes.de/tech/webdav/