HTTP Authentication Extensions for Interactive Clients

The Internet-Draft

Previous versions are available as draft-oiwa-http-auth-extension


  • Fill gaps between current HTTP authentication framework and Web application needs
    • Concurrent support for guest (unauthenticated) users on the same page as for authenticated users (optional authentication)
    • Log-out
    • Session timeout
    • Customized pages for log-in/log-out interface (incl. announcements, warnings or advertisement)
    • etc.
  • Easily-understandable API used from Web applications
    • Optional authentication: configure it to Web server and it's all OK
    • Others: just set an Authentication-Control: HTTP header and it's all
      • Easy deployment: the header can be configured statically
        • no CGIs required on common cases
        • carefully designed so that these headers will be ignored whenever not applicable or meaningful
  • Not harmful for non-Web applications, too: base authn. semantics is not changed, so just ignore the header is enough

Use cases

See the Section 5 of the draft for information on how to use this extension.


Reference implementations for Mutual authentication, available on project homepage, implements these extensions, too.

Last modified 10 years ago Last modified on 05/06/12 05:21:27