Version 2 (modified by y.oiwa@…, 10 years ago)


HTTP Authentication Extensions for Interactive Clients

The Internet-Draft

Previous versions are available as draft-oiwa-http-auth-extension


  • Fill gaps between the current HTTP authentication framework and Web application needs
    • Concurrent support for guest (unauthenticated) users on the same page as for authenticated users (optional authentication)
    • Log-out
    • Session timeout
    • Customized pages for log-in/log-out interface (incl. announcements, warnings or advertisements)
    • etc.
  • Easily understandable API for use from Web applications
    • Optional authentication: configure it on the Web server and that is all
    • Others: just set an Authentication-Control HTTP header and that is all
      • Easy deployment: the header can be configured statically
        • no CGIs required in common cases
        • carefully designed so that these headers will be ignored whenever not applicable or meaningful
  • Not harmful for non-Web applications either: the base authentication semantics are not changed, so simply ignoring the header is enough

Use cases

See Section 5 of the draft for information on how to use this extension.


Reference implementations for Mutual authentication, available on the project homepage, implement these extensions, too.