1 | <!DOCTYPE html |
---|
2 | PUBLIC "-//W3C//DTD HTML 4.01//EN"> |
---|
3 | <html lang="en"> |
---|
4 | <head profile="http://dublincore.org/documents/2008/08/04/dc-html/"> |
---|
5 | <meta http-equiv="Content-Type" content="text/html; charset=UTF-8"> |
---|
6 | <title>Hypertext Transfer Protocol (HTTP/1.1): Authentication</title><script type="application/javascript"> |
---|
7 | var buttonsAdded = false; |
---|
8 | |
---|
9 | function initFeedback() { |
---|
10 | var fb = document.createElement("div"); |
---|
11 | fb.className = "feedback noprint"; |
---|
12 | fb.setAttribute("onclick", "feedback();"); |
---|
13 | fb.appendChild(document.createTextNode("feedback")); |
---|
14 | |
---|
15 | document.body.appendChild(fb); |
---|
16 | } |
---|
17 | |
---|
18 | function feedback() { |
---|
19 | toggleButtonsToElementsByName("h2"); |
---|
20 | toggleButtonsToElementsByName("h3"); |
---|
21 | toggleButtonsToElementsByName("h4"); |
---|
22 | toggleButtonsToElementsByName("h5"); |
---|
23 | |
---|
24 | buttonsAdded = !buttonsAdded; |
---|
25 | } |
---|
26 | |
---|
27 | function toggleButtonsToElementsByName(name) { |
---|
28 | var list = document.getElementsByTagName(name); |
---|
29 | for (var i = 0; i < list.length; i++) { |
---|
30 | toggleButton(list.item(i)); |
---|
31 | } |
---|
32 | } |
---|
33 | |
---|
34 | function toggleButton(node) { |
---|
35 | if (! buttonsAdded) { |
---|
36 | |
---|
37 | // docname |
---|
38 | var template = "mailto:ietf-http-wg@w3.org?subject={docname},%20%22{section}%22&body=<{ref}>:"; |
---|
39 | |
---|
40 | var id = node.getAttribute("id"); |
---|
41 | // better id available? |
---|
42 | var titlelinks = node.getElementsByTagName("a"); |
---|
43 | for (var i = 0; i < titlelinks.length; i++) { |
---|
44 | var tl = titlelinks.item(i); |
---|
45 | if (tl.getAttribute("id")) { |
---|
46 | id = tl.getAttribute("id"); |
---|
47 | } |
---|
48 | } |
---|
49 | |
---|
50 | // ref |
---|
51 | var ref = window.location.toString(); |
---|
52 | var hash = ref.indexOf("#"); |
---|
53 | if (hash != -1) { |
---|
54 | ref = ref.substring(0, hash); |
---|
55 | } |
---|
56 | if (id != "") { |
---|
57 | ref += "#" + id; |
---|
58 | } |
---|
59 | |
---|
60 | // docname |
---|
61 | var docname = "draft-ietf-httpbis-p7-auth-latest"; |
---|
62 | |
---|
63 | // section |
---|
64 | var section = node.textContent; |
---|
65 | section = section.replace("\u00a0", " "); |
---|
66 | |
---|
67 | // build URI from template |
---|
68 | var uri = template.replace("{docname}", encodeURIComponent(docname)); |
---|
69 | uri = uri.replace("{section}", encodeURIComponent(section)); |
---|
70 | uri = uri.replace("{ref}", encodeURIComponent(ref)); |
---|
71 | |
---|
72 | var button = document.createElement("a"); |
---|
73 | button.className = "fbbutton noprint"; |
---|
74 | button.setAttribute("href", uri); |
---|
75 | button.appendChild(document.createTextNode("send feedback")); |
---|
76 | node.appendChild(button); |
---|
77 | } |
---|
78 | else { |
---|
79 | var buttons = node.getElementsByTagName("a"); |
---|
80 | for (var i = 0; i < buttons.length; i++) { |
---|
81 | var b = buttons.item(i); |
---|
82 | if (b.className == "fbbutton noprint") { |
---|
83 | node.removeChild(b); |
---|
84 | } |
---|
85 | } |
---|
86 | } |
---|
87 | }</script><style type="text/css" title="Xml2Rfc (sans serif)"> |
---|
88 | a { |
---|
89 | text-decoration: none; |
---|
90 | } |
---|
91 | a.smpl { |
---|
92 | color: black; |
---|
93 | } |
---|
94 | a:hover { |
---|
95 | text-decoration: underline; |
---|
96 | } |
---|
97 | a:active { |
---|
98 | text-decoration: underline; |
---|
99 | } |
---|
100 | address { |
---|
101 | margin-top: 1em; |
---|
102 | margin-left: 2em; |
---|
103 | font-style: normal; |
---|
104 | } |
---|
105 | body { |
---|
106 | color: black; |
---|
107 | font-family: cambria, georgia, serif; |
---|
108 | font-size: 12pt; |
---|
109 | margin: 2em auto; |
---|
110 | max-width: 1000px; |
---|
111 | } |
---|
112 | samp, tt, code, pre { |
---|
113 | font-family: consolas, monaco, monospace; |
---|
114 | } |
---|
115 | cite { |
---|
116 | font-style: normal; |
---|
117 | } |
---|
118 | div.note { |
---|
119 | margin-left: 2em; |
---|
120 | } |
---|
121 | dl { |
---|
122 | margin-left: 2em; |
---|
123 | } |
---|
124 | dl > dt { |
---|
125 | float: left; |
---|
126 | margin-right: 1em; |
---|
127 | } |
---|
128 | dl.nohang > dt { |
---|
129 | float: none; |
---|
130 | } |
---|
131 | dl > dd { |
---|
132 | margin-bottom: .5em; |
---|
133 | } |
---|
134 | dl.compact > dd { |
---|
135 | margin-bottom: .0em; |
---|
136 | } |
---|
137 | dl > dd > dl { |
---|
138 | margin-top: 0.5em; |
---|
139 | } |
---|
140 | ul.empty { |
---|
141 | list-style-type: none; |
---|
142 | } |
---|
143 | ul.empty li { |
---|
144 | margin-top: .5em; |
---|
145 | } |
---|
146 | dl p { |
---|
147 | margin-left: 0em; |
---|
148 | } |
---|
149 | dl.reference > dt { |
---|
150 | font-weight: bold; |
---|
151 | } |
---|
152 | dl.reference > dd { |
---|
153 | margin-left: 6em; |
---|
154 | } |
---|
155 | h1 { |
---|
156 | color: green; |
---|
157 | font-size: 150%; |
---|
158 | line-height: 18pt; |
---|
159 | font-weight: bold; |
---|
160 | text-align: center; |
---|
161 | margin-top: 36pt; |
---|
162 | margin-bottom: 0pt; |
---|
163 | } |
---|
164 | h2 { |
---|
165 | font-size: 130%; |
---|
166 | line-height: 21pt; |
---|
167 | page-break-after: avoid; |
---|
168 | } |
---|
169 | h2.np { |
---|
170 | page-break-before: always; |
---|
171 | } |
---|
172 | h3 { |
---|
173 | font-size: 120%; |
---|
174 | line-height: 15pt; |
---|
175 | page-break-after: avoid; |
---|
176 | } |
---|
177 | h4 { |
---|
178 | font-size: 110%; |
---|
179 | page-break-after: avoid; |
---|
180 | } |
---|
181 | h5, h6 { |
---|
182 | page-break-after: avoid; |
---|
183 | } |
---|
184 | h1 a, h2 a, h3 a, h4 a, h5 a, h6 a { |
---|
185 | color: black; |
---|
186 | } |
---|
187 | img { |
---|
188 | margin-left: 3em; |
---|
189 | } |
---|
190 | li { |
---|
191 | margin-left: 2em; |
---|
192 | } |
---|
193 | ol { |
---|
194 | margin-left: 2em; |
---|
195 | } |
---|
196 | ol.la { |
---|
197 | list-style-type: lower-alpha; |
---|
198 | } |
---|
199 | ol.ua { |
---|
200 | list-style-type: upper-alpha; |
---|
201 | } |
---|
202 | ol p { |
---|
203 | margin-left: 0em; |
---|
204 | } |
---|
205 | p { |
---|
206 | margin-left: 2em; |
---|
207 | } |
---|
208 | pre { |
---|
209 | font-size: 11pt; |
---|
210 | margin-left: 3em; |
---|
211 | background-color: lightyellow; |
---|
212 | padding: .25em; |
---|
213 | page-break-inside: avoid; |
---|
214 | } |
---|
215 | pre.text2 { |
---|
216 | border-style: dotted; |
---|
217 | border-width: 1px; |
---|
218 | background-color: #f0f0f0; |
---|
219 | } |
---|
220 | pre.inline { |
---|
221 | background-color: white; |
---|
222 | padding: 0em; |
---|
223 | page-break-inside: auto; |
---|
224 | } |
---|
225 | pre.text { |
---|
226 | border-style: dotted; |
---|
227 | border-width: 1px; |
---|
228 | background-color: #f8f8f8; |
---|
229 | } |
---|
230 | pre.drawing { |
---|
231 | border-style: solid; |
---|
232 | border-width: 1px; |
---|
233 | background-color: #f8f8f8; |
---|
234 | padding: 2em; |
---|
235 | } |
---|
236 | table { |
---|
237 | margin-left: 2em; |
---|
238 | } |
---|
239 | table.tt { |
---|
240 | vertical-align: top; |
---|
241 | border-color: gray; |
---|
242 | } |
---|
243 | table.tt th { |
---|
244 | border-color: gray; |
---|
245 | } |
---|
246 | table.tt td { |
---|
247 | border-color: gray; |
---|
248 | } |
---|
249 | table.all { |
---|
250 | border-style: solid; |
---|
251 | border-width: 2px; |
---|
252 | } |
---|
253 | table.full { |
---|
254 | border-style: solid; |
---|
255 | border-width: 2px; |
---|
256 | } |
---|
257 | table.tt td { |
---|
258 | vertical-align: top; |
---|
259 | } |
---|
260 | table.all td { |
---|
261 | border-style: solid; |
---|
262 | border-width: 1px; |
---|
263 | } |
---|
264 | table.full td { |
---|
265 | border-style: none solid; |
---|
266 | border-width: 1px; |
---|
267 | } |
---|
268 | table.tt th { |
---|
269 | vertical-align: top; |
---|
270 | } |
---|
271 | table.all th { |
---|
272 | border-style: solid; |
---|
273 | border-width: 1px; |
---|
274 | } |
---|
275 | table.full th { |
---|
276 | border-style: solid; |
---|
277 | border-width: 1px 1px 2px 1px; |
---|
278 | } |
---|
279 | table.headers th { |
---|
280 | border-style: none none solid none; |
---|
281 | border-width: 2px; |
---|
282 | } |
---|
283 | table.tleft { |
---|
284 | margin-right: auto; |
---|
285 | } |
---|
286 | table.tright { |
---|
287 | margin-left: auto; |
---|
288 | } |
---|
289 | table.tcenter { |
---|
290 | margin-left: auto; |
---|
291 | margin-right: auto; |
---|
292 | } |
---|
293 | caption { |
---|
294 | caption-side: bottom; |
---|
295 | font-weight: bold; |
---|
296 | font-size: 10pt; |
---|
297 | margin-top: .5em; |
---|
298 | } |
---|
299 | |
---|
300 | table.header { |
---|
301 | border-spacing: 1px; |
---|
302 | width: 95%; |
---|
303 | font-size: 11pt; |
---|
304 | color: white; |
---|
305 | } |
---|
306 | td.top { |
---|
307 | vertical-align: top; |
---|
308 | } |
---|
309 | td.topnowrap { |
---|
310 | vertical-align: top; |
---|
311 | white-space: nowrap; |
---|
312 | } |
---|
313 | table.header td { |
---|
314 | background-color: gray; |
---|
315 | width: 50%; |
---|
316 | } |
---|
317 | table.header a { |
---|
318 | color: white; |
---|
319 | } |
---|
320 | thead { |
---|
321 | display:table-header-group; |
---|
322 | } |
---|
323 | ul.toc, ul.toc ul { |
---|
324 | list-style: none; |
---|
325 | margin-left: 1.5em; |
---|
326 | padding-left: 0em; |
---|
327 | } |
---|
328 | ul.toc li { |
---|
329 | line-height: 150%; |
---|
330 | font-weight: bold; |
---|
331 | margin-left: 0em; |
---|
332 | } |
---|
333 | ul.toc li li { |
---|
334 | line-height: normal; |
---|
335 | font-weight: normal; |
---|
336 | font-size: 11pt; |
---|
337 | margin-left: 0em; |
---|
338 | } |
---|
339 | li.excluded { |
---|
340 | font-size: 0pt; |
---|
341 | } |
---|
342 | ul p { |
---|
343 | margin-left: 0em; |
---|
344 | } |
---|
345 | .filename, h1, h2, h3, h4 { |
---|
346 | font-family: candara, calibri, segoe, optima, arial, sans-serif; |
---|
347 | } |
---|
348 | ul.ind, ul.ind ul { |
---|
349 | list-style: none; |
---|
350 | margin-left: 1.5em; |
---|
351 | padding-left: 0em; |
---|
352 | page-break-before: avoid; |
---|
353 | } |
---|
354 | ul.ind li { |
---|
355 | font-weight: bold; |
---|
356 | line-height: 200%; |
---|
357 | margin-left: 0em; |
---|
358 | } |
---|
359 | ul.ind li li { |
---|
360 | font-weight: normal; |
---|
361 | line-height: 150%; |
---|
362 | margin-left: 0em; |
---|
363 | } |
---|
364 | .avoidbreakinside { |
---|
365 | page-break-inside: avoid; |
---|
366 | } |
---|
367 | .avoidbreakafter { |
---|
368 | page-break-after: avoid; |
---|
369 | } |
---|
370 | .bcp14 { |
---|
371 | font-style: normal; |
---|
372 | text-transform: lowercase; |
---|
373 | font-variant: small-caps; |
---|
374 | } |
---|
375 | .comment { |
---|
376 | background-color: yellow; |
---|
377 | } |
---|
378 | .center { |
---|
379 | text-align: center; |
---|
380 | } |
---|
381 | .error { |
---|
382 | color: red; |
---|
383 | font-style: italic; |
---|
384 | font-weight: bold; |
---|
385 | } |
---|
386 | .figure { |
---|
387 | font-weight: bold; |
---|
388 | text-align: center; |
---|
389 | font-size: 10pt; |
---|
390 | } |
---|
391 | .filename { |
---|
392 | color: #333333; |
---|
393 | font-size: 112%; |
---|
394 | font-weight: bold; |
---|
395 | line-height: 21pt; |
---|
396 | text-align: center; |
---|
397 | margin-top: 0pt; |
---|
398 | } |
---|
399 | .fn { |
---|
400 | font-weight: bold; |
---|
401 | } |
---|
402 | .left { |
---|
403 | text-align: left; |
---|
404 | } |
---|
405 | .right { |
---|
406 | text-align: right; |
---|
407 | } |
---|
408 | .warning { |
---|
409 | font-size: 130%; |
---|
410 | background-color: yellow; |
---|
411 | }.feedback { |
---|
412 | position: fixed; |
---|
413 | bottom: 1%; |
---|
414 | right: 1%; |
---|
415 | padding: 3px 5px; |
---|
416 | color: white; |
---|
417 | border-radius: 5px; |
---|
418 | background: #006400; |
---|
419 | border: 1px solid silver; |
---|
420 | -webkit-user-select: none; |
---|
421 | -moz-user-select: none; |
---|
422 | -ms-user-select: none; |
---|
423 | } |
---|
424 | .fbbutton { |
---|
425 | margin-left: 1em; |
---|
426 | color: #303030; |
---|
427 | font-size: small; |
---|
428 | font-weight: normal; |
---|
429 | background: #d0d000; |
---|
430 | padding: 1px 4px; |
---|
431 | border: 1px solid silver; |
---|
432 | border-radius: 5px; |
---|
433 | } |
---|
434 | .publishedasrfc { |
---|
435 | background-color: yellow; |
---|
436 | color: green; |
---|
437 | font-size: 14pt; |
---|
438 | text-align: center; |
---|
439 | } |
---|
440 | |
---|
441 | @media screen { |
---|
442 | pre.text, pre.text2 { |
---|
443 | width: 69em; |
---|
444 | } |
---|
445 | } |
---|
446 | |
---|
447 | @media print { |
---|
448 | .noprint { |
---|
449 | display: none; |
---|
450 | } |
---|
451 | |
---|
452 | a { |
---|
453 | color: black; |
---|
454 | text-decoration: none; |
---|
455 | } |
---|
456 | |
---|
457 | table.header { |
---|
458 | width: 90%; |
---|
459 | } |
---|
460 | |
---|
461 | td.header { |
---|
462 | width: 50%; |
---|
463 | color: black; |
---|
464 | background-color: white; |
---|
465 | vertical-align: top; |
---|
466 | font-size: 110%; |
---|
467 | } |
---|
468 | |
---|
469 | ul.toc a:last-child::after { |
---|
470 | content: leader('.') target-counter(attr(href), page); |
---|
471 | } |
---|
472 | |
---|
473 | ul.ind li li a { |
---|
474 | content: target-counter(attr(href), page); |
---|
475 | } |
---|
476 | |
---|
477 | pre { |
---|
478 | font-size: 10pt; |
---|
479 | } |
---|
480 | |
---|
481 | .print2col { |
---|
482 | column-count: 2; |
---|
483 | -moz-column-count: 2; |
---|
484 | column-fill: auto; |
---|
485 | } |
---|
486 | } |
---|
487 | |
---|
488 | @page { |
---|
489 | @top-left { |
---|
490 | content: "Internet-Draft"; |
---|
491 | } |
---|
492 | @top-right { |
---|
493 | content: "June 2014"; |
---|
494 | } |
---|
495 | @top-center { |
---|
496 | content: "HTTP/1.1 Authentication"; |
---|
497 | } |
---|
498 | @bottom-left { |
---|
499 | content: "Fielding & Reschke"; |
---|
500 | } |
---|
501 | @bottom-center { |
---|
502 | content: "Expires December 2014"; |
---|
503 | } |
---|
504 | @bottom-right { |
---|
505 | content: "[Page " counter(page) "]"; |
---|
506 | } |
---|
507 | } |
---|
508 | |
---|
509 | @page:first { |
---|
510 | @top-left { |
---|
511 | content: normal; |
---|
512 | } |
---|
513 | @top-right { |
---|
514 | content: normal; |
---|
515 | } |
---|
516 | @top-center { |
---|
517 | content: normal; |
---|
518 | } |
---|
519 | } |
---|
520 | </style><link rel="Contents" href="#rfc.toc"> |
---|
521 | <link rel="Author" href="#rfc.authors"> |
---|
522 | <link rel="Copyright" href="#rfc.copyrightnotice"> |
---|
523 | <link rel="Index" href="#rfc.index"> |
---|
524 | <link rel="Chapter" title="1 Introduction" href="#rfc.section.1"> |
---|
525 | <link rel="Chapter" title="2 Access Authentication Framework" href="#rfc.section.2"> |
---|
526 | <link rel="Chapter" title="3 Status Code Definitions" href="#rfc.section.3"> |
---|
527 | <link rel="Chapter" title="4 Header Field Definitions" href="#rfc.section.4"> |
---|
528 | <link rel="Chapter" title="5 IANA Considerations" href="#rfc.section.5"> |
---|
529 | <link rel="Chapter" title="6 Security Considerations" href="#rfc.section.6"> |
---|
530 | <link rel="Chapter" title="7 Acknowledgments" href="#rfc.section.7"> |
---|
531 | <link rel="Chapter" href="#rfc.section.8" title="8 References"> |
---|
532 | <link rel="Appendix" title="A Changes from RFCs 2616 and 2617" href="#rfc.section.A"> |
---|
533 | <link rel="Appendix" title="B Imported ABNF" href="#rfc.section.B"> |
---|
534 | <link rel="Appendix" title="C Collected ABNF" href="#rfc.section.C"> |
---|
535 | <link rel="Alternate" title="RFC7235" href="http://svn.tools.ietf.org/svn/wg/httpbis/specs/rfc7235.html"> |
---|
536 | <link href="p6-cache.html" rel="prev"> |
---|
537 | <meta name="generator" content="http://greenbytes.de/tech/webdav/rfc2629.xslt, Revision 1.756, 2015/12/31 17:59:21, XSLT vendor: Saxonica http://www.saxonica.com/"> |
---|
538 | <meta name="keywords" content="Hypertext Transfer Protocol, HTTP, HTTP authentication"> |
---|
539 | <link rel="schema.dct" href="http://purl.org/dc/terms/"> |
---|
540 | <meta name="dct.creator" content="Fielding, R."> |
---|
541 | <meta name="dct.creator" content="Reschke, J. F."> |
---|
542 | <meta name="dct.identifier" content="urn:ietf:id:draft-ietf-httpbis-p7-auth-latest"> |
---|
543 | <meta name="dct.issued" scheme="ISO8601" content="2014-06"> |
---|
544 | <meta name="dct.replaces" content="urn:ietf:rfc:2616"> |
---|
545 | <meta name="dct.abstract" content="The Hypertext Transfer Protocol (HTTP) is a stateless application-level protocol for distributed, collaborative, hypermedia information systems. This document defines the HTTP Authentication framework."> |
---|
546 | <meta name="description" content="The Hypertext Transfer Protocol (HTTP) is a stateless application-level protocol for distributed, collaborative, hypermedia information systems. This document defines the HTTP Authentication framework."> |
---|
547 | </head> |
---|
548 | <body onload="initFeedback();"> |
---|
549 | <table class="header" id="rfc.headerblock"> |
---|
550 | <tbody> |
---|
551 | <tr> |
---|
552 | <td class="left">HTTPbis Working Group</td> |
---|
553 | <td class="right">R. Fielding, Editor</td> |
---|
554 | </tr> |
---|
555 | <tr> |
---|
556 | <td class="left">Internet-Draft</td> |
---|
557 | <td class="right">Adobe</td> |
---|
558 | </tr> |
---|
559 | <tr> |
---|
560 | <td class="left">Obsoletes: <a href="https://tools.ietf.org/html/rfc2616">2616</a> (if approved) |
---|
561 | </td> |
---|
562 | <td class="right">J. Reschke, Editor</td> |
---|
563 | </tr> |
---|
564 | <tr> |
---|
565 | <td class="left">Updates: <a href="https://tools.ietf.org/html/rfc2617">2617</a> (if approved) |
---|
566 | </td> |
---|
567 | <td class="right">greenbytes</td> |
---|
568 | </tr> |
---|
569 | <tr> |
---|
570 | <td class="left">Intended status: Standards Track</td> |
---|
571 | <td class="right">June 2014</td> |
---|
572 | </tr> |
---|
573 | <tr> |
---|
574 | <td class="left">Expires: December 2014</td> |
---|
575 | <td class="right"></td> |
---|
576 | </tr> |
---|
577 | </tbody> |
---|
578 | </table> |
---|
579 | <div id="rfc.title"> |
---|
580 | <h1>Hypertext Transfer Protocol (HTTP/1.1): Authentication</h1> |
---|
581 | <div class="filename">draft-ietf-httpbis-p7-auth-latest</div> |
---|
582 | </div> |
---|
583 | <p class="publishedasrfc"><b>Note:</b> a later version of this document has been published as <a href="http://svn.tools.ietf.org/svn/wg/httpbis/specs/rfc7235.html">RFC7235</a>. |
---|
584 | |
---|
585 | </p> |
---|
586 | <h2 id="rfc.abstract"><a href="#rfc.abstract">Abstract</a></h2> |
---|
587 | <p>The Hypertext Transfer Protocol (HTTP) is a stateless application-level protocol for |
---|
588 | distributed, collaborative, hypermedia information systems. This document defines |
---|
589 | the HTTP Authentication framework. |
---|
590 | </p> |
---|
591 | <h2 id="rfc.note.1"><a href="#rfc.note.1">Editorial Note (To be removed by RFC Editor)</a></h2> |
---|
592 | <p>Discussion of this draft takes place on the HTTPBIS working group mailing list (ietf-http-wg@w3.org), |
---|
593 | which is archived at <<a href="http://lists.w3.org/Archives/Public/ietf-http-wg/">http://lists.w3.org/Archives/Public/ietf-http-wg/</a>>. |
---|
594 | </p> |
---|
595 | <p>The current issues list is at <<a href="http://tools.ietf.org/wg/httpbis/trac/report/3">http://tools.ietf.org/wg/httpbis/trac/report/3</a>> and related documents (including fancy diffs) can be found at <<a href="http://tools.ietf.org/wg/httpbis/">http://tools.ietf.org/wg/httpbis/</a>>. |
---|
596 | </p> |
---|
597 | <p><em>This is a temporary document for the purpose of tracking the editorial changes made |
---|
598 | during the AUTH48 (RFC publication) phase.</em> |
---|
599 | </p> |
---|
600 | <div id="rfc.status"> |
---|
601 | <h2><a href="#rfc.status">Status of This Memo</a></h2> |
---|
602 | <p>This Internet-Draft is submitted in full conformance with the provisions of BCP 78 |
---|
603 | and BCP 79. |
---|
604 | </p> |
---|
605 | <p>Internet-Drafts are working documents of the Internet Engineering Task Force (IETF). |
---|
606 | Note that other groups may also distribute working documents as Internet-Drafts. The |
---|
607 | list of current Internet-Drafts is at <a href="http://datatracker.ietf.org/drafts/current/">http://datatracker.ietf.org/drafts/current/</a>. |
---|
608 | </p> |
---|
609 | <p>Internet-Drafts are draft documents valid for a maximum of six months and may be updated, |
---|
610 | replaced, or obsoleted by other documents at any time. It is inappropriate to use |
---|
611 | Internet-Drafts as reference material or to cite them other than as “work in progress”. |
---|
612 | </p> |
---|
613 | <p>This Internet-Draft will expire in December 2014.</p> |
---|
614 | </div> |
---|
615 | <div id="rfc.copyrightnotice"> |
---|
616 | <h2><a href="#rfc.copyrightnotice">Copyright Notice</a></h2> |
---|
617 | <p>Copyright © 2014 IETF Trust and the persons identified as the document authors. All |
---|
618 | rights reserved. |
---|
619 | </p> |
---|
620 | <p>This document is subject to BCP 78 and the IETF Trust's Legal Provisions Relating |
---|
621 | to IETF Documents (<a href="http://trustee.ietf.org/license-info">http://trustee.ietf.org/license-info</a>) in effect on the date of publication of this document. Please review these documents |
---|
622 | carefully, as they describe your rights and restrictions with respect to this document. |
---|
623 | Code Components extracted from this document must include Simplified BSD License text |
---|
624 | as described in Section 4.e of the Trust Legal Provisions and are provided without |
---|
625 | warranty as described in the Simplified BSD License. |
---|
626 | </p> |
---|
627 | <p>This document may contain material from IETF Documents or IETF Contributions published |
---|
628 | or made publicly available before November 10, 2008. The person(s) controlling the |
---|
629 | copyright in some of this material may not have granted the IETF Trust the right to |
---|
630 | allow modifications of such material outside the IETF Standards Process. Without obtaining |
---|
631 | an adequate license from the person(s) controlling the copyright in such materials, |
---|
632 | this document may not be modified outside the IETF Standards Process, and derivative |
---|
633 | works of it may not be created outside the IETF Standards Process, except to format |
---|
634 | it for publication as an RFC or to translate it into languages other than English. |
---|
635 | </p> |
---|
636 | </div> |
---|
637 | <hr class="noprint"> |
---|
638 | <div id="rfc.toc"> |
---|
639 | <h2 class="np"><a href="#rfc.toc">Table of Contents</a></h2> |
---|
640 | <ul class="toc"> |
---|
641 | <li><a href="#rfc.section.1">1.</a> <a href="#introduction">Introduction</a><ul> |
---|
642 | <li><a href="#rfc.section.1.1">1.1</a> <a href="#conformance">Conformance and Error Handling</a></li> |
---|
643 | <li><a href="#rfc.section.1.2">1.2</a> <a href="#notation">Syntax Notation</a></li> |
---|
644 | </ul> |
---|
645 | </li> |
---|
646 | <li><a href="#rfc.section.2">2.</a> <a href="#access.authentication.framework">Access Authentication Framework</a><ul> |
---|
647 | <li><a href="#rfc.section.2.1">2.1</a> <a href="#challenge.and.response">Challenge and Response</a></li> |
---|
648 | <li><a href="#rfc.section.2.2">2.2</a> <a href="#protection.space">Protection Space (Realm)</a></li> |
---|
649 | </ul> |
---|
650 | </li> |
---|
651 | <li><a href="#rfc.section.3">3.</a> <a href="#status.code.definitions">Status Code Definitions</a><ul> |
---|
652 | <li><a href="#rfc.section.3.1">3.1</a> <a href="#status.401">401 Unauthorized</a></li> |
---|
653 | <li><a href="#rfc.section.3.2">3.2</a> <a href="#status.407">407 Proxy Authentication Required</a></li> |
---|
654 | </ul> |
---|
655 | </li> |
---|
656 | <li><a href="#rfc.section.4">4.</a> <a href="#header.field.definitions">Header Field Definitions</a><ul> |
---|
657 | <li><a href="#rfc.section.4.1">4.1</a> <a href="#header.www-authenticate">WWW-Authenticate</a></li> |
---|
658 | <li><a href="#rfc.section.4.2">4.2</a> <a href="#header.authorization">Authorization</a></li> |
---|
659 | <li><a href="#rfc.section.4.3">4.3</a> <a href="#header.proxy-authenticate">Proxy-Authenticate</a></li> |
---|
660 | <li><a href="#rfc.section.4.4">4.4</a> <a href="#header.proxy-authorization">Proxy-Authorization</a></li> |
---|
661 | </ul> |
---|
662 | </li> |
---|
663 | <li><a href="#rfc.section.5">5.</a> <a href="#IANA.considerations">IANA Considerations</a><ul> |
---|
664 | <li><a href="#rfc.section.5.1">5.1</a> <a href="#authentication.scheme.registry">Authentication Scheme Registry</a><ul> |
---|
665 | <li><a href="#rfc.section.5.1.1">5.1.1</a> <a href="#authentication.scheme.registry.procedure">Procedure</a></li> |
---|
666 | <li><a href="#rfc.section.5.1.2">5.1.2</a> <a href="#considerations.for.new.authentication.schemes">Considerations for New Authentication Schemes</a></li> |
---|
667 | </ul> |
---|
668 | </li> |
---|
669 | <li><a href="#rfc.section.5.2">5.2</a> <a href="#status.code.registration">Status Code Registration</a></li> |
---|
670 | <li><a href="#rfc.section.5.3">5.3</a> <a href="#header.field.registration">Header Field Registration</a></li> |
---|
671 | </ul> |
---|
672 | </li> |
---|
673 | <li><a href="#rfc.section.6">6.</a> <a href="#security.considerations">Security Considerations</a><ul> |
---|
674 | <li><a href="#rfc.section.6.1">6.1</a> <a href="#confidentiality.of.credentials">Confidentiality of Credentials</a></li> |
---|
675 | <li><a href="#rfc.section.6.2">6.2</a> <a href="#auth.credentials.and.idle.clients">Authentication Credentials and Idle Clients</a></li> |
---|
676 | <li><a href="#rfc.section.6.3">6.3</a> <a href="#protection.spaces">Protection Spaces</a></li> |
---|
677 | </ul> |
---|
678 | </li> |
---|
679 | <li><a href="#rfc.section.7">7.</a> <a href="#acks">Acknowledgments</a></li> |
---|
680 | <li><a href="#rfc.section.8">8.</a> <a href="#rfc.references">References</a><ul> |
---|
681 | <li><a href="#rfc.section.8.1">8.1</a> <a href="#rfc.references.1">Normative References</a></li> |
---|
682 | <li><a href="#rfc.section.8.2">8.2</a> <a href="#rfc.references.2">Informative References</a></li> |
---|
683 | </ul> |
---|
684 | </li> |
---|
685 | <li><a href="#rfc.section.A">A.</a> <a href="#changes.from.rfc.2616">Changes from RFCs 2616 and 2617</a></li> |
---|
686 | <li><a href="#rfc.section.B">B.</a> <a href="#imported.abnf">Imported ABNF</a></li> |
---|
687 | <li><a href="#rfc.section.C">C.</a> <a href="#collected.abnf">Collected ABNF</a></li> |
---|
688 | <li><a href="#rfc.index">Index</a></li> |
---|
689 | <li><a href="#rfc.authors">Authors' Addresses</a></li> |
---|
690 | </ul> |
---|
691 | </div> |
---|
692 | <div id="introduction"> |
---|
693 | <h2 id="rfc.section.1" class="np"><a href="#rfc.section.1">1.</a> <a href="#introduction">Introduction</a></h2> |
---|
694 | <div id="rfc.section.1.p.1"> |
---|
695 | <p>HTTP provides a general framework for access control and authentication, via an extensible |
---|
696 | set of challenge-response authentication schemes, which can be used by a server to |
---|
697 | challenge a client request and by a client to provide authentication information. |
---|
698 | This document defines HTTP/1.1 authentication in terms of the architecture defined |
---|
699 | in "Hypertext Transfer Protocol (HTTP/1.1): Message Syntax and Routing" <a href="#RFC7230" id="rfc.xref.RFC7230.1"><cite title="Hypertext Transfer Protocol (HTTP/1.1): Message Syntax and Routing">[RFC7230]</cite></a>, including the general framework previously described in "HTTP Authentication: Basic |
---|
700 | and Digest Access Authentication" <a href="#RFC2617" id="rfc.xref.RFC2617.1"><cite title="HTTP Authentication: Basic and Digest Access Authentication">[RFC2617]</cite></a> and the related fields and status codes previously defined in "Hypertext Transfer |
---|
701 | Protocol -- HTTP/1.1" <a href="#RFC2616" id="rfc.xref.RFC2616.1"><cite title="Hypertext Transfer Protocol -- HTTP/1.1">[RFC2616]</cite></a>. |
---|
702 | </p> |
---|
703 | </div> |
---|
704 | <div id="rfc.section.1.p.2"> |
---|
705 | <p>The IANA Authentication Scheme Registry (<a href="#authentication.scheme.registry" title="Authentication Scheme Registry">Section 5.1</a>) lists registered authentication schemes and their corresponding specifications, |
---|
706 | including the "basic" and "digest" authentication schemes previously defined by <cite title="HTTP Authentication: Basic and Digest Access Authentication" id="rfc.xref.RFC2617.2">RFC 2617</cite>. |
---|
707 | </p> |
---|
708 | </div> |
---|
709 | <div id="conformance"> |
---|
710 | <h3 id="rfc.section.1.1"><a href="#rfc.section.1.1">1.1</a> <a href="#conformance">Conformance and Error Handling</a></h3> |
---|
711 | <div id="rfc.section.1.1.p.1"> |
---|
712 | <p>The key words "MUST", "MUST NOT", "REQUIRED", "SHALL", "SHALL NOT", "SHOULD", "SHOULD |
---|
713 | NOT", "RECOMMENDED", "MAY", and "OPTIONAL" in this document are to be interpreted |
---|
714 | as described in <a href="#RFC2119" id="rfc.xref.RFC2119.1"><cite title="Key words for use in RFCs to Indicate Requirement Levels">[RFC2119]</cite></a>. |
---|
715 | </p> |
---|
716 | </div> |
---|
717 | <div id="rfc.section.1.1.p.2"> |
---|
718 | <p>Conformance criteria and considerations regarding error handling are defined in <a href="p1-messaging.html#conformance" title="Conformance and Error Handling">Section 2.5</a> of <a href="#RFC7230" id="rfc.xref.RFC7230.2"><cite title="Hypertext Transfer Protocol (HTTP/1.1): Message Syntax and Routing">[RFC7230]</cite></a>. |
---|
719 | </p> |
---|
720 | </div> |
---|
721 | </div> |
---|
722 | <div id="notation"> |
---|
723 | <h3 id="rfc.section.1.2"><a href="#rfc.section.1.2">1.2</a> <a href="#notation">Syntax Notation</a></h3> |
---|
724 | <div id="rfc.section.1.2.p.1"> |
---|
725 | <p>This specification uses the Augmented Backus-Naur Form (ABNF) notation of <a href="#RFC5234" id="rfc.xref.RFC5234.1"><cite title="Augmented BNF for Syntax Specifications: ABNF">[RFC5234]</cite></a> with a list extension, defined in <a href="p1-messaging.html#abnf.extension" title="ABNF List Extension: #rule">Section 7</a> of <a href="#RFC7230" id="rfc.xref.RFC7230.3"><cite title="Hypertext Transfer Protocol (HTTP/1.1): Message Syntax and Routing">[RFC7230]</cite></a>, that allows for compact definition of comma-separated lists using a '#' operator |
---|
726 | (similar to how the '*' operator indicates repetition). <a href="#imported.abnf" title="Imported ABNF">Appendix B</a> describes rules imported from other documents. <a href="#collected.abnf" title="Collected ABNF">Appendix C</a> shows the collected grammar with all list operators expanded to standard ABNF notation. |
---|
727 | </p> |
---|
728 | </div> |
---|
729 | </div> |
---|
730 | </div> |
---|
731 | <div id="access.authentication.framework"> |
---|
732 | <h2 id="rfc.section.2"><a href="#rfc.section.2">2.</a> <a href="#access.authentication.framework">Access Authentication Framework</a></h2> |
---|
733 | <div id="challenge.and.response"> |
---|
734 | <h3 id="rfc.section.2.1"><a href="#rfc.section.2.1">2.1</a> <a href="#challenge.and.response">Challenge and Response</a></h3> |
---|
735 | <div id="rfc.section.2.1.p.1"> |
---|
736 | <p>HTTP provides a simple challenge-response authentication framework that can be used |
---|
737 | by a server to challenge a client request and by a client to provide authentication |
---|
738 | information. It uses a case-insensitive token as a means to identify the authentication |
---|
739 | scheme, followed by additional information necessary for achieving authentication |
---|
740 | via that scheme. The latter can be either a comma-separated list of parameters or |
---|
741 | a single sequence of characters capable of holding base64-encoded information. |
---|
742 | </p> |
---|
743 | </div> |
---|
744 | <div id="rfc.section.2.1.p.2"> |
---|
745 | <p>Authentication parameters are name=value pairs, where the name token is matched case-insensitively, |
---|
746 | and each parameter name <em class="bcp14">MUST</em> only occur once per challenge. |
---|
747 | </p> |
---|
748 | </div> |
---|
749 | <div id="rfc.figure.u.1"><pre class="inline"><span id="rfc.iref.g.1"></span><span id="rfc.iref.g.2"></span><span id="rfc.iref.g.3"></span> auth-scheme = <a href="#imported.abnf" class="smpl">token</a> |
---|
750 | |
---|
751 | auth-param = <a href="#imported.abnf" class="smpl">token</a> <a href="#imported.abnf" class="smpl">BWS</a> "=" <a href="#imported.abnf" class="smpl">BWS</a> ( <a href="#imported.abnf" class="smpl">token</a> / <a href="#imported.abnf" class="smpl">quoted-string</a> ) |
---|
752 | |
---|
753 | token68 = 1*( <a href="#imported.abnf" class="smpl">ALPHA</a> / <a href="#imported.abnf" class="smpl">DIGIT</a> / |
---|
754 | "-" / "." / "_" / "~" / "+" / "/" ) *"=" |
---|
755 | </pre></div> |
---|
756 | <div id="rfc.section.2.1.p.3"> |
---|
757 | <p>The token68 syntax allows the 66 unreserved URI characters (<a href="#RFC3986" id="rfc.xref.RFC3986.1"><cite title="Uniform Resource Identifier (URI): Generic Syntax">[RFC3986]</cite></a>), plus a few others, so that it can hold a base64, base64url (URL and filename safe |
---|
758 | alphabet), base32, or base16 (hex) encoding, with or without padding, but excluding |
---|
759 | whitespace (<a href="#RFC4648" id="rfc.xref.RFC4648.1"><cite title="The Base16, Base32, and Base64 Data Encodings">[RFC4648]</cite></a>). |
---|
760 | </p> |
---|
761 | </div> |
---|
762 | <div id="rfc.section.2.1.p.4"> |
---|
763 | <p>A <a href="#status.401" class="smpl">401 (Unauthorized)</a> response message is used by an origin server to challenge the authorization of a user |
---|
764 | agent, including a <a href="#header.www-authenticate" class="smpl">WWW-Authenticate</a> header field containing at least one challenge applicable to the requested resource. |
---|
765 | </p> |
---|
766 | </div> |
---|
767 | <div id="rfc.section.2.1.p.5"> |
---|
768 | <p>A <a href="#status.407" class="smpl">407 (Proxy Authentication Required)</a> response message is used by a proxy to challenge the authorization of a client, including |
---|
769 | a <a href="#header.proxy-authenticate" class="smpl">Proxy-Authenticate</a> header field containing at least one challenge applicable to the proxy for the requested |
---|
770 | resource. |
---|
771 | </p> |
---|
772 | </div> |
---|
773 | <div id="rfc.figure.u.2"><pre class="inline"><span id="rfc.iref.g.4"></span> <a href="#challenge.and.response" class="smpl">challenge</a> = <a href="#challenge.and.response" class="smpl">auth-scheme</a> [ 1*<a href="#imported.abnf" class="smpl">SP</a> ( <a href="#challenge.and.response" class="smpl">token68</a> / #<a href="#challenge.and.response" class="smpl">auth-param</a> ) ] |
---|
774 | </pre></div> |
---|
775 | <div class="note"> |
---|
776 | <div id="rfc.section.2.1.p.6"> |
---|
777 | <p><b>Note:</b> Many clients fail to parse a challenge that contains an unknown scheme. A workaround |
---|
778 | for this problem is to list well-supported schemes (such as "basic") first. |
---|
779 | </p> |
---|
780 | </div> |
---|
781 | </div> |
---|
782 | <div id="rfc.section.2.1.p.7"> |
---|
783 | <p>A user agent that wishes to authenticate itself with an origin server — usually, but |
---|
784 | not necessarily, after receiving a <a href="#status.401" class="smpl">401 (Unauthorized)</a> — can do so by including an <a href="#header.authorization" class="smpl">Authorization</a> header field with the request. |
---|
785 | </p> |
---|
786 | </div> |
---|
787 | <div id="rfc.section.2.1.p.8"> |
---|
788 | <p>A client that wishes to authenticate itself with a proxy — usually, but not necessarily, |
---|
789 | after receiving a <a href="#status.407" class="smpl">407 (Proxy Authentication Required)</a> — can do so by including a <a href="#header.proxy-authorization" class="smpl">Proxy-Authorization</a> header field with the request. |
---|
790 | </p> |
---|
791 | </div> |
---|
792 | <div id="rfc.section.2.1.p.9"> |
---|
793 | <p>Both the <a href="#header.authorization" class="smpl">Authorization</a> field value and the <a href="#header.proxy-authorization" class="smpl">Proxy-Authorization</a> field value contain the client's credentials for the realm of the resource being requested, |
---|
794 | based upon a challenge received in a response (possibly at some point in the past). |
---|
795 | When creating their values, the user agent ought to do so by selecting the challenge |
---|
796 | with what it considers to be the most secure auth-scheme that it understands, obtaining |
---|
797 | credentials from the user as appropriate. Transmission of credentials within header |
---|
798 | field values implies significant security considerations regarding the confidentiality |
---|
799 | of the underlying connection, as described in <a href="#confidentiality.of.credentials" title="Confidentiality of Credentials">Section 6.1</a>. |
---|
800 | </p> |
---|
801 | </div> |
---|
802 | <div id="rfc.figure.u.3"><pre class="inline"><span id="rfc.iref.g.5"></span> <a href="#challenge.and.response" class="smpl">credentials</a> = <a href="#challenge.and.response" class="smpl">auth-scheme</a> [ 1*<a href="#imported.abnf" class="smpl">SP</a> ( <a href="#challenge.and.response" class="smpl">token68</a> / #<a href="#challenge.and.response" class="smpl">auth-param</a> ) ] |
---|
803 | </pre></div> |
---|
804 | <div id="rfc.section.2.1.p.10"> |
---|
805 | <p>Upon receipt of a request for a protected resource that omits credentials, contains |
---|
806 | invalid credentials (e.g., a bad password) or partial credentials (e.g., when the |
---|
807 | authentication scheme requires more than one round trip), an origin server <em class="bcp14">SHOULD</em> send a <a href="#status.401" class="smpl">401 (Unauthorized)</a> response that contains a <a href="#header.www-authenticate" class="smpl">WWW-Authenticate</a> header field with at least one (possibly new) challenge applicable to the requested |
---|
808 | resource. |
---|
809 | </p> |
---|
810 | </div> |
---|
811 | <div id="rfc.section.2.1.p.11"> |
---|
812 | <p>Likewise, upon receipt of a request that omits proxy credentials or contains invalid |
---|
813 | or partial proxy credentials, a proxy that requires authentication <em class="bcp14">SHOULD</em> generate a <a href="#status.407" class="smpl">407 (Proxy Authentication Required)</a> response that contains a <a href="#header.proxy-authenticate" class="smpl">Proxy-Authenticate</a> header field with at least one (possibly new) challenge applicable to the proxy. |
---|
814 | </p> |
---|
815 | </div> |
---|
816 | <div id="rfc.section.2.1.p.12"> |
---|
817 | <p>A server that receives valid credentials that are not adequate to gain access ought |
---|
818 | to respond with the <a href="p2-semantics.html#status.403" class="smpl">403 (Forbidden)</a> status code (<a href="p2-semantics.html#status.403" title="403 Forbidden">Section 6.5.3</a> of <a href="#RFC7231" id="rfc.xref.RFC7231.1"><cite title="Hypertext Transfer Protocol (HTTP/1.1): Semantics and Content">[RFC7231]</cite></a>). |
---|
819 | </p> |
---|
820 | </div> |
---|
821 | <div id="rfc.section.2.1.p.13"> |
---|
822 | <p>HTTP does not restrict applications to this simple challenge-response framework for |
---|
823 | access authentication. Additional mechanisms can be used, such as authentication at |
---|
824 | the transport level or via message encapsulation, and with additional header fields |
---|
825 | specifying authentication information. However, such additional mechanisms are not |
---|
826 | defined by this specification. |
---|
827 | </p> |
---|
828 | </div> |
---|
829 | </div> |
---|
830 | <div id="protection.space"> |
---|
831 | <h3 id="rfc.section.2.2"><a href="#rfc.section.2.2">2.2</a> <a href="#protection.space">Protection Space (Realm)</a></h3> |
---|
832 | <div id="rfc.section.2.2.p.1"> |
---|
833 | <p>The "<dfn>realm</dfn>" authentication parameter is reserved for use by authentication schemes that wish |
---|
834 | to indicate a scope of protection. |
---|
835 | </p> |
---|
836 | </div> |
---|
837 | <div id="rfc.section.2.2.p.2"> |
---|
838 | <p>A <dfn>protection space</dfn> is defined by the canonical root URI (the scheme and authority components of the effective |
---|
839 | request URI; see <a href="p1-messaging.html#effective.request.uri" title="Effective Request URI">Section 5.5</a> of <a href="#RFC7230" id="rfc.xref.RFC7230.4"><cite title="Hypertext Transfer Protocol (HTTP/1.1): Message Syntax and Routing">[RFC7230]</cite></a>) of the server being accessed, in combination with the realm value if present. These |
---|
840 | realms allow the protected resources on a server to be partitioned into a set of protection |
---|
841 | spaces, each with its own authentication scheme and/or authorization database. The |
---|
842 | realm value is a string, generally assigned by the origin server, that can have additional |
---|
843 | semantics specific to the authentication scheme. Note that a response can have multiple |
---|
844 | challenges with the same auth-scheme but with different realms. |
---|
845 | </p> |
---|
846 | </div> |
---|
847 | <div id="rfc.section.2.2.p.3"> |
---|
848 | <p>The protection space determines the domain over which credentials can be automatically |
---|
849 | applied. If a prior request has been authorized, the user agent <em class="bcp14">MAY</em> reuse the same credentials for all other requests within that protection space for |
---|
850 | a period of time determined by the authentication scheme, parameters, and/or user |
---|
851 | preferences (such as a configurable inactivity timeout). Unless specifically allowed |
---|
852 | by the authentication scheme, a single protection space cannot extend outside the |
---|
853 | scope of its server. |
---|
854 | </p> |
---|
855 | </div> |
---|
856 | <div id="rfc.section.2.2.p.4"> |
---|
857 | <p>For historical reasons, a sender <em class="bcp14">MUST</em> only generate the quoted-string syntax. Recipients might have to support both token |
---|
858 | and quoted-string syntax for maximum interoperability with existing clients that have |
---|
859 | been accepting both notations for a long time. |
---|
860 | </p> |
---|
861 | </div> |
---|
862 | </div> |
---|
863 | </div> |
---|
864 | <div id="status.code.definitions"> |
---|
865 | <h2 id="rfc.section.3"><a href="#rfc.section.3">3.</a> <a href="#status.code.definitions">Status Code Definitions</a></h2> |
---|
866 | <div id="status.401"> |
---|
867 | <h3 id="rfc.section.3.1"><a href="#rfc.section.3.1">3.1</a> <a href="#status.401">401 Unauthorized</a></h3> |
---|
868 | <div id="rfc.section.3.1.p.1"> |
---|
869 | <p>The <dfn>401 (Unauthorized)</dfn> status code indicates that the request has not been applied because it lacks valid |
---|
870 | authentication credentials for the target resource. The server generating a 401 response <em class="bcp14">MUST</em> send a <a href="#header.www-authenticate" class="smpl">WWW-Authenticate</a> header field (<a href="#header.www-authenticate" id="rfc.xref.header.www-authenticate.1" title="WWW-Authenticate">Section 4.1</a>) containing at least one challenge applicable to the target resource. |
---|
871 | </p> |
---|
872 | </div> |
---|
873 | <div id="rfc.section.3.1.p.2"> |
---|
874 | <p>If the request included authentication credentials, then the 401 response indicates |
---|
875 | that authorization has been refused for those credentials. The user agent <em class="bcp14">MAY</em> repeat the request with a new or replaced <a href="#header.authorization" class="smpl">Authorization</a> header field (<a href="#header.authorization" id="rfc.xref.header.authorization.1" title="Authorization">Section 4.2</a>). If the 401 response contains the same challenge as the prior response, and the |
---|
876 | user agent has already attempted authentication at least once, then the user agent <em class="bcp14">SHOULD</em> present the enclosed representation to the user, since it usually contains relevant |
---|
877 | diagnostic information. |
---|
878 | </p> |
---|
879 | </div> |
---|
880 | </div> |
---|
881 | <div id="status.407"> |
---|
882 | <h3 id="rfc.section.3.2"><a href="#rfc.section.3.2">3.2</a> <a href="#status.407">407 Proxy Authentication Required</a></h3> |
---|
883 | <div id="rfc.section.3.2.p.1"> |
---|
884 | <p>The <dfn>407 (Proxy Authentication Required)</dfn> status code is similar to <a href="#status.401" class="smpl">401 (Unauthorized)</a>, but it indicates that the client needs to authenticate itself in order to use a |
---|
885 | proxy. The proxy <em class="bcp14">MUST</em> send a <a href="#header.proxy-authenticate" class="smpl">Proxy-Authenticate</a> header field (<a href="#header.proxy-authenticate" id="rfc.xref.header.proxy-authenticate.1" title="Proxy-Authenticate">Section 4.3</a>) containing a challenge applicable to that proxy for the target resource. The client <em class="bcp14">MAY</em> repeat the request with a new or replaced <a href="#header.proxy-authorization" class="smpl">Proxy-Authorization</a> header field (<a href="#header.proxy-authorization" id="rfc.xref.header.proxy-authorization.1" title="Proxy-Authorization">Section 4.4</a>). |
---|
886 | </p> |
---|
887 | </div> |
---|
888 | </div> |
---|
889 | </div> |
---|
890 | <div id="header.field.definitions"> |
---|
891 | <h2 id="rfc.section.4"><a href="#rfc.section.4">4.</a> <a href="#header.field.definitions">Header Field Definitions</a></h2> |
---|
892 | <div id="rfc.section.4.p.1"> |
---|
893 | <p>This section defines the syntax and semantics of header fields related to the HTTP |
---|
894 | authentication framework. |
---|
895 | </p> |
---|
896 | </div> |
---|
897 | <div id="header.www-authenticate"> |
---|
898 | <h3 id="rfc.section.4.1"><a href="#rfc.section.4.1">4.1</a> <a href="#header.www-authenticate">WWW-Authenticate</a></h3> |
---|
899 | <div id="rfc.section.4.1.p.1"> |
---|
900 | <p>The "WWW-Authenticate" header field indicates the authentication scheme(s) and parameters |
---|
901 | applicable to the target resource. |
---|
902 | </p> |
---|
903 | </div> |
---|
904 | <div id="rfc.figure.u.4"><pre class="inline"><span id="rfc.iref.g.6"></span> <a href="#header.www-authenticate" class="smpl">WWW-Authenticate</a> = 1#<a href="#challenge.and.response" class="smpl">challenge</a> |
---|
905 | </pre></div> |
---|
906 | <div id="rfc.section.4.1.p.2"> |
---|
907 | <p>A server generating a <a href="#status.401" class="smpl">401 (Unauthorized)</a> response <em class="bcp14">MUST</em> send a WWW-Authenticate header field containing at least one challenge. A server <em class="bcp14">MAY</em> generate a WWW-Authenticate header field in other response messages to indicate that |
---|
908 | supplying credentials (or different credentials) might affect the response. |
---|
909 | </p> |
---|
910 | </div> |
---|
911 | <div id="rfc.section.4.1.p.3"> |
---|
912 | <p>A proxy forwarding a response <em class="bcp14">MUST NOT</em> modify any <a href="#header.www-authenticate" class="smpl">WWW-Authenticate</a> fields in that response. |
---|
913 | </p> |
---|
914 | </div> |
---|
915 | <div id="rfc.section.4.1.p.4"> |
---|
916 | <p>User agents are advised to take special care in parsing the field value, as it might |
---|
917 | contain more than one challenge, and each challenge can contain a comma-separated |
---|
918 | list of authentication parameters. Furthermore, the header field itself can occur |
---|
919 | multiple times. |
---|
920 | </p> |
---|
921 | </div> |
---|
922 | <div id="rfc.figure.u.5"> |
---|
923 | <p>For instance:</p><pre class="text"> WWW-Authenticate: Newauth realm="apps", type=1, |
---|
924 | title="Login to \"apps\"", Basic realm="simple" |
---|
925 | </pre><p>This header field contains two challenges; one for the "Newauth" scheme with a realm |
---|
926 | value of "apps", and two additional parameters "type" and "title", and another one |
---|
927 | for the "Basic" scheme with a realm value of "simple". |
---|
928 | </p> |
---|
929 | </div> |
---|
930 | <div class="note"> |
---|
931 | <div id="rfc.section.4.1.p.5"> |
---|
932 | <p><b>Note:</b> The challenge grammar production uses the list syntax as well. Therefore, a sequence |
---|
933 | of comma, whitespace, and comma can be considered either as applying to the preceding |
---|
934 | challenge, or to be an empty entry in the list of challenges. In practice, this ambiguity |
---|
935 | does not affect the semantics of the header field value and thus is harmless. |
---|
936 | </p> |
---|
937 | </div> |
---|
938 | </div> |
---|
939 | </div> |
---|
940 | <div id="header.authorization"> |
---|
941 | <h3 id="rfc.section.4.2"><a href="#rfc.section.4.2">4.2</a> <a href="#header.authorization">Authorization</a></h3> |
---|
942 | <div id="rfc.section.4.2.p.1"> |
---|
943 | <p>The "Authorization" header field allows a user agent to authenticate itself with an |
---|
944 | origin server — usually, but not necessarily, after receiving a <a href="#status.401" class="smpl">401 (Unauthorized)</a> response. Its value consists of credentials containing the authentication information |
---|
945 | of the user agent for the realm of the resource being requested. |
---|
946 | </p> |
---|
947 | </div> |
---|
948 | <div id="rfc.figure.u.6"><pre class="inline"><span id="rfc.iref.g.7"></span> <a href="#header.authorization" class="smpl">Authorization</a> = <a href="#challenge.and.response" class="smpl">credentials</a> |
---|
949 | </pre></div> |
---|
950 | <div id="rfc.section.4.2.p.2"> |
---|
951 | <p>If a request is authenticated and a realm specified, the same credentials are presumed |
---|
952 | to be valid for all other requests within this realm (assuming that the authentication |
---|
953 | scheme itself does not require otherwise, such as credentials that vary according |
---|
954 | to a challenge value or using synchronized clocks). |
---|
955 | </p> |
---|
956 | </div> |
---|
957 | <div id="rfc.section.4.2.p.3"> |
---|
958 | <p>A proxy forwarding a request <em class="bcp14">MUST NOT</em> modify any <a href="#header.authorization" class="smpl">Authorization</a> fields in that request. See <a href="p6-cache.html#caching.authenticated.responses" title="Storing Responses to Authenticated Requests">Section 3.2</a> of <a href="#RFC7234" id="rfc.xref.RFC7234.1"><cite title="Hypertext Transfer Protocol (HTTP/1.1): Caching">[RFC7234]</cite></a> for details of and requirements pertaining to handling of the Authorization field |
---|
959 | by HTTP caches. |
---|
960 | </p> |
---|
961 | </div> |
---|
962 | </div> |
---|
963 | <div id="header.proxy-authenticate"> |
---|
964 | <h3 id="rfc.section.4.3"><a href="#rfc.section.4.3">4.3</a> <a href="#header.proxy-authenticate">Proxy-Authenticate</a></h3> |
---|
965 | <div id="rfc.section.4.3.p.1"> |
---|
966 | <p>The "Proxy-Authenticate" header field consists of at least one challenge that indicates |
---|
967 | the authentication scheme(s) and parameters applicable to the proxy for this effective |
---|
968 | request URI (<a href="p1-messaging.html#effective.request.uri" title="Effective Request URI">Section 5.5</a> of <a href="#RFC7230" id="rfc.xref.RFC7230.5"><cite title="Hypertext Transfer Protocol (HTTP/1.1): Message Syntax and Routing">[RFC7230]</cite></a>). A proxy <em class="bcp14">MUST</em> send at least one Proxy-Authenticate header field in each <a href="#status.407" class="smpl">407 (Proxy Authentication Required)</a> response that it generates. |
---|
969 | </p> |
---|
970 | </div> |
---|
971 | <div id="rfc.figure.u.7"><pre class="inline"><span id="rfc.iref.g.8"></span> <a href="#header.proxy-authenticate" class="smpl">Proxy-Authenticate</a> = 1#<a href="#challenge.and.response" class="smpl">challenge</a> |
---|
972 | </pre></div> |
---|
973 | <div id="rfc.section.4.3.p.2"> |
---|
974 | <p>Unlike <a href="#header.www-authenticate" class="smpl">WWW-Authenticate</a>, the Proxy-Authenticate header field applies only to the next outbound client on |
---|
975 | the response chain. This is because only the client that chose a given proxy is likely |
---|
976 | to have the credentials necessary for authentication. However, when multiple proxies |
---|
977 | are used within the same administrative domain, such as office and regional caching |
---|
978 | proxies within a large corporate network, it is common for credentials to be generated |
---|
979 | by the user agent and passed through the hierarchy until consumed. Hence, in such |
---|
980 | a configuration, it will appear as if Proxy-Authenticate is being forwarded because |
---|
981 | each proxy will send the same challenge set. |
---|
982 | </p> |
---|
983 | </div> |
---|
984 | <div id="rfc.section.4.3.p.3"> |
---|
985 | <p>Note that the parsing considerations for <a href="#header.www-authenticate" class="smpl">WWW-Authenticate</a> apply to this header field as well; see <a href="#header.www-authenticate" id="rfc.xref.header.www-authenticate.2" title="WWW-Authenticate">Section 4.1</a> for details. |
---|
986 | </p> |
---|
987 | </div> |
---|
988 | </div> |
---|
989 | <div id="header.proxy-authorization"> |
---|
990 | <h3 id="rfc.section.4.4"><a href="#rfc.section.4.4">4.4</a> <a href="#header.proxy-authorization">Proxy-Authorization</a></h3> |
---|
991 | <div id="rfc.section.4.4.p.1"> |
---|
992 | <p>The "Proxy-Authorization" header field allows the client to identify itself (or its |
---|
993 | user) to a proxy that requires authentication. Its value consists of credentials containing |
---|
994 | the authentication information of the client for the proxy and/or realm of the resource |
---|
995 | being requested. |
---|
996 | </p> |
---|
997 | </div> |
---|
998 | <div id="rfc.figure.u.8"><pre class="inline"><span id="rfc.iref.g.9"></span> <a href="#header.proxy-authorization" class="smpl">Proxy-Authorization</a> = <a href="#challenge.and.response" class="smpl">credentials</a> |
---|
999 | </pre></div> |
---|
1000 | <div id="rfc.section.4.4.p.2"> |
---|
1001 | <p>Unlike <a href="#header.authorization" class="smpl">Authorization</a>, the Proxy-Authorization header field applies only to the next inbound proxy that |
---|
1002 | demanded authentication using the <a href="#header.proxy-authenticate" class="smpl">Proxy-Authenticate</a> field. When multiple proxies are used in a chain, the Proxy-Authorization header field |
---|
1003 | is consumed by the first inbound proxy that was expecting to receive credentials. |
---|
1004 | A proxy <em class="bcp14">MAY</em> relay the credentials from the client request to the next proxy if that is the mechanism |
---|
1005 | by which the proxies cooperatively authenticate a given request. |
---|
1006 | </p> |
---|
1007 | </div> |
---|
1008 | </div> |
---|
1009 | </div> |
---|
1010 | <div id="IANA.considerations"> |
---|
1011 | <h2 id="rfc.section.5"><a href="#rfc.section.5">5.</a> <a href="#IANA.considerations">IANA Considerations</a></h2> |
---|
1012 | <div id="authentication.scheme.registry"> |
---|
1013 | <h3 id="rfc.section.5.1"><a href="#rfc.section.5.1">5.1</a> <a href="#authentication.scheme.registry">Authentication Scheme Registry</a></h3> |
---|
1014 | <div id="rfc.section.5.1.p.1"> |
---|
1015 | <p>The "Hypertext Transfer Protocol (HTTP) Authentication Scheme Registry" defines the |
---|
1016 | namespace for the authentication schemes in challenges and credentials. It has been |
---|
1017 | created and is now maintained at <<a href="http://www.iana.org/assignments/http-authschemes">http://www.iana.org/assignments/http-authschemes</a>>. |
---|
1018 | </p> |
---|
1019 | </div> |
---|
1020 | <div id="authentication.scheme.registry.procedure"> |
---|
1021 | <h4 id="rfc.section.5.1.1"><a href="#rfc.section.5.1.1">5.1.1</a> <a href="#authentication.scheme.registry.procedure">Procedure</a></h4> |
---|
1022 | <div id="rfc.section.5.1.1.p.1"> |
---|
1023 | <p>Registrations <em class="bcp14">MUST</em> include the following fields: |
---|
1024 | </p> |
---|
1025 | <ul> |
---|
1026 | <li>Authentication Scheme Name</li> |
---|
1027 | <li>Pointer to specification text</li> |
---|
1028 | <li>Notes (optional)</li> |
---|
1029 | </ul> |
---|
1030 | </div> |
---|
1031 | <div id="rfc.section.5.1.1.p.2"> |
---|
1032 | <p>Values to be added to this namespace require IETF Review (see <a href="#RFC5226" id="rfc.xref.RFC5226.1"><cite title="Guidelines for Writing an IANA Considerations Section in RFCs">[RFC5226]</cite></a>, <a href="https://tools.ietf.org/html/rfc5226#section-4.1">Section 4.1</a>). |
---|
1033 | </p> |
---|
1034 | </div> |
---|
1035 | </div> |
---|
1036 | <div id="considerations.for.new.authentication.schemes"> |
---|
1037 | <h4 id="rfc.section.5.1.2"><a href="#rfc.section.5.1.2">5.1.2</a> <a href="#considerations.for.new.authentication.schemes">Considerations for New Authentication Schemes</a></h4> |
---|
1038 | <div id="rfc.section.5.1.2.p.1" class="avoidbreakafter"> |
---|
1039 | <p>There are certain aspects of the HTTP Authentication Framework that put constraints |
---|
1040 | on how new authentication schemes can work: |
---|
1041 | </p> |
---|
1042 | </div> |
---|
1043 | <div id="rfc.section.5.1.2.p.2"> |
---|
1044 | <ul> |
---|
1045 | <li> |
---|
1046 | <p>HTTP authentication is presumed to be stateless: all of the information necessary |
---|
1047 | to authenticate a request <em class="bcp14">MUST</em> be provided in the request, rather than be dependent on the server remembering prior |
---|
1048 | requests. Authentication based on, or bound to, the underlying connection is outside |
---|
1049 | the scope of this specification and inherently flawed unless steps are taken to ensure |
---|
1050 | that the connection cannot be used by any party other than the authenticated user |
---|
1051 | (see <a href="p1-messaging.html#intermediaries" title="Intermediaries">Section 2.3</a> of <a href="#RFC7230" id="rfc.xref.RFC7230.6"><cite title="Hypertext Transfer Protocol (HTTP/1.1): Message Syntax and Routing">[RFC7230]</cite></a>). |
---|
1052 | </p> |
---|
1053 | </li> |
---|
1054 | <li> |
---|
1055 | <p>The authentication parameter "realm" is reserved for defining protection spaces as |
---|
1056 | described in <a href="#protection.space" title="Protection Space (Realm)">Section 2.2</a>. New schemes <em class="bcp14">MUST NOT</em> use it in a way incompatible with that definition. |
---|
1057 | </p> |
---|
1058 | </li> |
---|
1059 | <li> |
---|
1060 | <p>The "token68" notation was introduced for compatibility with existing authentication |
---|
1061 | schemes and can only be used once per challenge or credential. Thus, new schemes ought |
---|
1062 | to use the auth-param syntax instead, because otherwise future extensions will be |
---|
1063 | impossible. |
---|
1064 | </p> |
---|
1065 | </li> |
---|
1066 | <li> |
---|
1067 | <p>The parsing of challenges and credentials is defined by this specification and cannot |
---|
1068 | be modified by new authentication schemes. When the auth-param syntax is used, all |
---|
1069 | parameters ought to support both token and quoted-string syntax, and syntactical constraints |
---|
1070 | ought to be defined on the field value after parsing (i.e., quoted-string processing). |
---|
1071 | This is necessary so that recipients can use a generic parser that applies to all |
---|
1072 | authentication schemes. |
---|
1073 | </p> |
---|
1074 | <p><b>Note:</b> The fact that the value syntax for the "realm" parameter is restricted to quoted-string |
---|
1075 | was a bad design choice not to be repeated for new parameters. |
---|
1076 | </p> |
---|
1077 | </li> |
---|
1078 | <li> |
---|
1079 | <p>Definitions of new schemes ought to define the treatment of unknown extension parameters. |
---|
1080 | In general, a "must-ignore" rule is preferable to a "must-understand" rule, because |
---|
1081 | otherwise it will be hard to introduce new parameters in the presence of legacy recipients. |
---|
1082 | Furthermore, it's good to describe the policy for defining new parameters (such as |
---|
1083 | "update the specification" or "use this registry"). |
---|
1084 | </p> |
---|
1085 | </li> |
---|
1086 | <li> |
---|
1087 | <p>Authentication schemes need to document whether they are usable in origin-server authentication |
---|
1088 | (i.e., using <a href="#header.www-authenticate" class="smpl">WWW-Authenticate</a>), and/or proxy authentication (i.e., using <a href="#header.proxy-authenticate" class="smpl">Proxy-Authenticate</a>). |
---|
1089 | </p> |
---|
1090 | </li> |
---|
1091 | <li> |
---|
1092 | <p>The credentials carried in an <a href="#header.authorization" class="smpl">Authorization</a> header field are specific to the user agent and, therefore, have the same effect on |
---|
1093 | HTTP caches as the "private" Cache-Control response directive (<a href="p6-cache.html#cache-response-directive.private" title="private">Section 5.2.2.6</a> of <a href="#RFC7234" id="rfc.xref.RFC7234.2"><cite title="Hypertext Transfer Protocol (HTTP/1.1): Caching">[RFC7234]</cite></a>), within the scope of the request in which they appear. |
---|
1094 | </p> |
---|
1095 | <p>Therefore, new authentication schemes that choose not to carry credentials in the <a href="#header.authorization" class="smpl">Authorization</a> header field (e.g., using a newly defined header field) will need to explicitly disallow |
---|
1096 | caching, by mandating the use of either Cache-Control request directives (e.g., "no-store", <a href="p6-cache.html#cache-request-directive.no-store" title="no-store">Section 5.2.1.5</a> of <a href="#RFC7234" id="rfc.xref.RFC7234.3"><cite title="Hypertext Transfer Protocol (HTTP/1.1): Caching">[RFC7234]</cite></a>) or response directives (e.g., "private"). |
---|
1097 | </p> |
---|
1098 | </li> |
---|
1099 | </ul> |
---|
1100 | </div> |
---|
1101 | </div> |
---|
1102 | </div> |
---|
1103 | <div id="status.code.registration"> |
---|
1104 | <h3 id="rfc.section.5.2"><a href="#rfc.section.5.2">5.2</a> <a href="#status.code.registration">Status Code Registration</a></h3> |
---|
1105 | <div id="rfc.section.5.2.p.1" class="avoidbreakafter"> |
---|
1106 | <p>The "Hypertext Transfer Protocol (HTTP) Status Code Registry" located at <<a href="http://www.iana.org/assignments/http-status-codes">http://www.iana.org/assignments/http-status-codes</a>> has been updated with the registrations below: |
---|
1107 | </p> |
---|
1108 | </div> |
---|
1109 | <div id="rfc.table.1"> |
---|
1110 | <div id="iana.status.code.registration.table"></div> |
---|
1111 | <table class="tt full tleft" cellpadding="3" cellspacing="0"> |
---|
1112 | <thead> |
---|
1113 | <tr> |
---|
1114 | <th>Value</th> |
---|
1115 | <th>Description</th> |
---|
1116 | <th>Reference</th> |
---|
1117 | </tr> |
---|
1118 | </thead> |
---|
1119 | <tbody> |
---|
1120 | <tr> |
---|
1121 | <td class="left">401</td> |
---|
1122 | <td class="left">Unauthorized</td> |
---|
1123 | <td class="left"><a href="#status.401" id="rfc.xref.status.401.1" title="401 Unauthorized">Section 3.1</a> |
---|
1124 | </td> |
---|
1125 | </tr> |
---|
1126 | <tr> |
---|
1127 | <td class="left">407</td> |
---|
1128 | <td class="left">Proxy Authentication Required</td> |
---|
1129 | <td class="left"><a href="#status.407" id="rfc.xref.status.407.1" title="407 Proxy Authentication Required">Section 3.2</a> |
---|
1130 | </td> |
---|
1131 | </tr> |
---|
1132 | </tbody> |
---|
1133 | </table> |
---|
1134 | </div> |
---|
1135 | </div> |
---|
1136 | <div id="header.field.registration"> |
---|
1137 | <h3 id="rfc.section.5.3"><a href="#rfc.section.5.3">5.3</a> <a href="#header.field.registration">Header Field Registration</a></h3> |
---|
1138 | <div id="rfc.section.5.3.p.1"> |
---|
1139 | <p>HTTP header fields are registered within the "Message Headers" registry maintained |
---|
1140 | at <<a href="http://www.iana.org/assignments/message-headers/">http://www.iana.org/assignments/message-headers/</a>>. |
---|
1141 | </p> |
---|
1142 | </div> |
---|
1143 | <div id="rfc.section.5.3.p.2"> |
---|
1144 | <p>This document defines the following HTTP header fields, so the "Permanent Message |
---|
1145 | Header Field Names" registry has been updated accordingly (see <a href="#BCP90" id="rfc.xref.BCP90.1"><cite title="Registration Procedures for Message Header Fields">[BCP90]</cite></a>). |
---|
1146 | </p> |
---|
1147 | </div> |
---|
1148 | <div id="rfc.table.2"> |
---|
1149 | <div id="iana.header.registration.table"></div> |
---|
1150 | <table class="tt full tleft" cellpadding="3" cellspacing="0"> |
---|
1151 | <thead> |
---|
1152 | <tr> |
---|
1153 | <th>Header Field Name</th> |
---|
1154 | <th>Protocol</th> |
---|
1155 | <th>Status</th> |
---|
1156 | <th>Reference</th> |
---|
1157 | </tr> |
---|
1158 | </thead> |
---|
1159 | <tbody> |
---|
1160 | <tr> |
---|
1161 | <td class="left">Authorization</td> |
---|
1162 | <td class="left">http</td> |
---|
1163 | <td class="left">standard</td> |
---|
1164 | <td class="left"><a href="#header.authorization" id="rfc.xref.header.authorization.2" title="Authorization">Section 4.2</a> |
---|
1165 | </td> |
---|
1166 | </tr> |
---|
1167 | <tr> |
---|
1168 | <td class="left">Proxy-Authenticate</td> |
---|
1169 | <td class="left">http</td> |
---|
1170 | <td class="left">standard</td> |
---|
1171 | <td class="left"><a href="#header.proxy-authenticate" id="rfc.xref.header.proxy-authenticate.2" title="Proxy-Authenticate">Section 4.3</a> |
---|
1172 | </td> |
---|
1173 | </tr> |
---|
1174 | <tr> |
---|
1175 | <td class="left">Proxy-Authorization</td> |
---|
1176 | <td class="left">http</td> |
---|
1177 | <td class="left">standard</td> |
---|
1178 | <td class="left"><a href="#header.proxy-authorization" id="rfc.xref.header.proxy-authorization.2" title="Proxy-Authorization">Section 4.4</a> |
---|
1179 | </td> |
---|
1180 | </tr> |
---|
1181 | <tr> |
---|
1182 | <td class="left">WWW-Authenticate</td> |
---|
1183 | <td class="left">http</td> |
---|
1184 | <td class="left">standard</td> |
---|
1185 | <td class="left"><a href="#header.www-authenticate" id="rfc.xref.header.www-authenticate.3" title="WWW-Authenticate">Section 4.1</a> |
---|
1186 | </td> |
---|
1187 | </tr> |
---|
1188 | </tbody> |
---|
1189 | </table> |
---|
1190 | </div> |
---|
1191 | <div id="rfc.section.5.3.p.3"> |
---|
1192 | <p>The change controller is: "IETF (iesg@ietf.org) - Internet Engineering Task Force".</p> |
---|
1193 | </div> |
---|
1194 | </div> |
---|
1195 | </div> |
---|
1196 | <div id="security.considerations"> |
---|
1197 | <h2 id="rfc.section.6"><a href="#rfc.section.6">6.</a> <a href="#security.considerations">Security Considerations</a></h2> |
---|
1198 | <div id="rfc.section.6.p.1"> |
---|
1199 | <p>This section is meant to inform developers, information providers, and users of known |
---|
1200 | security concerns specific to HTTP authentication. More general security considerations |
---|
1201 | are addressed in HTTP messaging <a href="#RFC7230" id="rfc.xref.RFC7230.7"><cite title="Hypertext Transfer Protocol (HTTP/1.1): Message Syntax and Routing">[RFC7230]</cite></a> and semantics <a href="#RFC7231" id="rfc.xref.RFC7231.2"><cite title="Hypertext Transfer Protocol (HTTP/1.1): Semantics and Content">[RFC7231]</cite></a>. |
---|
1202 | </p> |
---|
1203 | </div> |
---|
1204 | <div id="rfc.section.6.p.2"> |
---|
1205 | <p>Everything about the topic of HTTP authentication is a security consideration, so |
---|
1206 | the list of considerations below is not exhaustive. Furthermore, it is limited to |
---|
1207 | security considerations regarding the authentication framework, in general, rather |
---|
1208 | than discussing all of the potential considerations for specific authentication schemes |
---|
1209 | (which ought to be documented in the specifications that define those schemes). Various |
---|
1210 | organizations maintain topical information and links to current research on Web application |
---|
1211 | security (e.g., <a href="#OWASP" id="rfc.xref.OWASP.1"><cite title="A Guide to Building Secure Web Applications and Web Services">[OWASP]</cite></a>), including common pitfalls for implementing and using the authentication schemes |
---|
1212 | found in practice. |
---|
1213 | </p> |
---|
1214 | </div> |
---|
1215 | <div id="confidentiality.of.credentials"> |
---|
1216 | <h3 id="rfc.section.6.1"><a href="#rfc.section.6.1">6.1</a> <a href="#confidentiality.of.credentials">Confidentiality of Credentials</a></h3> |
---|
1217 | <div id="rfc.section.6.1.p.1"> |
---|
1218 | <p>The HTTP authentication framework does not define a single mechanism for maintaining |
---|
1219 | the confidentiality of credentials; instead, each authentication scheme defines how |
---|
1220 | the credentials are encoded prior to transmission. While this provides flexibility |
---|
1221 | for the development of future authentication schemes, it is inadequate for the protection |
---|
1222 | of existing schemes that provide no confidentiality on their own, or that do not sufficiently |
---|
1223 | protect against replay attacks. Furthermore, if the server expects credentials that |
---|
1224 | are specific to each individual user, the exchange of those credentials will have |
---|
1225 | the effect of identifying that user even if the content within credentials remains |
---|
1226 | confidential. |
---|
1227 | </p> |
---|
1228 | </div> |
---|
1229 | <div id="rfc.section.6.1.p.2"> |
---|
1230 | <p>HTTP depends on the security properties of the underlying transport- or session-level |
---|
1231 | connection to provide confidential transmission of header fields. In other words, |
---|
1232 | if a server limits access to authenticated users using this framework, the server |
---|
1233 | needs to ensure that the connection is properly secured in accordance with the nature |
---|
1234 | of the authentication scheme used. For example, services that depend on individual |
---|
1235 | user authentication often require a connection to be secured with TLS ("Transport |
---|
1236 | Layer Security", <a href="#RFC5246" id="rfc.xref.RFC5246.1"><cite title="The Transport Layer Security (TLS) Protocol Version 1.2">[RFC5246]</cite></a>) prior to exchanging any credentials. |
---|
1237 | </p> |
---|
1238 | </div> |
---|
1239 | </div> |
---|
1240 | <div id="auth.credentials.and.idle.clients"> |
---|
1241 | <h3 id="rfc.section.6.2"><a href="#rfc.section.6.2">6.2</a> <a href="#auth.credentials.and.idle.clients">Authentication Credentials and Idle Clients</a></h3> |
---|
1242 | <div id="rfc.section.6.2.p.1"> |
---|
1243 | <p>Existing HTTP clients and user agents typically retain authentication information |
---|
1244 | indefinitely. HTTP does not provide a mechanism for the origin server to direct clients |
---|
1245 | to discard these cached credentials, since the protocol has no awareness of how credentials |
---|
1246 | are obtained or managed by the user agent. The mechanisms for expiring or revoking |
---|
1247 | credentials can be specified as part of an authentication scheme definition. |
---|
1248 | </p> |
---|
1249 | </div> |
---|
1250 | <div id="rfc.section.6.2.p.2"> |
---|
1251 | <p>Circumstances under which credential caching can interfere with the application's |
---|
1252 | security model include but are not limited to: |
---|
1253 | </p> |
---|
1254 | <ul> |
---|
1255 | <li>Clients that have been idle for an extended period, following which the server might |
---|
1256 | wish to cause the client to re-prompt the user for credentials. |
---|
1257 | </li> |
---|
1258 | <li>Applications that include a session termination indication (such as a "logout" or |
---|
1259 | "commit" button on a page) after which the server side of the application "knows" |
---|
1260 | that there is no further reason for the client to retain the credentials. |
---|
1261 | </li> |
---|
1262 | </ul> |
---|
1263 | </div> |
---|
1264 | <div id="rfc.section.6.2.p.3"> |
---|
1265 | <p>User agents that cache credentials are encouraged to provide a readily accessible |
---|
1266 | mechanism for discarding cached credentials under user control. |
---|
1267 | </p> |
---|
1268 | </div> |
---|
1269 | </div> |
---|
1270 | <div id="protection.spaces"> |
---|
1271 | <h3 id="rfc.section.6.3"><a href="#rfc.section.6.3">6.3</a> <a href="#protection.spaces">Protection Spaces</a></h3> |
---|
1272 | <div id="rfc.section.6.3.p.1"> |
---|
1273 | <p>Authentication schemes that solely rely on the "realm" mechanism for establishing |
---|
1274 | a protection space will expose credentials to all resources on an origin server. Clients |
---|
1275 | that have successfully made authenticated requests with a resource can use the same |
---|
1276 | authentication credentials for other resources on the same origin server. This makes |
---|
1277 | it possible for a different resource to harvest authentication credentials for other |
---|
1278 | resources. |
---|
1279 | </p> |
---|
1280 | </div> |
---|
1281 | <div id="rfc.section.6.3.p.2"> |
---|
1282 | <p>This is of particular concern when an origin server hosts resources for multiple parties |
---|
1283 | under the same canonical root URI (<a href="#protection.space" title="Protection Space (Realm)">Section 2.2</a>). Possible mitigation strategies include restricting direct access to authentication |
---|
1284 | credentials (i.e., not making the content of the <a href="#header.authorization" class="smpl">Authorization</a> request header field available), and separating protection spaces by using a different |
---|
1285 | host name (or port number) for each party. |
---|
1286 | </p> |
---|
1287 | </div> |
---|
1288 | </div> |
---|
1289 | </div> |
---|
1290 | <div id="acks"> |
---|
1291 | <h2 id="rfc.section.7"><a href="#rfc.section.7">7.</a> <a href="#acks">Acknowledgments</a></h2> |
---|
1292 | <div id="rfc.section.7.p.1"> |
---|
1293 | <p>This specification takes over the definition of the HTTP Authentication Framework, |
---|
1294 | previously defined in <cite title="HTTP Authentication: Basic and Digest Access Authentication" id="rfc.xref.RFC2617.3">RFC 2617</cite>. We thank John Franks, Phillip M. Hallam-Baker, Jeffery L. Hostetler, Scott D. Lawrence, |
---|
1295 | Paul J. Leach, Ari Luotonen, and Lawrence C. Stewart for their work on that specification. |
---|
1296 | See <a href="https://tools.ietf.org/html/rfc2617#section-6">Section 6</a> of <a href="#RFC2617" id="rfc.xref.RFC2617.4"><cite title="HTTP Authentication: Basic and Digest Access Authentication">[RFC2617]</cite></a> for further acknowledgements. |
---|
1297 | </p> |
---|
1298 | </div> |
---|
1299 | <div id="rfc.section.7.p.2"> |
---|
1300 | <p>See <a href="p1-messaging.html#acks" title="Acknowledgments">Section 10</a> of <a href="#RFC7230" id="rfc.xref.RFC7230.8"><cite title="Hypertext Transfer Protocol (HTTP/1.1): Message Syntax and Routing">[RFC7230]</cite></a> for the Acknowledgments related to this document revision. |
---|
1301 | </p> |
---|
1302 | </div> |
---|
1303 | </div> |
---|
1304 | <h2 id="rfc.references"><a id="rfc.section.8" href="#rfc.section.8">8.</a> References |
---|
1305 | </h2> |
---|
1306 | <h3 id="rfc.references.1"><a href="#rfc.section.8.1" id="rfc.section.8.1">8.1</a> Normative References |
---|
1307 | </h3> |
---|
1308 | <dl class="reference"> |
---|
1309 | <dt id="RFC2119">[RFC2119]</dt> |
---|
1310 | <dd>Bradner, S., “<a href="https://tools.ietf.org/html/rfc2119">Key words for use in RFCs to Indicate Requirement Levels</a>”, BCP 14, RFC 2119, March 1997. |
---|
1311 | </dd> |
---|
1312 | <dt id="RFC5234">[RFC5234]</dt> |
---|
1313 | <dd>Crocker, D., Ed. and P. Overell, “<a href="https://tools.ietf.org/html/rfc5234">Augmented BNF for Syntax Specifications: ABNF</a>”, STD 68, RFC 5234, January 2008. |
---|
1314 | </dd> |
---|
1315 | <dt id="RFC7230">[RFC7230]</dt> |
---|
1316 | <dd>Fielding, R., Ed. and J. Reschke, Ed., “<a href="https://tools.ietf.org/html/draft-ietf-httpbis-p1-messaging-latest">Hypertext Transfer Protocol (HTTP/1.1): Message Syntax and Routing</a>”, Internet-Draft draft-ietf-httpbis-p1-messaging-latest (work in progress), June 2014. |
---|
1317 | </dd> |
---|
1318 | <dt id="RFC7231">[RFC7231]</dt> |
---|
1319 | <dd>Fielding, R., Ed. and J. Reschke, Ed., “<a href="https://tools.ietf.org/html/draft-ietf-httpbis-p2-semantics-latest">Hypertext Transfer Protocol (HTTP/1.1): Semantics and Content</a>”, Internet-Draft draft-ietf-httpbis-p2-semantics-latest (work in progress), June 2014. |
---|
1320 | </dd> |
---|
1321 | <dt id="RFC7234">[RFC7234]</dt> |
---|
1322 | <dd>Fielding, R., Ed., Nottingham, M., Ed., and J. Reschke, Ed., “<a href="https://tools.ietf.org/html/draft-ietf-httpbis-p6-cache-latest">Hypertext Transfer Protocol (HTTP/1.1): Caching</a>”, Internet-Draft draft-ietf-httpbis-p6-cache-latest (work in progress), June 2014. |
---|
1323 | </dd> |
---|
1324 | </dl> |
---|
1325 | <h3 id="rfc.references.2"><a href="#rfc.section.8.2" id="rfc.section.8.2">8.2</a> Informative References |
---|
1326 | </h3> |
---|
1327 | <dl class="reference"> |
---|
1328 | <dt id="BCP90">[BCP90]</dt> |
---|
1329 | <dd>Klyne, G., Nottingham, M., and J. Mogul, “<a href="https://tools.ietf.org/html/rfc3864">Registration Procedures for Message Header Fields</a>”, BCP 90, RFC 3864, September 2004. |
---|
1330 | </dd> |
---|
1331 | <dt id="OWASP">[OWASP]</dt> |
---|
1332 | <dd>van der Stock, A., Ed., “<a href="https://www.owasp.org/">A Guide to Building Secure Web Applications and Web Services</a>”, The Open Web Application Security Project (OWASP) 2.0.1, July 2005, <<a href="https://www.owasp.org/">https://www.owasp.org/</a>>. |
---|
1333 | </dd> |
---|
1334 | <dt id="RFC2616">[RFC2616]</dt> |
---|
1335 | <dd>Fielding, R., Gettys, J., Mogul, J., Frystyk, H., Masinter, L., Leach, P., and T. Berners-Lee, “<a href="https://tools.ietf.org/html/rfc2616">Hypertext Transfer Protocol -- HTTP/1.1</a>”, RFC 2616, June 1999. |
---|
1336 | </dd> |
---|
1337 | <dt id="RFC2617">[RFC2617]</dt> |
---|
1338 | <dd>Franks, J., Hallam-Baker, P., Hostetler, J., Lawrence, S., Leach, P., Luotonen, A., and L. Stewart, “<a href="https://tools.ietf.org/html/rfc2617">HTTP Authentication: Basic and Digest Access Authentication</a>”, RFC 2617, June 1999. |
---|
1339 | </dd> |
---|
1340 | <dt id="RFC3986">[RFC3986]</dt> |
---|
1341 | <dd>Berners-Lee, T., Fielding, R., and L. Masinter, “<a href="https://tools.ietf.org/html/rfc3986">Uniform Resource Identifier (URI): Generic Syntax</a>”, STD 66, RFC 3986, January 2005. |
---|
1342 | </dd> |
---|
1343 | <dt id="RFC4648">[RFC4648]</dt> |
---|
1344 | <dd>Josefsson, S., “<a href="https://tools.ietf.org/html/rfc4648">The Base16, Base32, and Base64 Data Encodings</a>”, RFC 4648, October 2006. |
---|
1345 | </dd> |
---|
1346 | <dt id="RFC5226">[RFC5226]</dt> |
---|
1347 | <dd>Narten, T. and H. Alvestrand, “<a href="https://tools.ietf.org/html/rfc5226">Guidelines for Writing an IANA Considerations Section in RFCs</a>”, BCP 26, RFC 5226, May 2008. |
---|
1348 | </dd> |
---|
1349 | <dt id="RFC5246">[RFC5246]</dt> |
---|
1350 | <dd>Dierks, T. and E. Rescorla, “<a href="https://tools.ietf.org/html/rfc5246">The Transport Layer Security (TLS) Protocol Version 1.2</a>”, RFC 5246, August 2008. |
---|
1351 | </dd> |
---|
1352 | </dl> |
---|
1353 | <div id="changes.from.rfc.2616"> |
---|
1354 | <h2 id="rfc.section.A" class="np"><a href="#rfc.section.A">A.</a> <a href="#changes.from.rfc.2616">Changes from RFCs 2616 and 2617</a></h2> |
---|
1355 | <div id="rfc.section.A.p.1"> |
---|
1356 | <p>The framework for HTTP Authentication is now defined by this document, rather than |
---|
1357 | RFC 2617. |
---|
1358 | </p> |
---|
1359 | </div> |
---|
1360 | <div id="rfc.section.A.p.2"> |
---|
1361 | <p>The "realm" parameter is no longer always required on challenges; consequently, the |
---|
1362 | ABNF allows challenges without any auth parameters. (<a href="#access.authentication.framework" title="Access Authentication Framework">Section 2</a>) |
---|
1363 | </p> |
---|
1364 | </div> |
---|
1365 | <div id="rfc.section.A.p.3"> |
---|
1366 | <p>The "token68" alternative to auth-param lists has been added for consistency with |
---|
1367 | legacy authentication schemes such as "Basic". (<a href="#access.authentication.framework" title="Access Authentication Framework">Section 2</a>) |
---|
1368 | </p> |
---|
1369 | </div> |
---|
1370 | <div id="rfc.section.A.p.4"> |
---|
1371 | <p>This specification introduces the Authentication Scheme Registry, along with considerations |
---|
1372 | for new authentication schemes. (<a href="#authentication.scheme.registry" title="Authentication Scheme Registry">Section 5.1</a>) |
---|
1373 | </p> |
---|
1374 | </div> |
---|
1375 | </div> |
---|
1376 | <div id="imported.abnf"> |
---|
1377 | <h2 id="rfc.section.B"><a href="#rfc.section.B">B.</a> <a href="#imported.abnf">Imported ABNF</a></h2> |
---|
1378 | <div id="rfc.section.B.p.1"> |
---|
1379 | <p>The following core rules are included by reference, as defined in <a href="https://tools.ietf.org/html/rfc5234#appendix-B.1">Appendix B.1</a> of <a href="#RFC5234" id="rfc.xref.RFC5234.2"><cite title="Augmented BNF for Syntax Specifications: ABNF">[RFC5234]</cite></a>: ALPHA (letters), CR (carriage return), CRLF (CR LF), CTL (controls), DIGIT (decimal |
---|
1380 | 0-9), DQUOTE (double quote), HEXDIG (hexadecimal 0-9/A-F/a-f), LF (line feed), OCTET |
---|
1381 | (any 8-bit sequence of data), SP (space), and VCHAR (any visible US-ASCII character). |
---|
1382 | </p> |
---|
1383 | </div> |
---|
1384 | <div id="rfc.section.B.p.2" class="avoidbreakafter"> |
---|
1385 | <p>The rules below are defined in <a href="#RFC7230" id="rfc.xref.RFC7230.9"><cite title="Hypertext Transfer Protocol (HTTP/1.1): Message Syntax and Routing">[RFC7230]</cite></a>: |
---|
1386 | </p> |
---|
1387 | </div> |
---|
1388 | <div id="rfc.figure.u.9"><pre class="inline"> <a href="#imported.abnf" class="smpl">BWS</a> = <BWS, see <a href="#RFC7230" id="rfc.xref.RFC7230.10"><cite title="Hypertext Transfer Protocol (HTTP/1.1): Message Syntax and Routing">[RFC7230]</cite></a>, <a href="p1-messaging.html#whitespace" title="Whitespace">Section 3.2.3</a>> |
---|
1389 | <a href="#imported.abnf" class="smpl">OWS</a> = <OWS, see <a href="#RFC7230" id="rfc.xref.RFC7230.11"><cite title="Hypertext Transfer Protocol (HTTP/1.1): Message Syntax and Routing">[RFC7230]</cite></a>, <a href="p1-messaging.html#whitespace" title="Whitespace">Section 3.2.3</a>> |
---|
1390 | <a href="#imported.abnf" class="smpl">quoted-string</a> = <quoted-string, see <a href="#RFC7230" id="rfc.xref.RFC7230.12"><cite title="Hypertext Transfer Protocol (HTTP/1.1): Message Syntax and Routing">[RFC7230]</cite></a>, <a href="p1-messaging.html#field.components" title="Field Value Components">Section 3.2.6</a>> |
---|
1391 | <a href="#imported.abnf" class="smpl">token</a> = <token, see <a href="#RFC7230" id="rfc.xref.RFC7230.13"><cite title="Hypertext Transfer Protocol (HTTP/1.1): Message Syntax and Routing">[RFC7230]</cite></a>, <a href="p1-messaging.html#field.components" title="Field Value Components">Section 3.2.6</a>> |
---|
1392 | </pre></div> |
---|
1393 | </div> |
---|
1394 | <div id="collected.abnf"> |
---|
1395 | <h2 id="rfc.section.C"><a href="#rfc.section.C">C.</a> <a href="#collected.abnf">Collected ABNF</a></h2> |
---|
1396 | <div id="rfc.section.C.p.1"> |
---|
1397 | <p>In the collected ABNF below, list rules are expanded as per <a href="p1-messaging.html#notation" title="Syntax Notation">Section 1.2</a> of <a href="#RFC7230" id="rfc.xref.RFC7230.14"><cite title="Hypertext Transfer Protocol (HTTP/1.1): Message Syntax and Routing">[RFC7230]</cite></a>. |
---|
1398 | </p> |
---|
1399 | </div> |
---|
1400 | <div id="rfc.figure.u.10"><pre class="inline"><a href="#header.authorization" class="smpl">Authorization</a> = credentials |
---|
1401 | |
---|
1402 | <a href="#imported.abnf" class="smpl">BWS</a> = <BWS, see [RFC7230], Section 3.2.3> |
---|
1403 | |
---|
1404 | <a href="#imported.abnf" class="smpl">OWS</a> = <OWS, see [RFC7230], Section 3.2.3> |
---|
1405 | |
---|
1406 | <a href="#header.proxy-authenticate" class="smpl">Proxy-Authenticate</a> = *( "," OWS ) challenge *( OWS "," [ OWS |
---|
1407 | challenge ] ) |
---|
1408 | <a href="#header.proxy-authorization" class="smpl">Proxy-Authorization</a> = credentials |
---|
1409 | |
---|
1410 | <a href="#header.www-authenticate" class="smpl">WWW-Authenticate</a> = *( "," OWS ) challenge *( OWS "," [ OWS challenge |
---|
1411 | ] ) |
---|
1412 | |
---|
1413 | <a href="#challenge.and.response" class="smpl">auth-param</a> = token BWS "=" BWS ( token / quoted-string ) |
---|
1414 | <a href="#challenge.and.response" class="smpl">auth-scheme</a> = token |
---|
1415 | |
---|
1416 | <a href="#challenge.and.response" class="smpl">challenge</a> = auth-scheme [ 1*SP ( token68 / [ ( "," / auth-param ) *( |
---|
1417 | OWS "," [ OWS auth-param ] ) ] ) ] |
---|
1418 | <a href="#challenge.and.response" class="smpl">credentials</a> = auth-scheme [ 1*SP ( token68 / [ ( "," / auth-param ) |
---|
1419 | *( OWS "," [ OWS auth-param ] ) ] ) ] |
---|
1420 | |
---|
1421 | <a href="#imported.abnf" class="smpl">quoted-string</a> = <quoted-string, see [RFC7230], Section 3.2.6> |
---|
1422 | |
---|
1423 | <a href="#imported.abnf" class="smpl">token</a> = <token, see [RFC7230], Section 3.2.6> |
---|
1424 | <a href="#challenge.and.response" class="smpl">token68</a> = 1*( ALPHA / DIGIT / "-" / "." / "_" / "~" / "+" / "/" ) |
---|
1425 | *"=" |
---|
1426 | </pre></div> |
---|
1427 | </div> |
---|
1428 | <h2 id="rfc.index"><a href="#rfc.index">Index</a></h2> |
---|
1429 | <p class="noprint"><a href="#rfc.index.4">4</a> <a href="#rfc.index.A">A</a> <a href="#rfc.index.B">B</a> <a href="#rfc.index.C">C</a> <a href="#rfc.index.G">G</a> <a href="#rfc.index.O">O</a> <a href="#rfc.index.P">P</a> <a href="#rfc.index.R">R</a> <a href="#rfc.index.W">W</a> |
---|
1430 | </p> |
---|
1431 | <div class="print2col"> |
---|
1432 | <ul class="ind"> |
---|
1433 | <li><a id="rfc.index.4" href="#rfc.index.4"><b>4</b></a><ul> |
---|
1434 | <li>401 Unauthorized (status code) <a href="#rfc.section.3.1"><b>3.1</b></a>, <a href="#rfc.xref.status.401.1">5.2</a></li> |
---|
1435 | <li>407 Proxy Authentication Required (status code) <a href="#rfc.section.3.2"><b>3.2</b></a>, <a href="#rfc.xref.status.407.1">5.2</a></li> |
---|
1436 | </ul> |
---|
1437 | </li> |
---|
1438 | <li><a id="rfc.index.A" href="#rfc.index.A"><b>A</b></a><ul> |
---|
1439 | <li>Authorization header field <a href="#rfc.xref.header.authorization.1">3.1</a>, <a href="#rfc.section.4.2"><b>4.2</b></a>, <a href="#rfc.xref.header.authorization.2">5.3</a></li> |
---|
1440 | </ul> |
---|
1441 | </li> |
---|
1442 | <li><a id="rfc.index.B" href="#rfc.index.B"><b>B</b></a><ul> |
---|
1443 | <li><em>BCP90</em> <a href="#rfc.xref.BCP90.1">5.3</a>, <a href="#BCP90"><b>8.2</b></a></li> |
---|
1444 | </ul> |
---|
1445 | </li> |
---|
1446 | <li><a id="rfc.index.C" href="#rfc.index.C"><b>C</b></a><ul> |
---|
1447 | <li>Canonical Root URI <a href="#rfc.section.2.2">2.2</a></li> |
---|
1448 | </ul> |
---|
1449 | </li> |
---|
1450 | <li><a id="rfc.index.G" href="#rfc.index.G"><b>G</b></a><ul> |
---|
1451 | <li><tt>Grammar</tt> |
---|
1452 | <ul> |
---|
1453 | <li><tt>auth-param</tt> <a href="#rfc.iref.g.2"><b>2.1</b></a></li> |
---|
1454 | <li><tt>auth-scheme</tt> <a href="#rfc.iref.g.1"><b>2.1</b></a></li> |
---|
1455 | <li><tt>Authorization</tt> <a href="#rfc.iref.g.7"><b>4.2</b></a></li> |
---|
1456 | <li><tt>challenge</tt> <a href="#rfc.iref.g.4"><b>2.1</b></a></li> |
---|
1457 | <li><tt>credentials</tt> <a href="#rfc.iref.g.5"><b>2.1</b></a></li> |
---|
1458 | <li><tt>Proxy-Authenticate</tt> <a href="#rfc.iref.g.8"><b>4.3</b></a></li> |
---|
1459 | <li><tt>Proxy-Authorization</tt> <a href="#rfc.iref.g.9"><b>4.4</b></a></li> |
---|
1460 | <li><tt>token68</tt> <a href="#rfc.iref.g.3"><b>2.1</b></a></li> |
---|
1461 | <li><tt>WWW-Authenticate</tt> <a href="#rfc.iref.g.6"><b>4.1</b></a></li> |
---|
1462 | </ul> |
---|
1463 | </li> |
---|
1464 | </ul> |
---|
1465 | </li> |
---|
1466 | <li><a id="rfc.index.O" href="#rfc.index.O"><b>O</b></a><ul> |
---|
1467 | <li><em>OWASP</em> <a href="#rfc.xref.OWASP.1">6</a>, <a href="#OWASP"><b>8.2</b></a></li> |
---|
1468 | </ul> |
---|
1469 | </li> |
---|
1470 | <li><a id="rfc.index.P" href="#rfc.index.P"><b>P</b></a><ul> |
---|
1471 | <li>Protection Space <a href="#rfc.section.2.2">2.2</a></li> |
---|
1472 | <li>Proxy-Authenticate header field <a href="#rfc.xref.header.proxy-authenticate.1">3.2</a>, <a href="#rfc.section.4.3"><b>4.3</b></a>, <a href="#rfc.xref.header.proxy-authenticate.2">5.3</a></li> |
---|
1473 | <li>Proxy-Authorization header field <a href="#rfc.xref.header.proxy-authorization.1">3.2</a>, <a href="#rfc.section.4.4"><b>4.4</b></a>, <a href="#rfc.xref.header.proxy-authorization.2">5.3</a></li> |
---|
1474 | </ul> |
---|
1475 | </li> |
---|
1476 | <li><a id="rfc.index.R" href="#rfc.index.R"><b>R</b></a><ul> |
---|
1477 | <li>Realm <a href="#rfc.section.2.2">2.2</a></li> |
---|
1478 | <li><em>RFC2119</em> <a href="#rfc.xref.RFC2119.1">1.1</a>, <a href="#RFC2119"><b>8.1</b></a></li> |
---|
1479 | <li><em>RFC2616</em> <a href="#rfc.xref.RFC2616.1">1</a>, <a href="#RFC2616"><b>8.2</b></a></li> |
---|
1480 | <li><em>RFC2617</em> <a href="#rfc.xref.RFC2617.1">1</a>, <a href="#rfc.xref.RFC2617.2">1</a>, <a href="#rfc.xref.RFC2617.3">7</a>, <a href="#rfc.xref.RFC2617.4">7</a>, <a href="#RFC2617"><b>8.2</b></a><ul> |
---|
1481 | <li><em>Section 6</em> <a href="#rfc.xref.RFC2617.4">7</a></li> |
---|
1482 | </ul> |
---|
1483 | </li> |
---|
1484 | <li><em>RFC3986</em> <a href="#rfc.xref.RFC3986.1">2.1</a>, <a href="#RFC3986"><b>8.2</b></a></li> |
---|
1485 | <li><em>RFC4648</em> <a href="#rfc.xref.RFC4648.1">2.1</a>, <a href="#RFC4648"><b>8.2</b></a></li> |
---|
1486 | <li><em>RFC5226</em> <a href="#rfc.xref.RFC5226.1">5.1.1</a>, <a href="#RFC5226"><b>8.2</b></a><ul> |
---|
1487 | <li><em>Section 4.1</em> <a href="#rfc.xref.RFC5226.1">5.1.1</a></li> |
---|
1488 | </ul> |
---|
1489 | </li> |
---|
1490 | <li><em>RFC5234</em> <a href="#rfc.xref.RFC5234.1">1.2</a>, <a href="#RFC5234"><b>8.1</b></a>, <a href="#rfc.xref.RFC5234.2">B</a><ul> |
---|
1491 | <li><em>Appendix B.1</em> <a href="#rfc.xref.RFC5234.2">B</a></li> |
---|
1492 | </ul> |
---|
1493 | </li> |
---|
1494 | <li><em>RFC5246</em> <a href="#rfc.xref.RFC5246.1">6.1</a>, <a href="#RFC5246"><b>8.2</b></a></li> |
---|
1495 | <li><em>RFC7230</em> <a href="#rfc.xref.RFC7230.1">1</a>, <a href="#rfc.xref.RFC7230.2">1.1</a>, <a href="#rfc.xref.RFC7230.3">1.2</a>, <a href="#rfc.xref.RFC7230.4">2.2</a>, <a href="#rfc.xref.RFC7230.5">4.3</a>, <a href="#rfc.xref.RFC7230.6">5.1.2</a>, <a href="#rfc.xref.RFC7230.7">6</a>, <a href="#rfc.xref.RFC7230.8">7</a>, <a href="#RFC7230"><b>8.1</b></a>, <a href="#rfc.xref.RFC7230.9">B</a>, <a href="#rfc.xref.RFC7230.10">B</a>, <a href="#rfc.xref.RFC7230.11">B</a>, <a href="#rfc.xref.RFC7230.12">B</a>, <a href="#rfc.xref.RFC7230.13">B</a>, <a href="#rfc.xref.RFC7230.14">C</a><ul> |
---|
1496 | <li><em>Section 1.2</em> <a href="#rfc.xref.RFC7230.14">C</a></li> |
---|
1497 | <li><em>Section 2.3</em> <a href="#rfc.xref.RFC7230.6">5.1.2</a></li> |
---|
1498 | <li><em>Section 2.5</em> <a href="#rfc.xref.RFC7230.2">1.1</a></li> |
---|
1499 | <li><em>Section 3.2.3</em> <a href="#rfc.xref.RFC7230.10">B</a>, <a href="#rfc.xref.RFC7230.11">B</a></li> |
---|
1500 | <li><em>Section 3.2.6</em> <a href="#rfc.xref.RFC7230.12">B</a>, <a href="#rfc.xref.RFC7230.13">B</a></li> |
---|
1501 | <li><em>Section 5.5</em> <a href="#rfc.xref.RFC7230.4">2.2</a>, <a href="#rfc.xref.RFC7230.5">4.3</a></li> |
---|
1502 | <li><em>Section 7</em> <a href="#rfc.xref.RFC7230.3">1.2</a></li> |
---|
1503 | <li><em>Section 10</em> <a href="#rfc.xref.RFC7230.8">7</a></li> |
---|
1504 | </ul> |
---|
1505 | </li> |
---|
1506 | <li><em>RFC7231</em> <a href="#rfc.xref.RFC7231.1">2.1</a>, <a href="#rfc.xref.RFC7231.2">6</a>, <a href="#RFC7231"><b>8.1</b></a><ul> |
---|
1507 | <li><em>Section 6.5.3</em> <a href="#rfc.xref.RFC7231.1">2.1</a></li> |
---|
1508 | </ul> |
---|
1509 | </li> |
---|
1510 | <li><em>RFC7234</em> <a href="#rfc.xref.RFC7234.1">4.2</a>, <a href="#rfc.xref.RFC7234.2">5.1.2</a>, <a href="#rfc.xref.RFC7234.3">5.1.2</a>, <a href="#RFC7234"><b>8.1</b></a><ul> |
---|
1511 | <li><em>Section 3.2</em> <a href="#rfc.xref.RFC7234.1">4.2</a></li> |
---|
1512 | <li><em>Section 5.2.1.5</em> <a href="#rfc.xref.RFC7234.3">5.1.2</a></li> |
---|
1513 | <li><em>Section 5.2.2.6</em> <a href="#rfc.xref.RFC7234.2">5.1.2</a></li> |
---|
1514 | </ul> |
---|
1515 | </li> |
---|
1516 | </ul> |
---|
1517 | </li> |
---|
1518 | <li><a id="rfc.index.W" href="#rfc.index.W"><b>W</b></a><ul> |
---|
1519 | <li>WWW-Authenticate header field <a href="#rfc.xref.header.www-authenticate.1">3.1</a>, <a href="#rfc.section.4.1"><b>4.1</b></a>, <a href="#rfc.xref.header.www-authenticate.2">4.3</a>, <a href="#rfc.xref.header.www-authenticate.3">5.3</a></li> |
---|
1520 | </ul> |
---|
1521 | </li> |
---|
1522 | </ul> |
---|
1523 | </div> |
---|
1524 | <div class="avoidbreakinside"> |
---|
1525 | <h2 id="rfc.authors"><a href="#rfc.authors">Authors' Addresses</a></h2> |
---|
1526 | <p><b>Roy T. Fielding</b> |
---|
1527 | (editor) |
---|
1528 | <br>Adobe Systems Incorporated<br>345 Park Ave<br>San Jose, CA 95110<br>USA<br>Email: fielding@gbiv.com<br>URI: <a href="http://roy.gbiv.com/">http://roy.gbiv.com/</a></p> |
---|
1529 | <p><b>Julian F. Reschke</b> |
---|
1530 | (editor) |
---|
1531 | <br>greenbytes GmbH<br>Hafenweg 16<br>Muenster, NW 48155<br>Germany<br>Email: julian.reschke@greenbytes.de<br>URI: <a href="http://greenbytes.de/tech/webdav/">http://greenbytes.de/tech/webdav/</a></p> |
---|
1532 | </div> |
---|
1533 | </body> |
---|
1534 | </html> |
---|