1 | <!DOCTYPE html |
---|
2 | PUBLIC "-//W3C//DTD HTML 4.01//EN"> |
---|
3 | <html lang="en"> |
---|
4 | <head profile="http://dublincore.org/documents/2008/08/04/dc-html/"> |
---|
5 | <meta http-equiv="Content-Type" content="text/html; charset=UTF-8"> |
---|
6 | <title>HTTP/1.1, part 7: Authentication</title><style type="text/css" title="Xml2Rfc (sans serif)"> |
---|
7 | a { |
---|
8 | text-decoration: none; |
---|
9 | } |
---|
10 | a.smpl { |
---|
11 | color: black; |
---|
12 | } |
---|
13 | a:hover { |
---|
14 | text-decoration: underline; |
---|
15 | } |
---|
16 | a:active { |
---|
17 | text-decoration: underline; |
---|
18 | } |
---|
19 | address { |
---|
20 | margin-top: 1em; |
---|
21 | margin-left: 2em; |
---|
22 | font-style: normal; |
---|
23 | } |
---|
24 | body { |
---|
25 | color: black; |
---|
26 | font-family: cambria, helvetica, arial, sans-serif; |
---|
27 | font-size: 11pt; |
---|
28 | margin-right: 2em; |
---|
29 | } |
---|
30 | cite { |
---|
31 | font-style: normal; |
---|
32 | } |
---|
33 | dl { |
---|
34 | margin-left: 2em; |
---|
35 | } |
---|
36 | ul.empty { |
---|
37 | list-style-type: none; |
---|
38 | } |
---|
39 | ul.empty li { |
---|
40 | margin-top: .5em; |
---|
41 | } |
---|
42 | dl p { |
---|
43 | margin-left: 0em; |
---|
44 | } |
---|
45 | dt { |
---|
46 | margin-top: .5em; |
---|
47 | } |
---|
48 | h1 { |
---|
49 | font-size: 130%; |
---|
50 | line-height: 21pt; |
---|
51 | page-break-after: avoid; |
---|
52 | } |
---|
53 | h1.np { |
---|
54 | page-break-before: always; |
---|
55 | } |
---|
56 | h2 { |
---|
57 | font-size: 120%; |
---|
58 | line-height: 15pt; |
---|
59 | page-break-after: avoid; |
---|
60 | } |
---|
61 | h3 { |
---|
62 | font-size: 110%; |
---|
63 | page-break-after: avoid; |
---|
64 | } |
---|
65 | h4, h5, h6 { |
---|
66 | page-break-after: avoid; |
---|
67 | } |
---|
68 | h1 a, h2 a, h3 a, h4 a, h5 a, h6 a { |
---|
69 | color: black; |
---|
70 | } |
---|
71 | img { |
---|
72 | margin-left: 3em; |
---|
73 | } |
---|
74 | li { |
---|
75 | margin-left: 2em; |
---|
76 | } |
---|
77 | ol { |
---|
78 | margin-left: 2em; |
---|
79 | } |
---|
80 | ol.la { |
---|
81 | list-style-type: lower-alpha; |
---|
82 | } |
---|
83 | ol.ua { |
---|
84 | list-style-type: upper-alpha; |
---|
85 | } |
---|
86 | ol p { |
---|
87 | margin-left: 0em; |
---|
88 | } |
---|
89 | p { |
---|
90 | margin-left: 2em; |
---|
91 | } |
---|
92 | pre { |
---|
93 | margin-left: 3em; |
---|
94 | background-color: lightyellow; |
---|
95 | padding: .25em; |
---|
96 | page-break-inside: avoid; |
---|
97 | } |
---|
98 | pre.text2 { |
---|
99 | border-style: dotted; |
---|
100 | border-width: 1px; |
---|
101 | background-color: #f0f0f0; |
---|
102 | width: 69em; |
---|
103 | } |
---|
104 | pre.inline { |
---|
105 | background-color: white; |
---|
106 | padding: 0em; |
---|
107 | } |
---|
108 | pre.text { |
---|
109 | border-style: dotted; |
---|
110 | border-width: 1px; |
---|
111 | background-color: #f8f8f8; |
---|
112 | width: 69em; |
---|
113 | } |
---|
114 | pre.drawing { |
---|
115 | border-style: solid; |
---|
116 | border-width: 1px; |
---|
117 | background-color: #f8f8f8; |
---|
118 | padding: 2em; |
---|
119 | } |
---|
120 | table { |
---|
121 | margin-left: 2em; |
---|
122 | } |
---|
123 | table.header { |
---|
124 | border-spacing: 1px; |
---|
125 | width: 95%; |
---|
126 | font-size: 11pt; |
---|
127 | color: white; |
---|
128 | } |
---|
129 | td.top { |
---|
130 | vertical-align: top; |
---|
131 | } |
---|
132 | td.topnowrap { |
---|
133 | vertical-align: top; |
---|
134 | white-space: nowrap; |
---|
135 | } |
---|
136 | table.header td { |
---|
137 | background-color: gray; |
---|
138 | width: 50%; |
---|
139 | } |
---|
140 | table.header a { |
---|
141 | color: white; |
---|
142 | } |
---|
143 | td.reference { |
---|
144 | vertical-align: top; |
---|
145 | white-space: nowrap; |
---|
146 | padding-right: 1em; |
---|
147 | } |
---|
148 | thead { |
---|
149 | display:table-header-group; |
---|
150 | } |
---|
151 | ul.toc, ul.toc ul { |
---|
152 | list-style: none; |
---|
153 | margin-left: 1.5em; |
---|
154 | padding-left: 0em; |
---|
155 | } |
---|
156 | ul.toc li { |
---|
157 | line-height: 150%; |
---|
158 | font-weight: bold; |
---|
159 | margin-left: 0em; |
---|
160 | } |
---|
161 | ul.toc li li { |
---|
162 | line-height: normal; |
---|
163 | font-weight: normal; |
---|
164 | font-size: 10pt; |
---|
165 | margin-left: 0em; |
---|
166 | } |
---|
167 | li.excluded { |
---|
168 | font-size: 0pt; |
---|
169 | } |
---|
170 | ul p { |
---|
171 | margin-left: 0em; |
---|
172 | } |
---|
173 | .title, .filename, h1, h2, h3, h4 { |
---|
174 | font-family: candara, helvetica, arial, sans-serif; |
---|
175 | } |
---|
176 | samp, tt, code, pre { |
---|
177 | font: consolas, monospace; |
---|
178 | } |
---|
179 | ul.ind, ul.ind ul { |
---|
180 | list-style: none; |
---|
181 | margin-left: 1.5em; |
---|
182 | padding-left: 0em; |
---|
183 | page-break-before: avoid; |
---|
184 | } |
---|
185 | ul.ind li { |
---|
186 | font-weight: bold; |
---|
187 | line-height: 200%; |
---|
188 | margin-left: 0em; |
---|
189 | } |
---|
190 | ul.ind li li { |
---|
191 | font-weight: normal; |
---|
192 | line-height: 150%; |
---|
193 | margin-left: 0em; |
---|
194 | } |
---|
195 | .avoidbreak { |
---|
196 | page-break-inside: avoid; |
---|
197 | } |
---|
198 | .bcp14 { |
---|
199 | font-style: normal; |
---|
200 | text-transform: lowercase; |
---|
201 | font-variant: small-caps; |
---|
202 | } |
---|
203 | .comment { |
---|
204 | background-color: yellow; |
---|
205 | } |
---|
206 | .center { |
---|
207 | text-align: center; |
---|
208 | } |
---|
209 | .error { |
---|
210 | color: red; |
---|
211 | font-style: italic; |
---|
212 | font-weight: bold; |
---|
213 | } |
---|
214 | .figure { |
---|
215 | font-weight: bold; |
---|
216 | text-align: center; |
---|
217 | font-size: 10pt; |
---|
218 | } |
---|
219 | .filename { |
---|
220 | color: #333333; |
---|
221 | font-size: 75%; |
---|
222 | font-weight: bold; |
---|
223 | line-height: 21pt; |
---|
224 | text-align: center; |
---|
225 | } |
---|
226 | .fn { |
---|
227 | font-weight: bold; |
---|
228 | } |
---|
229 | .left { |
---|
230 | text-align: left; |
---|
231 | } |
---|
232 | .right { |
---|
233 | text-align: right; |
---|
234 | } |
---|
235 | .title { |
---|
236 | color: green; |
---|
237 | font-size: 150%; |
---|
238 | line-height: 18pt; |
---|
239 | font-weight: bold; |
---|
240 | text-align: center; |
---|
241 | margin-top: 36pt; |
---|
242 | } |
---|
243 | .warning { |
---|
244 | font-size: 130%; |
---|
245 | background-color: yellow; |
---|
246 | } |
---|
247 | |
---|
248 | |
---|
249 | @media print { |
---|
250 | .noprint { |
---|
251 | display: none; |
---|
252 | } |
---|
253 | |
---|
254 | a { |
---|
255 | color: black; |
---|
256 | text-decoration: none; |
---|
257 | } |
---|
258 | |
---|
259 | table.header { |
---|
260 | width: 90%; |
---|
261 | } |
---|
262 | |
---|
263 | td.header { |
---|
264 | width: 50%; |
---|
265 | color: black; |
---|
266 | background-color: white; |
---|
267 | vertical-align: top; |
---|
268 | font-size: 110%; |
---|
269 | } |
---|
270 | |
---|
271 | ul.toc a:nth-child(2)::after { |
---|
272 | content: leader('.') target-counter(attr(href), page); |
---|
273 | } |
---|
274 | |
---|
275 | ul.ind li li a { |
---|
276 | content: target-counter(attr(href), page); |
---|
277 | } |
---|
278 | |
---|
279 | .print2col { |
---|
280 | column-count: 2; |
---|
281 | -moz-column-count: 2; |
---|
282 | column-fill: auto; |
---|
283 | } |
---|
284 | } |
---|
285 | |
---|
286 | @page { |
---|
287 | @top-left { |
---|
288 | content: "Internet-Draft"; |
---|
289 | } |
---|
290 | @top-right { |
---|
291 | content: "February 2008"; |
---|
292 | } |
---|
293 | @top-center { |
---|
294 | content: "HTTP/1.1, Part 7"; |
---|
295 | } |
---|
296 | @bottom-left { |
---|
297 | content: "Fielding, et al."; |
---|
298 | } |
---|
299 | @bottom-center { |
---|
300 | content: "Expires August 27, 2008"; |
---|
301 | } |
---|
302 | @bottom-right { |
---|
303 | content: "[Page " counter(page) "]"; |
---|
304 | } |
---|
305 | } |
---|
306 | |
---|
307 | @page:first { |
---|
308 | @top-left { |
---|
309 | content: normal; |
---|
310 | } |
---|
311 | @top-right { |
---|
312 | content: normal; |
---|
313 | } |
---|
314 | @top-center { |
---|
315 | content: normal; |
---|
316 | } |
---|
317 | } |
---|
318 | </style><link rel="Contents" href="#rfc.toc"> |
---|
319 | <link rel="Author" href="#rfc.authors"> |
---|
320 | <link rel="Copyright" href="#rfc.copyright"> |
---|
321 | <link rel="Index" href="#rfc.index"> |
---|
322 | <link rel="Chapter" title="1 Introduction" href="#rfc.section.1"> |
---|
323 | <link rel="Chapter" title="2 Notational Conventions and Generic Grammar" href="#rfc.section.2"> |
---|
324 | <link rel="Chapter" title="3 Status Code Definitions" href="#rfc.section.3"> |
---|
325 | <link rel="Chapter" title="4 Header Field Definitions" href="#rfc.section.4"> |
---|
326 | <link rel="Chapter" title="5 IANA Considerations" href="#rfc.section.5"> |
---|
327 | <link rel="Chapter" title="6 Security Considerations" href="#rfc.section.6"> |
---|
328 | <link rel="Chapter" title="7 Acknowledgments" href="#rfc.section.7"> |
---|
329 | <link rel="Chapter" href="#rfc.section.8" title="8 References"> |
---|
330 | <link rel="Appendix" title="A Compatibility with Previous Versions" href="#rfc.section.A"> |
---|
331 | <link rel="Appendix" title="B Change Log (to be removed by RFC Editor before publication)" href="#rfc.section.B"> |
---|
332 | <meta name="generator" content="http://greenbytes.de/tech/webdav/rfc2629.xslt, Revision 1.640, 2014/06/13 12:42:58, XSLT vendor: SAXON 8.9 from Saxonica http://www.saxonica.com/"> |
---|
333 | <link rel="schema.dct" href="http://purl.org/dc/terms/"> |
---|
334 | <meta name="dct.creator" content="Fielding, R."> |
---|
335 | <meta name="dct.creator" content="Gettys, J."> |
---|
336 | <meta name="dct.creator" content="Mogul, J."> |
---|
337 | <meta name="dct.creator" content="Frystyk, H."> |
---|
338 | <meta name="dct.creator" content="Masinter, L."> |
---|
339 | <meta name="dct.creator" content="Leach, P."> |
---|
340 | <meta name="dct.creator" content="Berners-Lee, T."> |
---|
341 | <meta name="dct.creator" content="Lafon, Y."> |
---|
342 | <meta name="dct.creator" content="Reschke, J. F."> |
---|
343 | <meta name="dct.identifier" content="urn:ietf:id:draft-ietf-httpbis-p7-auth-02"> |
---|
344 | <meta name="dct.issued" scheme="ISO8601" content="2008-02-24"> |
---|
345 | <meta name="dct.replaces" content="urn:ietf:rfc:2616"> |
---|
346 | <meta name="dct.abstract" content="The Hypertext Transfer Protocol (HTTP) is an application-level protocol for distributed, collaborative, hypermedia information systems. HTTP has been in use by the World Wide Web global information initiative since 1990. This document is Part 7 of the seven-part specification that defines the protocol referred to as "HTTP/1.1" and, taken together, obsoletes RFC 2616. Part 7 defines HTTP Authentication."> |
---|
347 | <meta name="description" content="The Hypertext Transfer Protocol (HTTP) is an application-level protocol for distributed, collaborative, hypermedia information systems. HTTP has been in use by the World Wide Web global information initiative since 1990. This document is Part 7 of the seven-part specification that defines the protocol referred to as "HTTP/1.1" and, taken together, obsoletes RFC 2616. Part 7 defines HTTP Authentication."> |
---|
348 | </head> |
---|
349 | <body> |
---|
350 | <table class="header"> |
---|
351 | <tbody> |
---|
352 | <tr> |
---|
353 | <td class="left">Network Working Group</td> |
---|
354 | <td class="right">R. Fielding, Editor</td> |
---|
355 | </tr> |
---|
356 | <tr> |
---|
357 | <td class="left">Internet-Draft</td> |
---|
358 | <td class="right">Day Software</td> |
---|
359 | </tr> |
---|
360 | <tr> |
---|
361 | <td class="left">Obsoletes: <a href="https://tools.ietf.org/html/rfc2616">2616</a> (if approved) |
---|
362 | </td> |
---|
363 | <td class="right">J. Gettys</td> |
---|
364 | </tr> |
---|
365 | <tr> |
---|
366 | <td class="left">Updates: <a href="https://tools.ietf.org/html/rfc2617">2617</a> (if approved) |
---|
367 | </td> |
---|
368 | <td class="right">One Laptop per Child</td> |
---|
369 | </tr> |
---|
370 | <tr> |
---|
371 | <td class="left">Intended status: Standards Track</td> |
---|
372 | <td class="right">J. Mogul</td> |
---|
373 | </tr> |
---|
374 | <tr> |
---|
375 | <td class="left">Expires: August 27, 2008</td> |
---|
376 | <td class="right">HP</td> |
---|
377 | </tr> |
---|
378 | <tr> |
---|
379 | <td class="left"></td> |
---|
380 | <td class="right">H. Frystyk</td> |
---|
381 | </tr> |
---|
382 | <tr> |
---|
383 | <td class="left"></td> |
---|
384 | <td class="right">Microsoft</td> |
---|
385 | </tr> |
---|
386 | <tr> |
---|
387 | <td class="left"></td> |
---|
388 | <td class="right">L. Masinter</td> |
---|
389 | </tr> |
---|
390 | <tr> |
---|
391 | <td class="left"></td> |
---|
392 | <td class="right">Adobe Systems</td> |
---|
393 | </tr> |
---|
394 | <tr> |
---|
395 | <td class="left"></td> |
---|
396 | <td class="right">P. Leach</td> |
---|
397 | </tr> |
---|
398 | <tr> |
---|
399 | <td class="left"></td> |
---|
400 | <td class="right">Microsoft</td> |
---|
401 | </tr> |
---|
402 | <tr> |
---|
403 | <td class="left"></td> |
---|
404 | <td class="right">T. Berners-Lee</td> |
---|
405 | </tr> |
---|
406 | <tr> |
---|
407 | <td class="left"></td> |
---|
408 | <td class="right">W3C/MIT</td> |
---|
409 | </tr> |
---|
410 | <tr> |
---|
411 | <td class="left"></td> |
---|
412 | <td class="right">Y. Lafon, Editor</td> |
---|
413 | </tr> |
---|
414 | <tr> |
---|
415 | <td class="left"></td> |
---|
416 | <td class="right">W3C</td> |
---|
417 | </tr> |
---|
418 | <tr> |
---|
419 | <td class="left"></td> |
---|
420 | <td class="right">J. Reschke, Editor</td> |
---|
421 | </tr> |
---|
422 | <tr> |
---|
423 | <td class="left"></td> |
---|
424 | <td class="right">greenbytes</td> |
---|
425 | </tr> |
---|
426 | <tr> |
---|
427 | <td class="left"></td> |
---|
428 | <td class="right">February 24, 2008</td> |
---|
429 | </tr> |
---|
430 | </tbody> |
---|
431 | </table> |
---|
432 | <p class="title">HTTP/1.1, part 7: Authentication<br><span class="filename">draft-ietf-httpbis-p7-auth-02</span></p> |
---|
433 | <div id="rfc.status"> |
---|
434 | <h1><a href="#rfc.status">Status of this Memo</a></h1> |
---|
435 | <p>By submitting this Internet-Draft, each author represents that any applicable patent or other IPR claims of which he or she |
---|
436 | is aware have been or will be disclosed, and any of which he or she becomes aware will be disclosed, in accordance with Section |
---|
437 | 6 of BCP 79. |
---|
438 | </p> |
---|
439 | <p>Internet-Drafts are working documents of the Internet Engineering Task Force (IETF), its areas, and its working groups. Note |
---|
440 | that other groups may also distribute working documents as Internet-Drafts. |
---|
441 | </p> |
---|
442 | <p>Internet-Drafts are draft documents valid for a maximum of six months and may be updated, replaced, or obsoleted by other |
---|
443 | documents at any time. It is inappropriate to use Internet-Drafts as reference material or to cite them other than as “work |
---|
444 | in progress”. |
---|
445 | </p> |
---|
446 | <p>The list of current Internet-Drafts can be accessed at <a href="http://www.ietf.org/ietf/1id-abstracts.txt">http://www.ietf.org/ietf/1id-abstracts.txt</a>. |
---|
447 | </p> |
---|
448 | <p>The list of Internet-Draft Shadow Directories can be accessed at <a href="http://www.ietf.org/shadow.html">http://www.ietf.org/shadow.html</a>. |
---|
449 | </p> |
---|
450 | <p>This Internet-Draft will expire on August 27, 2008.</p> |
---|
451 | </div> |
---|
452 | <h1 id="rfc.abstract"><a href="#rfc.abstract">Abstract</a></h1> |
---|
453 | <p>The Hypertext Transfer Protocol (HTTP) is an application-level protocol for distributed, collaborative, hypermedia information |
---|
454 | systems. HTTP has been in use by the World Wide Web global information initiative since 1990. This document is Part 7 of the |
---|
455 | seven-part specification that defines the protocol referred to as "HTTP/1.1" and, taken together, obsoletes RFC 2616. Part |
---|
456 | 7 defines HTTP Authentication. |
---|
457 | </p> |
---|
458 | <h1 id="rfc.note.1"><a href="#rfc.note.1">Editorial Note (To be removed by RFC Editor)</a></h1> |
---|
459 | <p>Discussion of this draft should take place on the HTTPBIS working group mailing list (ietf-http-wg@w3.org). The current issues |
---|
460 | list is at <<a href="http://www.tools.ietf.org/wg/httpbis/trac/report/11">http://www.tools.ietf.org/wg/httpbis/trac/report/11</a>> and related documents (including fancy diffs) can be found at <<a href="http://www.tools.ietf.org/wg/httpbis/">http://www.tools.ietf.org/wg/httpbis/</a>>. |
---|
461 | </p> |
---|
462 | <p>This draft incorporates those issue resolutions that were either collected in the original RFC2616 errata list (<<a href="http://purl.org/NET/http-errata">http://purl.org/NET/http-errata</a>>), or which were agreed upon on the mailing list between October 2006 and November 2007 (as published in "draft-lafon-rfc2616bis-03"). |
---|
463 | </p> |
---|
464 | <hr class="noprint"> |
---|
465 | <h1 class="np" id="rfc.toc"><a href="#rfc.toc">Table of Contents</a></h1> |
---|
466 | <ul class="toc"> |
---|
467 | <li><a href="#rfc.section.1">1.</a> <a href="#introduction">Introduction</a><ul> |
---|
468 | <li><a href="#rfc.section.1.1">1.1</a> <a href="#intro.requirements">Requirements</a></li> |
---|
469 | </ul> |
---|
470 | </li> |
---|
471 | <li><a href="#rfc.section.2">2.</a> <a href="#notation">Notational Conventions and Generic Grammar</a></li> |
---|
472 | <li><a href="#rfc.section.3">3.</a> <a href="#rfc.section.3">Status Code Definitions</a><ul> |
---|
473 | <li><a href="#rfc.section.3.1">3.1</a> <a href="#status.401">401 Unauthorized</a></li> |
---|
474 | <li><a href="#rfc.section.3.2">3.2</a> <a href="#status.407">407 Proxy Authentication Required</a></li> |
---|
475 | </ul> |
---|
476 | </li> |
---|
477 | <li><a href="#rfc.section.4">4.</a> <a href="#header.fields">Header Field Definitions</a><ul> |
---|
478 | <li><a href="#rfc.section.4.1">4.1</a> <a href="#header.authorization">Authorization</a></li> |
---|
479 | <li><a href="#rfc.section.4.2">4.2</a> <a href="#header.proxy-authenticate">Proxy-Authenticate</a></li> |
---|
480 | <li><a href="#rfc.section.4.3">4.3</a> <a href="#header.proxy-authorization">Proxy-Authorization</a></li> |
---|
481 | <li><a href="#rfc.section.4.4">4.4</a> <a href="#header.www-authenticate">WWW-Authenticate</a></li> |
---|
482 | </ul> |
---|
483 | </li> |
---|
484 | <li><a href="#rfc.section.5">5.</a> <a href="#IANA.considerations">IANA Considerations</a></li> |
---|
485 | <li><a href="#rfc.section.6">6.</a> <a href="#security.considerations">Security Considerations</a><ul> |
---|
486 | <li><a href="#rfc.section.6.1">6.1</a> <a href="#auth.credentials.and.idle.clients">Authentication Credentials and Idle Clients</a></li> |
---|
487 | </ul> |
---|
488 | </li> |
---|
489 | <li><a href="#rfc.section.7">7.</a> <a href="#ack">Acknowledgments</a></li> |
---|
490 | <li><a href="#rfc.section.8">8.</a> <a href="#rfc.references">References</a><ul> |
---|
491 | <li><a href="#rfc.section.8.1">8.1</a> <a href="#rfc.references.1">Normative References</a></li> |
---|
492 | <li><a href="#rfc.section.8.2">8.2</a> <a href="#rfc.references.2">Informative References</a></li> |
---|
493 | </ul> |
---|
494 | </li> |
---|
495 | <li><a href="#rfc.section.A">A.</a> <a href="#compatibility">Compatibility with Previous Versions</a><ul> |
---|
496 | <li><a href="#rfc.section.A.1">A.1</a> <a href="#changes.from.rfc.2616">Changes from RFC 2616</a></li> |
---|
497 | </ul> |
---|
498 | </li> |
---|
499 | <li><a href="#rfc.section.B">B.</a> <a href="#rfc.section.B">Change Log (to be removed by RFC Editor before publication)</a><ul> |
---|
500 | <li><a href="#rfc.section.B.1">B.1</a> <a href="#rfc.section.B.1">Since RFC2616</a></li> |
---|
501 | <li><a href="#rfc.section.B.2">B.2</a> <a href="#rfc.section.B.2">Since draft-ietf-httpbis-p7-auth-00</a></li> |
---|
502 | <li><a href="#rfc.section.B.3">B.3</a> <a href="#rfc.section.B.3">Since draft-ietf-httpbis-p7-auth-01</a></li> |
---|
503 | </ul> |
---|
504 | </li> |
---|
505 | <li><a href="#rfc.index">Index</a></li> |
---|
506 | <li><a href="#rfc.authors">Authors' Addresses</a></li> |
---|
507 | <li><a href="#rfc.ipr">Intellectual Property and Copyright Statements</a></li> |
---|
508 | </ul> |
---|
509 | <div id="introduction"> |
---|
510 | <h1 id="rfc.section.1" class="np"><a href="#rfc.section.1">1.</a> <a href="#introduction">Introduction</a></h1> |
---|
511 | <p id="rfc.section.1.p.1">This document defines HTTP/1.1 access control and authentication. Right now it includes the extracted relevant sections of <cite title="Hypertext Transfer Protocol -- HTTP/1.1" id="rfc.xref.RFC2616.1">RFC 2616</cite> with only minor changes. The intention is to move the general framework for HTTP authentication here, as currently specified |
---|
512 | in <a href="#RFC2617" id="rfc.xref.RFC2617.1"><cite title="HTTP Authentication: Basic and Digest Access Authentication">[RFC2617]</cite></a>, and allow the individual authentication mechanisms to be defined elsewhere. This introduction will be rewritten when that |
---|
513 | occurs. |
---|
514 | </p> |
---|
515 | <p id="rfc.section.1.p.2">HTTP provides several <em class="bcp14">OPTIONAL</em> challenge-response authentication mechanisms which can be used by a server to challenge a client request and by a client to |
---|
516 | provide authentication information. The general framework for access authentication, and the specification of "basic" and |
---|
517 | "digest" authentication, are specified in "HTTP Authentication: Basic and Digest Access Authentication" <a href="#RFC2617" id="rfc.xref.RFC2617.2"><cite title="HTTP Authentication: Basic and Digest Access Authentication">[RFC2617]</cite></a>. This specification adopts the definitions of "challenge" and "credentials" from that specification. |
---|
518 | </p> |
---|
519 | <div id="intro.requirements"> |
---|
520 | <h2 id="rfc.section.1.1"><a href="#rfc.section.1.1">1.1</a> <a href="#intro.requirements">Requirements</a></h2> |
---|
521 | <p id="rfc.section.1.1.p.1">The key words "MUST", "MUST NOT", "REQUIRED", "SHALL", "SHALL NOT", "SHOULD", "SHOULD NOT", "RECOMMENDED", "MAY", and "OPTIONAL" |
---|
522 | in this document are to be interpreted as described in <a href="#RFC2119" id="rfc.xref.RFC2119.1"><cite title="Key words for use in RFCs to Indicate Requirement Levels">[RFC2119]</cite></a>. |
---|
523 | </p> |
---|
524 | <p id="rfc.section.1.1.p.2">An implementation is not compliant if it fails to satisfy one or more of the <em class="bcp14">MUST</em> or <em class="bcp14">REQUIRED</em> level requirements for the protocols it implements. An implementation that satisfies all the <em class="bcp14">MUST</em> or <em class="bcp14">REQUIRED</em> level and all the <em class="bcp14">SHOULD</em> level requirements for its protocols is said to be "unconditionally compliant"; one that satisfies all the <em class="bcp14">MUST</em> level requirements but not all the <em class="bcp14">SHOULD</em> level requirements for its protocols is said to be "conditionally compliant." |
---|
525 | </p> |
---|
526 | </div> |
---|
527 | </div> |
---|
528 | <div id="notation"> |
---|
529 | <h1 id="rfc.section.2"><a href="#rfc.section.2">2.</a> <a href="#notation">Notational Conventions and Generic Grammar</a></h1> |
---|
530 | <p id="rfc.section.2.p.1">This specification uses the ABNF syntax defined in <a href="p1-messaging.html#notation.abnf" title="Augmented BNF">Section 2.1</a> of <a href="#Part1" id="rfc.xref.Part1.1"><cite title="HTTP/1.1, part 1: URIs, Connections, and Message Parsing">[Part1]</cite></a>. <span class="comment" id="abnf.dep">[<a href="#abnf.dep" class="smpl">abnf.dep</a>: ABNF syntax and basic rules will be adopted from RFC 5234, see <<a href="http://tools.ietf.org/wg/httpbis/trac/ticket/36">http://tools.ietf.org/wg/httpbis/trac/ticket/36</a>>.]</span> |
---|
531 | </p> |
---|
532 | <div id="abnf.dependencies"> |
---|
533 | <p id="rfc.section.2.p.2">The ABNF rules below are defined in other specifications:</p> |
---|
534 | </div> |
---|
535 | <div id="rfc.figure.u.1"></div><pre class="inline"><span id="rfc.iref.g.1"></span><span id="rfc.iref.g.2"></span> challenge = <challenge, defined in <a href="#RFC2617" id="rfc.xref.RFC2617.3"><cite title="HTTP Authentication: Basic and Digest Access Authentication">[RFC2617]</cite></a>, <a href="https://tools.ietf.org/html/rfc2617#section-1.2">Section 1.2</a>> |
---|
536 | credentials = <credentials, defined in <a href="#RFC2617" id="rfc.xref.RFC2617.4"><cite title="HTTP Authentication: Basic and Digest Access Authentication">[RFC2617]</cite></a>, <a href="https://tools.ietf.org/html/rfc2617#section-1.2">Section 1.2</a>> |
---|
537 | </pre></div> |
---|
538 | <div> |
---|
539 | <h1 id="rfc.section.3"><a href="#rfc.section.3">3.</a> Status Code Definitions |
---|
540 | </h1> |
---|
541 | <div id="status.401"> |
---|
542 | <div id="rfc.iref.4.1"></div> |
---|
543 | <div id="rfc.iref.s.1"></div> |
---|
544 | <h2 id="rfc.section.3.1"><a href="#rfc.section.3.1">3.1</a> <a href="#status.401">401 Unauthorized</a></h2> |
---|
545 | <p id="rfc.section.3.1.p.1">The request requires user authentication. The response <em class="bcp14">MUST</em> include a WWW-Authenticate header field (<a href="#header.www-authenticate" id="rfc.xref.header.www-authenticate.1" title="WWW-Authenticate">Section 4.4</a>) containing a challenge applicable to the requested resource. The client <em class="bcp14">MAY</em> repeat the request with a suitable Authorization header field (<a href="#header.authorization" id="rfc.xref.header.authorization.1" title="Authorization">Section 4.1</a>). If the request already included Authorization credentials, then the 401 response indicates that authorization has been |
---|
546 | refused for those credentials. If the 401 response contains the same challenge as the prior response, and the user agent has |
---|
547 | already attempted authentication at least once, then the user <em class="bcp14">SHOULD</em> be presented the entity that was given in the response, since that entity might include relevant diagnostic information. HTTP |
---|
548 | access authentication is explained in "HTTP Authentication: Basic and Digest Access Authentication" <a href="#RFC2617" id="rfc.xref.RFC2617.5"><cite title="HTTP Authentication: Basic and Digest Access Authentication">[RFC2617]</cite></a>. |
---|
549 | </p> |
---|
550 | </div> |
---|
551 | <div id="status.407"> |
---|
552 | <div id="rfc.iref.4.2"></div> |
---|
553 | <div id="rfc.iref.s.2"></div> |
---|
554 | <h2 id="rfc.section.3.2"><a href="#rfc.section.3.2">3.2</a> <a href="#status.407">407 Proxy Authentication Required</a></h2> |
---|
555 | <p id="rfc.section.3.2.p.1">This code is similar to 401 (Unauthorized), but indicates that the client must first authenticate itself with the proxy. The |
---|
556 | proxy <em class="bcp14">MUST</em> return a Proxy-Authenticate header field (<a href="#header.proxy-authenticate" id="rfc.xref.header.proxy-authenticate.1" title="Proxy-Authenticate">Section 4.2</a>) containing a challenge applicable to the proxy for the requested resource. The client <em class="bcp14">MAY</em> repeat the request with a suitable Proxy-Authorization header field (<a href="#header.proxy-authorization" id="rfc.xref.header.proxy-authorization.1" title="Proxy-Authorization">Section 4.3</a>). HTTP access authentication is explained in "HTTP Authentication: Basic and Digest Access Authentication" <a href="#RFC2617" id="rfc.xref.RFC2617.6"><cite title="HTTP Authentication: Basic and Digest Access Authentication">[RFC2617]</cite></a>. |
---|
557 | </p> |
---|
558 | </div> |
---|
559 | </div> |
---|
560 | <div id="header.fields"> |
---|
561 | <h1 id="rfc.section.4"><a href="#rfc.section.4">4.</a> <a href="#header.fields">Header Field Definitions</a></h1> |
---|
562 | <p id="rfc.section.4.p.1">This section defines the syntax and semantics of HTTP/1.1 header fields related to authentication.</p> |
---|
563 | <div id="header.authorization"> |
---|
564 | <div id="rfc.iref.a.1"></div> |
---|
565 | <div id="rfc.iref.h.1"></div> |
---|
566 | <h2 id="rfc.section.4.1"><a href="#rfc.section.4.1">4.1</a> <a href="#header.authorization">Authorization</a></h2> |
---|
567 | <p id="rfc.section.4.1.p.1">A user agent that wishes to authenticate itself with a server-- usually, but not necessarily, after receiving a 401 response--does |
---|
568 | so by including an Authorization request-header field with the request. The Authorization field value consists of credentials |
---|
569 | containing the authentication information of the user agent for the realm of the resource being requested. |
---|
570 | </p> |
---|
571 | <div id="rfc.figure.u.2"></div><pre class="inline"><span id="rfc.iref.g.3"></span> Authorization = "Authorization" ":" credentials |
---|
572 | </pre><p id="rfc.section.4.1.p.3">HTTP access authentication is described in "HTTP Authentication: Basic and Digest Access Authentication" <a href="#RFC2617" id="rfc.xref.RFC2617.7"><cite title="HTTP Authentication: Basic and Digest Access Authentication">[RFC2617]</cite></a>. If a request is authenticated and a realm specified, the same credentials <em class="bcp14">SHOULD</em> be valid for all other requests within this realm (assuming that the authentication scheme itself does not require otherwise, |
---|
573 | such as credentials that vary according to a challenge value or using synchronized clocks). |
---|
574 | </p> |
---|
575 | <p id="rfc.section.4.1.p.4">When a shared cache (see <a href="p6-cache.html#shared.and.non-shared.caches" title="Shared and Non-Shared Caches">Section 9</a> of <a href="#Part6" id="rfc.xref.Part6.1"><cite title="HTTP/1.1, part 6: Caching">[Part6]</cite></a>) receives a request containing an Authorization field, it <em class="bcp14">MUST NOT</em> return the corresponding response as a reply to any other request, unless one of the following specific exceptions holds: |
---|
576 | </p> |
---|
577 | <p id="rfc.section.4.1.p.5"></p> |
---|
578 | <ol> |
---|
579 | <li>If the response includes the "s-maxage" cache-control directive, the cache <em class="bcp14">MAY</em> use that response in replying to a subsequent request. But (if the specified maximum age has passed) a proxy cache <em class="bcp14">MUST</em> first revalidate it with the origin server, using the request-headers from the new request to allow the origin server to authenticate |
---|
580 | the new request. (This is the defined behavior for s-maxage.) If the response includes "s-maxage=0", the proxy <em class="bcp14">MUST</em> always revalidate it before re-using it. |
---|
581 | </li> |
---|
582 | <li>If the response includes the "must-revalidate" cache-control directive, the cache <em class="bcp14">MAY</em> use that response in replying to a subsequent request. But if the response is stale, all caches <em class="bcp14">MUST</em> first revalidate it with the origin server, using the request-headers from the new request to allow the origin server to authenticate |
---|
583 | the new request. |
---|
584 | </li> |
---|
585 | <li>If the response includes the "public" cache-control directive, it <em class="bcp14">MAY</em> be returned in reply to any subsequent request. |
---|
586 | </li> |
---|
587 | </ol> |
---|
588 | </div> |
---|
589 | <div id="header.proxy-authenticate"> |
---|
590 | <div id="rfc.iref.p.1"></div> |
---|
591 | <div id="rfc.iref.h.2"></div> |
---|
592 | <h2 id="rfc.section.4.2"><a href="#rfc.section.4.2">4.2</a> <a href="#header.proxy-authenticate">Proxy-Authenticate</a></h2> |
---|
593 | <p id="rfc.section.4.2.p.1">The Proxy-Authenticate response-header field <em class="bcp14">MUST</em> be included as part of a 407 (Proxy Authentication Required) response. The field value consists of a challenge that indicates |
---|
594 | the authentication scheme and parameters applicable to the proxy for this Request-URI. |
---|
595 | </p> |
---|
596 | <div id="rfc.figure.u.3"></div><pre class="inline"><span id="rfc.iref.g.4"></span> Proxy-Authenticate = "Proxy-Authenticate" ":" 1#challenge |
---|
597 | </pre><p id="rfc.section.4.2.p.3">The HTTP access authentication process is described in "HTTP Authentication: Basic and Digest Access Authentication" <a href="#RFC2617" id="rfc.xref.RFC2617.8"><cite title="HTTP Authentication: Basic and Digest Access Authentication">[RFC2617]</cite></a>. Unlike WWW-Authenticate, the Proxy-Authenticate header field applies only to the current connection and <em class="bcp14">SHOULD NOT</em> be passed on to downstream clients. However, an intermediate proxy might need to obtain its own credentials by requesting |
---|
598 | them from the downstream client, which in some circumstances will appear as if the proxy is forwarding the Proxy-Authenticate |
---|
599 | header field. |
---|
600 | </p> |
---|
601 | </div> |
---|
602 | <div id="header.proxy-authorization"> |
---|
603 | <div id="rfc.iref.p.2"></div> |
---|
604 | <div id="rfc.iref.h.3"></div> |
---|
605 | <h2 id="rfc.section.4.3"><a href="#rfc.section.4.3">4.3</a> <a href="#header.proxy-authorization">Proxy-Authorization</a></h2> |
---|
606 | <p id="rfc.section.4.3.p.1">The Proxy-Authorization request-header field allows the client to identify itself (or its user) to a proxy which requires |
---|
607 | authentication. The Proxy-Authorization field value consists of credentials containing the authentication information of the |
---|
608 | user agent for the proxy and/or realm of the resource being requested. |
---|
609 | </p> |
---|
610 | <div id="rfc.figure.u.4"></div><pre class="inline"><span id="rfc.iref.g.5"></span> Proxy-Authorization = "Proxy-Authorization" ":" credentials |
---|
611 | </pre><p id="rfc.section.4.3.p.3">The HTTP access authentication process is described in "HTTP Authentication: Basic and Digest Access Authentication" <a href="#RFC2617" id="rfc.xref.RFC2617.9"><cite title="HTTP Authentication: Basic and Digest Access Authentication">[RFC2617]</cite></a>. Unlike Authorization, the Proxy-Authorization header field applies only to the next outbound proxy that demanded authentication |
---|
612 | using the Proxy-Authenticate field. When multiple proxies are used in a chain, the Proxy-Authorization header field is consumed |
---|
613 | by the first outbound proxy that was expecting to receive credentials. A proxy <em class="bcp14">MAY</em> relay the credentials from the client request to the next proxy if that is the mechanism by which the proxies cooperatively |
---|
614 | authenticate a given request. |
---|
615 | </p> |
---|
616 | </div> |
---|
617 | <div id="header.www-authenticate"> |
---|
618 | <div id="rfc.iref.w.1"></div> |
---|
619 | <div id="rfc.iref.h.4"></div> |
---|
620 | <h2 id="rfc.section.4.4"><a href="#rfc.section.4.4">4.4</a> <a href="#header.www-authenticate">WWW-Authenticate</a></h2> |
---|
621 | <p id="rfc.section.4.4.p.1">The WWW-Authenticate response-header field <em class="bcp14">MUST</em> be included in 401 (Unauthorized) response messages. The field value consists of at least one challenge that indicates the |
---|
622 | authentication scheme(s) and parameters applicable to the Request-URI. |
---|
623 | </p> |
---|
624 | <div id="rfc.figure.u.5"></div><pre class="inline"><span id="rfc.iref.g.6"></span> WWW-Authenticate = "WWW-Authenticate" ":" 1#challenge |
---|
625 | </pre><p id="rfc.section.4.4.p.3">The HTTP access authentication process is described in "HTTP Authentication: Basic and Digest Access Authentication" <a href="#RFC2617" id="rfc.xref.RFC2617.10"><cite title="HTTP Authentication: Basic and Digest Access Authentication">[RFC2617]</cite></a>. User agents are advised to take special care in parsing the WWW-Authenticate field value as it might contain more than one |
---|
626 | challenge, or if more than one WWW-Authenticate header field is provided, the contents of a challenge itself can contain a |
---|
627 | comma-separated list of authentication parameters. |
---|
628 | </p> |
---|
629 | </div> |
---|
630 | </div> |
---|
631 | <div id="IANA.considerations"> |
---|
632 | <h1 id="rfc.section.5"><a href="#rfc.section.5">5.</a> <a href="#IANA.considerations">IANA Considerations</a></h1> |
---|
633 | <p id="rfc.section.5.p.1"><span class="comment" id="rfc.comment.1">[<a href="#rfc.comment.1" class="smpl">rfc.comment.1</a>: TBD.]</span> |
---|
634 | </p> |
---|
635 | </div> |
---|
636 | <div id="security.considerations"> |
---|
637 | <h1 id="rfc.section.6"><a href="#rfc.section.6">6.</a> <a href="#security.considerations">Security Considerations</a></h1> |
---|
638 | <p id="rfc.section.6.p.1">This section is meant to inform application developers, information providers, and users of the security limitations in HTTP/1.1 |
---|
639 | as described by this document. The discussion does not include definitive solutions to the problems revealed, though it does |
---|
640 | make some suggestions for reducing security risks. |
---|
641 | </p> |
---|
642 | <div id="auth.credentials.and.idle.clients"> |
---|
643 | <h2 id="rfc.section.6.1"><a href="#rfc.section.6.1">6.1</a> <a href="#auth.credentials.and.idle.clients">Authentication Credentials and Idle Clients</a></h2> |
---|
644 | <p id="rfc.section.6.1.p.1">Existing HTTP clients and user agents typically retain authentication information indefinitely. HTTP/1.1 does not provide |
---|
645 | a method for a server to direct clients to discard these cached credentials. This is a significant defect that requires further |
---|
646 | extensions to HTTP. Circumstances under which credential caching can interfere with the application's security model include |
---|
647 | but are not limited to: |
---|
648 | </p> |
---|
649 | <ul> |
---|
650 | <li>Clients which have been idle for an extended period following which the server might wish to cause the client to reprompt |
---|
651 | the user for credentials. |
---|
652 | </li> |
---|
653 | <li>Applications which include a session termination indication (such as a `logout' or `commit' button on a page) after which |
---|
654 | the server side of the application `knows' that there is no further reason for the client to retain the credentials. |
---|
655 | </li> |
---|
656 | </ul> |
---|
657 | <p id="rfc.section.6.1.p.2">This is currently under separate study. There are a number of work-arounds to parts of this problem, and we encourage the |
---|
658 | use of password protection in screen savers, idle time-outs, and other methods which mitigate the security problems inherent |
---|
659 | in this problem. In particular, user agents which cache credentials are encouraged to provide a readily accessible mechanism |
---|
660 | for discarding cached credentials under user control. |
---|
661 | </p> |
---|
662 | </div> |
---|
663 | </div> |
---|
664 | <div id="ack"> |
---|
665 | <h1 id="rfc.section.7"><a href="#rfc.section.7">7.</a> <a href="#ack">Acknowledgments</a></h1> |
---|
666 | <p id="rfc.section.7.p.1">TBD.</p> |
---|
667 | </div> |
---|
668 | <h1 id="rfc.references"><a id="rfc.section.8" href="#rfc.section.8">8.</a> References |
---|
669 | </h1> |
---|
670 | <h2 id="rfc.references.1"><a href="#rfc.section.8.1" id="rfc.section.8.1">8.1</a> Normative References |
---|
671 | </h2> |
---|
672 | <table> |
---|
673 | <tr> |
---|
674 | <td class="reference"><b id="Part1">[Part1]</b></td> |
---|
675 | <td class="top"><a href="mailto:fielding@gbiv.com" title="Day Software">Fielding, R., Ed.</a>, <a href="mailto:jg@laptop.org" title="One Laptop per Child">Gettys, J.</a>, <a href="mailto:JeffMogul@acm.org" title="Hewlett-Packard Company">Mogul, J.</a>, <a href="mailto:henrikn@microsoft.com" title="Microsoft Corporation">Frystyk, H.</a>, <a href="mailto:LMM@acm.org" title="Adobe Systems, Incorporated">Masinter, L.</a>, <a href="mailto:paulle@microsoft.com" title="Microsoft Corporation">Leach, P.</a>, <a href="mailto:timbl@w3.org" title="World Wide Web Consortium">Berners-Lee, T.</a>, <a href="mailto:ylafon@w3.org" title="World Wide Web Consortium">Lafon, Y., Ed.</a>, and <a href="mailto:julian.reschke@greenbytes.de" title="greenbytes GmbH">J. Reschke, Ed.</a>, “<a href="https://tools.ietf.org/html/draft-ietf-httpbis-p1-messaging-02">HTTP/1.1, part 1: URIs, Connections, and Message Parsing</a>”, Internet-Draft draft-ietf-httpbis-p1-messaging-02 (work in progress), February 2008. |
---|
676 | </td> |
---|
677 | </tr> |
---|
678 | <tr> |
---|
679 | <td class="reference"><b id="Part6">[Part6]</b></td> |
---|
680 | <td class="top"><a href="mailto:fielding@gbiv.com" title="Day Software">Fielding, R., Ed.</a>, <a href="mailto:jg@laptop.org" title="One Laptop per Child">Gettys, J.</a>, <a href="mailto:JeffMogul@acm.org" title="Hewlett-Packard Company">Mogul, J.</a>, <a href="mailto:henrikn@microsoft.com" title="Microsoft Corporation">Frystyk, H.</a>, <a href="mailto:LMM@acm.org" title="Adobe Systems, Incorporated">Masinter, L.</a>, <a href="mailto:paulle@microsoft.com" title="Microsoft Corporation">Leach, P.</a>, <a href="mailto:timbl@w3.org" title="World Wide Web Consortium">Berners-Lee, T.</a>, <a href="mailto:ylafon@w3.org" title="World Wide Web Consortium">Lafon, Y., Ed.</a>, and <a href="mailto:julian.reschke@greenbytes.de" title="greenbytes GmbH">J. Reschke, Ed.</a>, “<a href="https://tools.ietf.org/html/draft-ietf-httpbis-p6-cache-02">HTTP/1.1, part 6: Caching</a>”, Internet-Draft draft-ietf-httpbis-p6-cache-02 (work in progress), February 2008. |
---|
681 | </td> |
---|
682 | </tr> |
---|
683 | <tr> |
---|
684 | <td class="reference"><b id="RFC2119">[RFC2119]</b></td> |
---|
685 | <td class="top"><a href="mailto:sob@harvard.edu" title="Harvard University">Bradner, S.</a>, “<a href="https://tools.ietf.org/html/rfc2119">Key words for use in RFCs to Indicate Requirement Levels</a>”, BCP 14, RFC 2119, March 1997. |
---|
686 | </td> |
---|
687 | </tr> |
---|
688 | <tr> |
---|
689 | <td class="reference"><b id="RFC2617">[RFC2617]</b></td> |
---|
690 | <td class="top"><a href="mailto:john@math.nwu.edu" title="Northwestern University, Department of Mathematics">Franks, J.</a>, <a href="mailto:pbaker@verisign.com" title="Verisign Inc.">Hallam-Baker, P.</a>, <a href="mailto:jeff@AbiSource.com" title="AbiSource, Inc.">Hostetler, J.</a>, <a href="mailto:lawrence@agranat.com" title="Agranat Systems, Inc.">Lawrence, S.</a>, <a href="mailto:paulle@microsoft.com" title="Microsoft Corporation">Leach, P.</a>, Luotonen, A., and <a href="mailto:stewart@OpenMarket.com" title="Open Market, Inc.">L. Stewart</a>, “<a href="https://tools.ietf.org/html/rfc2617">HTTP Authentication: Basic and Digest Access Authentication</a>”, RFC 2617, June 1999. |
---|
691 | </td> |
---|
692 | </tr> |
---|
693 | </table> |
---|
694 | <h2 id="rfc.references.2"><a href="#rfc.section.8.2" id="rfc.section.8.2">8.2</a> Informative References |
---|
695 | </h2> |
---|
696 | <table> |
---|
697 | <tr> |
---|
698 | <td class="reference"><b id="RFC2616">[RFC2616]</b></td> |
---|
699 | <td class="top"><a href="mailto:fielding@ics.uci.edu" title="University of California, Irvine">Fielding, R.</a>, <a href="mailto:jg@w3.org" title="W3C">Gettys, J.</a>, <a href="mailto:mogul@wrl.dec.com" title="Compaq Computer Corporation">Mogul, J.</a>, <a href="mailto:frystyk@w3.org" title="MIT Laboratory for Computer Science">Frystyk, H.</a>, <a href="mailto:masinter@parc.xerox.com" title="Xerox Corporation">Masinter, L.</a>, <a href="mailto:paulle@microsoft.com" title="Microsoft Corporation">Leach, P.</a>, and <a href="mailto:timbl@w3.org" title="W3C">T. Berners-Lee</a>, “<a href="https://tools.ietf.org/html/rfc2616">Hypertext Transfer Protocol -- HTTP/1.1</a>”, RFC 2616, June 1999. |
---|
700 | </td> |
---|
701 | </tr> |
---|
702 | </table> |
---|
703 | <div id="compatibility"> |
---|
704 | <h1 id="rfc.section.A" class="np"><a href="#rfc.section.A">A.</a> <a href="#compatibility">Compatibility with Previous Versions</a></h1> |
---|
705 | <div id="changes.from.rfc.2616"> |
---|
706 | <h2 id="rfc.section.A.1"><a href="#rfc.section.A.1">A.1</a> <a href="#changes.from.rfc.2616">Changes from RFC 2616</a></h2> |
---|
707 | </div> |
---|
708 | </div> |
---|
709 | <div> |
---|
710 | <h1 id="rfc.section.B"><a href="#rfc.section.B">B.</a> Change Log (to be removed by RFC Editor before publication) |
---|
711 | </h1> |
---|
712 | <div> |
---|
713 | <h2 id="rfc.section.B.1"><a href="#rfc.section.B.1">B.1</a> Since RFC2616 |
---|
714 | </h2> |
---|
715 | <p id="rfc.section.B.1.p.1">Extracted relevant partitions from <a href="#RFC2616" id="rfc.xref.RFC2616.2"><cite title="Hypertext Transfer Protocol -- HTTP/1.1">[RFC2616]</cite></a>. |
---|
716 | </p> |
---|
717 | </div> |
---|
718 | <div> |
---|
719 | <h2 id="rfc.section.B.2"><a href="#rfc.section.B.2">B.2</a> Since draft-ietf-httpbis-p7-auth-00 |
---|
720 | </h2> |
---|
721 | <p id="rfc.section.B.2.p.1">Closed issues: </p> |
---|
722 | <ul> |
---|
723 | <li><<a href="http://www3.tools.ietf.org/wg/httpbis/trac/ticket/35">http://www3.tools.ietf.org/wg/httpbis/trac/ticket/35</a>>: "Normative and Informative references" |
---|
724 | </li> |
---|
725 | </ul> |
---|
726 | </div> |
---|
727 | <div> |
---|
728 | <h2 id="rfc.section.B.3"><a href="#rfc.section.B.3">B.3</a> Since draft-ietf-httpbis-p7-auth-01 |
---|
729 | </h2> |
---|
730 | <p id="rfc.section.B.3.p.1">Ongoing work on ABNF conversion (<<a href="http://www3.tools.ietf.org/wg/httpbis/trac/ticket/36">http://www3.tools.ietf.org/wg/httpbis/trac/ticket/36</a>>): |
---|
731 | </p> |
---|
732 | <ul> |
---|
733 | <li>Explicitly import BNF rules for "challenge" and "credentials" from RFC2617.</li> |
---|
734 | <li>Add explicit references to BNF syntax and rules imported from other parts of the specification.</li> |
---|
735 | </ul> |
---|
736 | </div> |
---|
737 | </div> |
---|
738 | <h1 id="rfc.index"><a href="#rfc.index">Index</a></h1> |
---|
739 | <p class="noprint"><a href="#rfc.index.4">4</a> <a href="#rfc.index.A">A</a> <a href="#rfc.index.G">G</a> <a href="#rfc.index.H">H</a> <a href="#rfc.index.P">P</a> <a href="#rfc.index.R">R</a> <a href="#rfc.index.S">S</a> <a href="#rfc.index.W">W</a> |
---|
740 | </p> |
---|
741 | <div class="print2col"> |
---|
742 | <ul class="ind"> |
---|
743 | <li><a id="rfc.index.4" href="#rfc.index.4"><b>4</b></a><ul> |
---|
744 | <li>401 Unauthorized (status code) <a href="#rfc.iref.4.1"><b>3.1</b></a></li> |
---|
745 | <li>407 Proxy Authentication Required (status code) <a href="#rfc.iref.4.2"><b>3.2</b></a></li> |
---|
746 | </ul> |
---|
747 | </li> |
---|
748 | <li><a id="rfc.index.A" href="#rfc.index.A"><b>A</b></a><ul> |
---|
749 | <li>Authorization header <a href="#rfc.xref.header.authorization.1">3.1</a>, <a href="#rfc.iref.a.1"><b>4.1</b></a></li> |
---|
750 | </ul> |
---|
751 | </li> |
---|
752 | <li><a id="rfc.index.G" href="#rfc.index.G"><b>G</b></a><ul> |
---|
753 | <li><tt>Grammar</tt> |
---|
754 | <ul> |
---|
755 | <li><tt>Authorization</tt> <a href="#rfc.iref.g.3"><b>4.1</b></a></li> |
---|
756 | <li><tt>challenge</tt> <a href="#rfc.iref.g.1"><b>2</b></a></li> |
---|
757 | <li><tt>credentials</tt> <a href="#rfc.iref.g.2"><b>2</b></a></li> |
---|
758 | <li><tt>Proxy-Authenticate</tt> <a href="#rfc.iref.g.4"><b>4.2</b></a></li> |
---|
759 | <li><tt>Proxy-Authorization</tt> <a href="#rfc.iref.g.5"><b>4.3</b></a></li> |
---|
760 | <li><tt>WWW-Authenticate</tt> <a href="#rfc.iref.g.6"><b>4.4</b></a></li> |
---|
761 | </ul> |
---|
762 | </li> |
---|
763 | </ul> |
---|
764 | </li> |
---|
765 | <li><a id="rfc.index.H" href="#rfc.index.H"><b>H</b></a><ul> |
---|
766 | <li>Headers |
---|
767 | <ul> |
---|
768 | <li>Authorization <a href="#rfc.xref.header.authorization.1">3.1</a>, <a href="#rfc.iref.h.1"><b>4.1</b></a></li> |
---|
769 | <li>Proxy-Authenticate <a href="#rfc.xref.header.proxy-authenticate.1">3.2</a>, <a href="#rfc.iref.h.2"><b>4.2</b></a></li> |
---|
770 | <li>Proxy-Authorization <a href="#rfc.xref.header.proxy-authorization.1">3.2</a>, <a href="#rfc.iref.h.3"><b>4.3</b></a></li> |
---|
771 | <li>WWW-Authenticate <a href="#rfc.xref.header.www-authenticate.1">3.1</a>, <a href="#rfc.iref.h.4"><b>4.4</b></a></li> |
---|
772 | </ul> |
---|
773 | </li> |
---|
774 | </ul> |
---|
775 | </li> |
---|
776 | <li><a id="rfc.index.P" href="#rfc.index.P"><b>P</b></a><ul> |
---|
777 | <li><em>Part1</em> <a href="#rfc.xref.Part1.1">2</a>, <a href="#Part1"><b>8.1</b></a><ul> |
---|
778 | <li><em>Section 2.1</em> <a href="#rfc.xref.Part1.1">2</a></li> |
---|
779 | </ul> |
---|
780 | </li> |
---|
781 | <li><em>Part6</em> <a href="#rfc.xref.Part6.1">4.1</a>, <a href="#Part6"><b>8.1</b></a><ul> |
---|
782 | <li><em>Section 9</em> <a href="#rfc.xref.Part6.1">4.1</a></li> |
---|
783 | </ul> |
---|
784 | </li> |
---|
785 | <li>Proxy-Authenticate header <a href="#rfc.xref.header.proxy-authenticate.1">3.2</a>, <a href="#rfc.iref.p.1"><b>4.2</b></a></li> |
---|
786 | <li>Proxy-Authorization header <a href="#rfc.xref.header.proxy-authorization.1">3.2</a>, <a href="#rfc.iref.p.2"><b>4.3</b></a></li> |
---|
787 | </ul> |
---|
788 | </li> |
---|
789 | <li><a id="rfc.index.R" href="#rfc.index.R"><b>R</b></a><ul> |
---|
790 | <li><em>RFC2119</em> <a href="#rfc.xref.RFC2119.1">1.1</a>, <a href="#RFC2119"><b>8.1</b></a></li> |
---|
791 | <li><em>RFC2616</em> <a href="#rfc.xref.RFC2616.1">1</a>, <a href="#RFC2616"><b>8.2</b></a>, <a href="#rfc.xref.RFC2616.2">B.1</a></li> |
---|
792 | <li><em>RFC2617</em> <a href="#rfc.xref.RFC2617.1">1</a>, <a href="#rfc.xref.RFC2617.2">1</a>, <a href="#rfc.xref.RFC2617.3">2</a>, <a href="#rfc.xref.RFC2617.4">2</a>, <a href="#rfc.xref.RFC2617.5">3.1</a>, <a href="#rfc.xref.RFC2617.6">3.2</a>, <a href="#rfc.xref.RFC2617.7">4.1</a>, <a href="#rfc.xref.RFC2617.8">4.2</a>, <a href="#rfc.xref.RFC2617.9">4.3</a>, <a href="#rfc.xref.RFC2617.10">4.4</a>, <a href="#RFC2617"><b>8.1</b></a><ul> |
---|
793 | <li><em>Section 1.2</em> <a href="#rfc.xref.RFC2617.3">2</a>, <a href="#rfc.xref.RFC2617.4">2</a></li> |
---|
794 | </ul> |
---|
795 | </li> |
---|
796 | </ul> |
---|
797 | </li> |
---|
798 | <li><a id="rfc.index.S" href="#rfc.index.S"><b>S</b></a><ul> |
---|
799 | <li>Status Codes |
---|
800 | <ul> |
---|
801 | <li>401 Unauthorized <a href="#rfc.iref.s.1"><b>3.1</b></a></li> |
---|
802 | <li>407 Proxy Authentication Required <a href="#rfc.iref.s.2"><b>3.2</b></a></li> |
---|
803 | </ul> |
---|
804 | </li> |
---|
805 | </ul> |
---|
806 | </li> |
---|
807 | <li><a id="rfc.index.W" href="#rfc.index.W"><b>W</b></a><ul> |
---|
808 | <li>WWW-Authenticate header <a href="#rfc.xref.header.www-authenticate.1">3.1</a>, <a href="#rfc.iref.w.1"><b>4.4</b></a></li> |
---|
809 | </ul> |
---|
810 | </li> |
---|
811 | </ul> |
---|
812 | </div> |
---|
813 | <div class="avoidbreak"> |
---|
814 | <h1 id="rfc.authors"><a href="#rfc.authors">Authors' Addresses</a></h1> |
---|
815 | <p><b>Roy T. Fielding</b> |
---|
816 | (editor) |
---|
817 | <br>Day Software<br>23 Corporate Plaza DR, Suite 280<br>Newport Beach, CA 92660<br>USA<br>Phone: <a href="tel:+1-949-706-5300">+1-949-706-5300</a><br>Fax: <a href="fax:+1-949-706-5305">+1-949-706-5305</a><br>EMail: <a href="mailto:fielding@gbiv.com">fielding@gbiv.com</a><br>URI: <a href="http://roy.gbiv.com/">http://roy.gbiv.com/</a></p> |
---|
818 | <p><b>Jim Gettys</b><br>One Laptop per Child<br>21 Oak Knoll Road<br>Carlisle, MA 01741<br>USA<br>EMail: <a href="mailto:jg@laptop.org">jg@laptop.org</a><br>URI: <a href="http://www.laptop.org/">http://www.laptop.org/</a></p> |
---|
819 | <p><b>Jeffrey C. Mogul</b><br>Hewlett-Packard Company<br>HP Labs, Large Scale Systems Group<br>1501 Page Mill Road, MS 1177<br>Palo Alto, CA 94304<br>USA<br>EMail: <a href="mailto:JeffMogul@acm.org">JeffMogul@acm.org</a></p> |
---|
820 | <p><b>Henrik Frystyk Nielsen</b><br>Microsoft Corporation<br>1 Microsoft Way<br>Redmond, WA 98052<br>USA<br>EMail: <a href="mailto:henrikn@microsoft.com">henrikn@microsoft.com</a></p> |
---|
821 | <p><b>Larry Masinter</b><br>Adobe Systems, Incorporated<br>345 Park Ave<br>San Jose, CA 95110<br>USA<br>EMail: <a href="mailto:LMM@acm.org">LMM@acm.org</a><br>URI: <a href="http://larry.masinter.net/">http://larry.masinter.net/</a></p> |
---|
822 | <p><b>Paul J. Leach</b><br>Microsoft Corporation<br>1 Microsoft Way<br>Redmond, WA 98052<br>EMail: <a href="mailto:paulle@microsoft.com">paulle@microsoft.com</a></p> |
---|
823 | <p><b>Tim Berners-Lee</b><br>World Wide Web Consortium<br>MIT Computer Science and Artificial Intelligence Laboratory<br>The Stata Center, Building 32<br>32 Vassar Street<br>Cambridge, MA 02139<br>USA<br>EMail: <a href="mailto:timbl@w3.org">timbl@w3.org</a><br>URI: <a href="http://www.w3.org/People/Berners-Lee/">http://www.w3.org/People/Berners-Lee/</a></p> |
---|
824 | <p><b>Yves Lafon</b> |
---|
825 | (editor) |
---|
826 | <br>World Wide Web Consortium<br>W3C / ERCIM<br>2004, rte des Lucioles<br>Sophia-Antipolis, AM 06902<br>France<br>EMail: <a href="mailto:ylafon@w3.org">ylafon@w3.org</a><br>URI: <a href="http://www.raubacapeu.net/people/yves/">http://www.raubacapeu.net/people/yves/</a></p> |
---|
827 | <p><b>Julian F. Reschke</b> |
---|
828 | (editor) |
---|
829 | <br>greenbytes GmbH<br>Hafenweg 16<br>Muenster, NW 48155<br>Germany<br>Phone: <a href="tel:+492512807760">+49 251 2807760</a><br>Fax: <a href="fax:+492512807761">+49 251 2807761</a><br>EMail: <a href="mailto:julian.reschke@greenbytes.de">julian.reschke@greenbytes.de</a><br>URI: <a href="http://greenbytes.de/tech/webdav/">http://greenbytes.de/tech/webdav/</a></p> |
---|
830 | </div> |
---|
831 | <div id="rfc.copyright"> |
---|
832 | <h1><a href="#rfc.copyright">Full Copyright Statement</a></h1> |
---|
833 | <p>Copyright © The IETF Trust (2008).</p> |
---|
834 | <p>This document is subject to the rights, licenses and restrictions contained in BCP 78, and except as set forth therein, the |
---|
835 | authors retain all their rights. |
---|
836 | </p> |
---|
837 | <p>This document and the information contained herein are provided on an “AS IS” basis and THE CONTRIBUTOR, THE ORGANIZATION |
---|
838 | HE/SHE REPRESENTS OR IS SPONSORED BY (IF ANY), THE INTERNET SOCIETY, THE IETF TRUST AND THE INTERNET ENGINEERING TASK FORCE |
---|
839 | DISCLAIM ALL WARRANTIES, EXPRESS OR IMPLIED, INCLUDING BUT NOT LIMITED TO ANY WARRANTY THAT THE USE OF THE INFORMATION HEREIN |
---|
840 | WILL NOT INFRINGE ANY RIGHTS OR ANY IMPLIED WARRANTIES OF MERCHANTABILITY OR FITNESS FOR A PARTICULAR PURPOSE. |
---|
841 | </p> |
---|
842 | </div> |
---|
843 | <div id="rfc.ipr"> |
---|
844 | <h1><a href="#rfc.ipr">Intellectual Property</a></h1> |
---|
845 | <p>The IETF takes no position regarding the validity or scope of any Intellectual Property Rights or other rights that might |
---|
846 | be claimed to pertain to the implementation or use of the technology described in this document or the extent to which any |
---|
847 | license under such rights might or might not be available; nor does it represent that it has made any independent effort to |
---|
848 | identify any such rights. Information on the procedures with respect to rights in RFC documents can be found in BCP 78 and |
---|
849 | BCP 79. |
---|
850 | </p> |
---|
851 | <p>Copies of IPR disclosures made to the IETF Secretariat and any assurances of licenses to be made available, or the result |
---|
852 | of an attempt made to obtain a general license or permission for the use of such proprietary rights by implementers or users |
---|
853 | of this specification can be obtained from the IETF on-line IPR repository at <a href="http://www.ietf.org/ipr">http://www.ietf.org/ipr</a>. |
---|
854 | </p> |
---|
855 | <p>The IETF invites any interested party to bring to its attention any copyrights, patents or patent applications, or other proprietary |
---|
856 | rights that may cover technology that may be required to implement this standard. Please address the information to the IETF |
---|
857 | at <a href="mailto:ietf-ipr@ietf.org">ietf-ipr@ietf.org</a>. |
---|
858 | </p> |
---|
859 | </div> |
---|
860 | </body> |
---|
861 | </html> |
---|