Changeset 191
- Timestamp: 03/02/08 19:38:52
- Location: draft-ietf-httpbis/latest
- Files: 2 edited
draft-ietf-httpbis/latest/p7-auth.html
r189 r191 524 524 <p id="rfc.section.1.p.2">HTTP provides several <em class="bcp14">OPTIONAL</em> challenge-response authentication mechanisms which can be used by a server to challenge a client request and by a client to 525 525 provide authentication information. The general framework for access authentication, and the specification of "basic" and 526 "digest" authentication, are specified in "HTTP Authentication: Basic and Digest Access Authentication" <a href="#RFC2617" id="rfc.xref.RFC2617.2"><cite title="HTTP Authentication: Basic and Digest Access Authentication">[RFC2617]</cite></a>. This specification adopts the definitions of "challenge" and "credentials" from that specification. 527 </p> 528 <h2 id="rfc.section.1.1"><a href="#rfc.section.1.1">1.1</a> <a id="intro.requirements" href="#intro.requirements">Requirements</a></h2> 526 "digest" authentication, are specified in "HTTP Authentication: Basic and Digest Access Authentication" <a href="#RFC2617" id="rfc.xref.RFC2617.2"><cite title="HTTP Authentication: Basic and Digest Access Authentication">[RFC2617]</cite></a>. 
This specification adopts the definitions of "challenge" and "credentials" from that specification: 527 </p> 528 <div id="rfc.figure.u.1"></div><pre class="inline"><span id="rfc.iref.g.1"></span><span id="rfc.iref.g.2"></span> challenge = <challenge, defined in <a href="#RFC2617" id="rfc.xref.RFC2617.3"><cite title="HTTP Authentication: Basic and Digest Access Authentication">[RFC2617]</cite></a>, <a href="http://tools.ietf.org/html/rfc2617#section-1.2">Section 1.2</a>> 529 credentials = <credentials, defined in <a href="#RFC2617" id="rfc.xref.RFC2617.4"><cite title="HTTP Authentication: Basic and Digest Access Authentication">[RFC2617]</cite></a>, <a href="http://tools.ietf.org/html/rfc2617#section-1.2">Section 1.2</a>> 530 </pre><h2 id="rfc.section.1.1"><a href="#rfc.section.1.1">1.1</a> <a id="intro.requirements" href="#intro.requirements">Requirements</a></h2> 529 531 <p id="rfc.section.1.1.p.1">The key words "MUST", "MUST NOT", "REQUIRED", "SHALL", "SHALL NOT", "SHOULD", "SHOULD NOT", "RECOMMENDED", "MAY", and "OPTIONAL" 530 532 in this document are to be interpreted as described in <a href="#RFC2119" id="rfc.xref.RFC2119.1"><cite title="Key words for use in RFCs to Indicate Requirement Levels">[RFC2119]</cite></a>. … … 534 536 <h1 id="rfc.section.2"><a href="#rfc.section.2">2.</a> Status Code Definitions 535 537 </h1> 536 <div id="rfc.iref. "></div>538 <div id="rfc.iref.2"></div> 537 539 <div id="rfc.iref.s.1"></div> 538 540 <h2 id="rfc.section.2.1"><a href="#rfc.section.2.1">2.1</a> <a id="status.401" href="#status.401">401 Unauthorized</a></h2> … … 540 542 refused for those credentials. If the 401 response contains the same challenge as the prior response, and the user agent has 541 543 already attempted authentication at least once, then the user <em class="bcp14">SHOULD</em> be presented the entity that was given in the response, since that entity might include relevant diagnostic information. 
HTTP 542 access authentication is explained in "HTTP Authentication: Basic and Digest Access Authentication" <a href="#RFC2617" id="rfc.xref.RFC2617. 3"><cite title="HTTP Authentication: Basic and Digest Access Authentication">[RFC2617]</cite></a>.543 </p> 544 <div id="rfc.iref. 1"></div>544 access authentication is explained in "HTTP Authentication: Basic and Digest Access Authentication" <a href="#RFC2617" id="rfc.xref.RFC2617.5"><cite title="HTTP Authentication: Basic and Digest Access Authentication">[RFC2617]</cite></a>. 545 </p> 546 <div id="rfc.iref.3"></div> 545 547 <div id="rfc.iref.s.2"></div> 546 548 <h2 id="rfc.section.2.2"><a href="#rfc.section.2.2">2.2</a> <a id="status.407" href="#status.407">407 Proxy Authentication Required</a></h2> 547 549 <p id="rfc.section.2.2.p.1">This code is similar to 401 (Unauthorized), but indicates that the client must first authenticate itself with the proxy. The 548 proxy <em class="bcp14">MUST</em> return a Proxy-Authenticate header field (<a href="#header.proxy-authenticate" id="rfc.xref.header.proxy-authenticate.1" title="Proxy-Authenticate">Section 3.2</a>) containing a challenge applicable to the proxy for the requested resource. The client <em class="bcp14">MAY</em> repeat the request with a suitable Proxy-Authorization header field (<a href="#header.proxy-authorization" id="rfc.xref.header.proxy-authorization.1" title="Proxy-Authorization">Section 3.3</a>). HTTP access authentication is explained in "HTTP Authentication: Basic and Digest Access Authentication" <a href="#RFC2617" id="rfc.xref.RFC2617. 4"><cite title="HTTP Authentication: Basic and Digest Access Authentication">[RFC2617]</cite></a>.550 proxy <em class="bcp14">MUST</em> return a Proxy-Authenticate header field (<a href="#header.proxy-authenticate" id="rfc.xref.header.proxy-authenticate.1" title="Proxy-Authenticate">Section 3.2</a>) containing a challenge applicable to the proxy for the requested resource. 
The client <em class="bcp14">MAY</em> repeat the request with a suitable Proxy-Authorization header field (<a href="#header.proxy-authorization" id="rfc.xref.header.proxy-authorization.1" title="Proxy-Authorization">Section 3.3</a>). HTTP access authentication is explained in "HTTP Authentication: Basic and Digest Access Authentication" <a href="#RFC2617" id="rfc.xref.RFC2617.6"><cite title="HTTP Authentication: Basic and Digest Access Authentication">[RFC2617]</cite></a>. 549 551 </p> 550 552 <h1 id="rfc.section.3"><a href="#rfc.section.3">3.</a> <a id="header.fields" href="#header.fields">Header Field Definitions</a></h1> … … 557 559 containing the authentication information of the user agent for the realm of the resource being requested. 558 560 </p> 559 <div id="rfc.figure.u. 1"></div><pre class="inline"><span id="rfc.iref.g.1"></span> Authorization = "Authorization" ":" credentials560 </pre><p id="rfc.section.3.1.p.3">HTTP access authentication is described in "HTTP Authentication: Basic and Digest Access Authentication" <a href="#RFC2617" id="rfc.xref.RFC2617. 5"><cite title="HTTP Authentication: Basic and Digest Access Authentication">[RFC2617]</cite></a>. If a request is authenticated and a realm specified, the same credentials <em class="bcp14">SHOULD</em> be valid for all other requests within this realm (assuming that the authentication scheme itself does not require otherwise,561 <div id="rfc.figure.u.2"></div><pre class="inline"><span id="rfc.iref.g.3"></span> Authorization = "Authorization" ":" credentials 562 </pre><p id="rfc.section.3.1.p.3">HTTP access authentication is described in "HTTP Authentication: Basic and Digest Access Authentication" <a href="#RFC2617" id="rfc.xref.RFC2617.7"><cite title="HTTP Authentication: Basic and Digest Access Authentication">[RFC2617]</cite></a>. 
If a request is authenticated and a realm specified, the same credentials <em class="bcp14">SHOULD</em> be valid for all other requests within this realm (assuming that the authentication scheme itself does not require otherwise, 561 563 such as credentials that vary according to a challenge value or using synchronized clocks). 562 564 </p> … … 580 582 the authentication scheme and parameters applicable to the proxy for this Request-URI. 581 583 </p> 582 <div id="rfc.figure.u. 2"></div><pre class="inline"><span id="rfc.iref.g.2"></span> Proxy-Authenticate = "Proxy-Authenticate" ":" 1#challenge583 </pre><p id="rfc.section.3.2.p.3">The HTTP access authentication process is described in "HTTP Authentication: Basic and Digest Access Authentication" <a href="#RFC2617" id="rfc.xref.RFC2617. 6"><cite title="HTTP Authentication: Basic and Digest Access Authentication">[RFC2617]</cite></a>. Unlike WWW-Authenticate, the Proxy-Authenticate header field applies only to the current connection and <em class="bcp14">SHOULD NOT</em> be passed on to downstream clients. However, an intermediate proxy might need to obtain its own credentials by requesting584 <div id="rfc.figure.u.3"></div><pre class="inline"><span id="rfc.iref.g.4"></span> Proxy-Authenticate = "Proxy-Authenticate" ":" 1#challenge 585 </pre><p id="rfc.section.3.2.p.3">The HTTP access authentication process is described in "HTTP Authentication: Basic and Digest Access Authentication" <a href="#RFC2617" id="rfc.xref.RFC2617.8"><cite title="HTTP Authentication: Basic and Digest Access Authentication">[RFC2617]</cite></a>. Unlike WWW-Authenticate, the Proxy-Authenticate header field applies only to the current connection and <em class="bcp14">SHOULD NOT</em> be passed on to downstream clients. 
However, an intermediate proxy might need to obtain its own credentials by requesting 584 586 them from the downstream client, which in some circumstances will appear as if the proxy is forwarding the Proxy-Authenticate 585 587 header field. … … 592 594 user agent for the proxy and/or realm of the resource being requested. 593 595 </p> 594 <div id="rfc.figure.u. 3"></div><pre class="inline"><span id="rfc.iref.g.3"></span> Proxy-Authorization = "Proxy-Authorization" ":" credentials595 </pre><p id="rfc.section.3.3.p.3">The HTTP access authentication process is described in "HTTP Authentication: Basic and Digest Access Authentication" <a href="#RFC2617" id="rfc.xref.RFC2617. 7"><cite title="HTTP Authentication: Basic and Digest Access Authentication">[RFC2617]</cite></a>. Unlike Authorization, the Proxy-Authorization header field applies only to the next outbound proxy that demanded authentication596 <div id="rfc.figure.u.4"></div><pre class="inline"><span id="rfc.iref.g.5"></span> Proxy-Authorization = "Proxy-Authorization" ":" credentials 597 </pre><p id="rfc.section.3.3.p.3">The HTTP access authentication process is described in "HTTP Authentication: Basic and Digest Access Authentication" <a href="#RFC2617" id="rfc.xref.RFC2617.9"><cite title="HTTP Authentication: Basic and Digest Access Authentication">[RFC2617]</cite></a>. Unlike Authorization, the Proxy-Authorization header field applies only to the next outbound proxy that demanded authentication 596 598 using the Proxy-Authenticate field. When multiple proxies are used in a chain, the Proxy-Authorization header field is consumed 597 599 by the first outbound proxy that was expecting to receive credentials. A proxy <em class="bcp14">MAY</em> relay the credentials from the client request to the next proxy if that is the mechanism by which the proxies cooperatively … … 604 606 authentication scheme(s) and parameters applicable to the Request-URI. 605 607 </p> 606 <div id="rfc.figure.u. 
4"></div><pre class="inline"><span id="rfc.iref.g.4"></span> WWW-Authenticate = "WWW-Authenticate" ":" 1#challenge607 </pre><p id="rfc.section.3.4.p.3">The HTTP access authentication process is described in "HTTP Authentication: Basic and Digest Access Authentication" <a href="#RFC2617" id="rfc.xref.RFC2617. 8"><cite title="HTTP Authentication: Basic and Digest Access Authentication">[RFC2617]</cite></a>. User agents are advised to take special care in parsing the WWW-Authenticate field value as it might contain more than one608 <div id="rfc.figure.u.5"></div><pre class="inline"><span id="rfc.iref.g.6"></span> WWW-Authenticate = "WWW-Authenticate" ":" 1#challenge 609 </pre><p id="rfc.section.3.4.p.3">The HTTP access authentication process is described in "HTTP Authentication: Basic and Digest Access Authentication" <a href="#RFC2617" id="rfc.xref.RFC2617.10"><cite title="HTTP Authentication: Basic and Digest Access Authentication">[RFC2617]</cite></a>. User agents are advised to take special care in parsing the WWW-Authenticate field value as it might contain more than one 608 610 challenge, or if more than one WWW-Authenticate header field is provided, the contents of a challenge itself can contain a 609 611 comma-separated list of authentication parameters. 
… … 700 702 <h2 id="rfc.section.B.3"><a href="#rfc.section.B.3">B.3</a> Since draft-ietf-httpbis-p7-auth-01 701 703 </h2> 704 <p id="rfc.section.B.3.p.1">Ongoing work on ABNF conversion (<<a href="http://www3.tools.ietf.org/wg/httpbis/trac/ticket/36">http://www3.tools.ietf.org/wg/httpbis/trac/ticket/36</a>>): 705 </p> 706 <ul> 707 <li>Explicitly import BNF rules for "challenge" and "credentials" from RFC2617.</li> 708 </ul> 702 709 <h1><a id="rfc.copyright" href="#rfc.copyright">Full Copyright Statement</a></h1> 703 710 <p>Copyright © The IETF Trust (2008).</p> … … 733 740 <ul class="ind"> 734 741 <li class="indline0"><a id="rfc.index.4" href="#rfc.index.4"><b>4</b></a><ul class="ind"> 735 <li class="indline1">401 Unauthorized (status code) <a class="iref" href="#rfc.iref. "><b>2.1</b></a></li>736 <li class="indline1">407 Proxy Authentication Required (status code) <a class="iref" href="#rfc.iref. 1"><b>2.2</b></a></li>742 <li class="indline1">401 Unauthorized (status code) <a class="iref" href="#rfc.iref.2"><b>2.1</b></a></li> 743 <li class="indline1">407 Proxy Authentication Required (status code) <a class="iref" href="#rfc.iref.3"><b>2.2</b></a></li> 737 744 </ul> 738 745 </li> … … 744 751 <li class="indline1"><tt>Grammar</tt> 745 752 <ul class="ind"> 746 <li class="indline1"><tt>Authorization</tt> <a class="iref" href="#rfc.iref.g.1"><b>3.1</b></a></li> 747 <li class="indline1"><tt>Proxy-Authenticate</tt> <a class="iref" href="#rfc.iref.g.2"><b>3.2</b></a></li> 748 <li class="indline1"><tt>Proxy-Authorization</tt> <a class="iref" href="#rfc.iref.g.3"><b>3.3</b></a></li> 749 <li class="indline1"><tt>WWW-Authenticate</tt> <a class="iref" href="#rfc.iref.g.4"><b>3.4</b></a></li> 753 <li class="indline1"><tt>Authorization</tt> <a class="iref" href="#rfc.iref.g.3"><b>3.1</b></a></li> 754 <li class="indline1"><tt>challenge</tt> <a class="iref" href="#rfc.iref.g.1"><b>1</b></a></li> 755 <li class="indline1"><tt>credentials</tt> <a class="iref" 
href="#rfc.iref.g.2"><b>1</b></a></li> 756 <li class="indline1"><tt>Proxy-Authenticate</tt> <a class="iref" href="#rfc.iref.g.4"><b>3.2</b></a></li> 757 <li class="indline1"><tt>Proxy-Authorization</tt> <a class="iref" href="#rfc.iref.g.5"><b>3.3</b></a></li> 758 <li class="indline1"><tt>WWW-Authenticate</tt> <a class="iref" href="#rfc.iref.g.6"><b>3.4</b></a></li> 750 759 </ul> 751 760 </li> … … 775 784 <li class="indline1"><em>RFC2119</em> <a class="iref" href="#rfc.xref.RFC2119.1">1.1</a>, <a class="iref" href="#RFC2119"><b>7.1</b></a></li> 776 785 <li class="indline1"><em>RFC2616</em> <a class="iref" href="#rfc.xref.RFC2616.1">1</a>, <a class="iref" href="#RFC2616"><b>7.2</b></a>, <a class="iref" href="#rfc.xref.RFC2616.2">B.1</a></li> 777 <li class="indline1"><em>RFC2617</em> <a class="iref" href="#rfc.xref.RFC2617.1">1</a>, <a class="iref" href="#rfc.xref.RFC2617.2">1</a>, <a class="iref" href="#rfc.xref.RFC2617.3">2.1</a>, <a class="iref" href="#rfc.xref.RFC2617.4">2.2</a>, <a class="iref" href="#rfc.xref.RFC2617.5">3.1</a>, <a class="iref" href="#rfc.xref.RFC2617.6">3.2</a>, <a class="iref" href="#rfc.xref.RFC2617.7">3.3</a>, <a class="iref" href="#rfc.xref.RFC2617.8">3.4</a>, <a class="iref" href="#RFC2617"><b>7.1</b></a></li> 786 <li class="indline1"><em>RFC2617</em> <a class="iref" href="#rfc.xref.RFC2617.1">1</a>, <a class="iref" href="#rfc.xref.RFC2617.2">1</a>, <a class="iref" href="#rfc.xref.RFC2617.3">1</a>, <a class="iref" href="#rfc.xref.RFC2617.4">1</a>, <a class="iref" href="#rfc.xref.RFC2617.5">2.1</a>, <a class="iref" href="#rfc.xref.RFC2617.6">2.2</a>, <a class="iref" href="#rfc.xref.RFC2617.7">3.1</a>, <a class="iref" href="#rfc.xref.RFC2617.8">3.2</a>, <a class="iref" href="#rfc.xref.RFC2617.9">3.3</a>, <a class="iref" href="#rfc.xref.RFC2617.10">3.4</a>, <a class="iref" href="#RFC2617"><b>7.1</b></a><ul class="ind"> 787 <li class="indline1"><em>Section 1.2</em> <a class="iref" href="#rfc.xref.RFC2617.3">1</a>, <a class="iref" 
href="#rfc.xref.RFC2617.4">1</a></li> 788 </ul> 789 </li> 778 790 </ul> 779 791 </li> -
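Review bot: The index anchors are renumbered throughout this file: `rfc.iref.g.1` and `rfc.iref.g.2` previously pointed at the Authorization and Proxy-Authenticate grammar in Sections 3.1 and 3.2 and now point at the new `challenge` and `credentials` rules in Section 1, with Authorization through WWW-Authenticate shifting to `rfc.iref.g.3` through `rfc.iref.g.6`, and the `rfc.xref.RFC2617.3` onward references shifting by two. Any bookmark or external link into the generated HTML that targets one of these ids now resolves to a different rule, so the changeset message should say that the HTML was regenerated and the anchors moved rather than leave a reader to work it out from the hunk. The new `Section 1.2` links and the added index entries under `Grammar` (`challenge`, `credentials` at Section 1) and under `RFC2617` (`Section 1.2` at 1) are consistent with the XML source and with each other.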
draft-ietf-httpbis/latest/p7-auth.xml
r182 r191 218 218 Authentication: Basic and Digest Access Authentication" <xref target="RFC2617"/>. This 219 219 specification adopts the definitions of "challenge" and "credentials" 220 from that specification. 221 </t> 220 from that specification: 221 </t> 222 <figure><artwork type="abnf2616"><iref primary="true" item="Grammar" subitem="challenge"/><iref primary="true" item="Grammar" subitem="credentials"/> 223 challenge = <challenge, defined in <xref target="RFC2617" x:fmt="," x:sec="1.2"/>> 224 credentials = <credentials, defined in <xref target="RFC2617" x:fmt="," x:sec="1.2"/>> 225 </artwork></figure> 222 226 223 227 <section title="Requirements" anchor="intro.requirements"> … … 633 637 <section title="Since draft-ietf-httpbis-p7-auth-01"> 634 638 <t> 639 Ongoing work on ABNF conversion (<eref target="http://www3.tools.ietf.org/wg/httpbis/trac/ticket/36"/>): 640 <list style="symbols"> 641 <t> 642 Explicitly import BNF rules for "challenge" and "credentials" from RFC2617. 643 </t> 644 </list> 635 645 </t> 636 646 </section>
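Review bot: The new B.3 entry says "BNF rules" while the sentence above it says "ABNF conversion" and the artwork is typed `abnf2616`; suggest "ABNF rules" so the terminology matches. On the grammar itself, importing `challenge` and `credentials` as prose rules (`<challenge, defined in [RFC2617], Section 1.2>`) makes this part's ABNF non-self-contained: anyone extracting the grammar from the draft has to pull Section 1.2 of RFC 2617 by hand, and the `1#challenge` lists in Proxy-Authenticate and WWW-Authenticate then admit whatever that external definition admits, which is exactly the situation the Section 3.4 caveat about parsing multiple challenges and comma-separated parameters warns about. A short note in the Section 1 prose that the two rules are imported by reference and not restated here would make that dependency visible to implementers reading only this part.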