Version 17 (modified by nico@…, 10 years ago)


HTTP Authentication Proposals

This page tracks proposals for new HTTP authentication schemes.

To make a proposal, please submit an Internet-Draft whose name follows this convention:

draft-{your name}-httpbis-{proposal name}

Current Proposals


A proposal for authentication based on RESTful exchange of authentication messages, resulting in a session URI that can be used to provide connection-independence and a good logout story. RESTfulness makes for good interaction with "HTTP routers". Simple mechanisms based on SSHv2, SASL, and GSS are described. HTML version.

draft-oiwa-httpbis-mutualauth: HTTP Mutual authentication

A secure HTTP authentication method providing user-server mutual authentication, strong secrecy for passwords, and other properties. Combined with auth-extension below to support Web application requirements (i.e. to replace Form authentication).

draft-oiwa-httpbis-auth-extension: HTTP authentication extensions for interactive clients

A simple but powerful generic framework extension to HTTP authentication, to enable use of HTTP authentication for recent Web applications.

draft-farrell-httpbis-hoba: HTTP Origin Bound Authentication (HOBA)

An even simpler, but not at all powerful, mechanism based on OBC, to try to end up with fewer passwords in the world.


A secure HTTP authentication method providing user-server mutual authentication, easier to implement than Digest in both clients and servers, etc. The mechanism is very close to SCRAM, which is used in most other application protocols (e.g. IMAP/SMTP, XMPP).

Multilegged Authentication for HTTP Multiplexing

In line with the HTTP compatibility goal for HTTP 2.0, HTTP 2.0 must also be compatible with currently deployed authentication schemes. This draft addresses this goal in the presence of multiplexing (expected to be part of HTTP 2.0), while addressing some of the issues currently encountered when performing multilegged authentication.


A WITHDRAWN (replaced with RESTauth) proposal for authentication based on SASL/GSS at the application network layer (but at the HTTP API layer). HTML version.

Input Documents


A proposal for classification and analysis of HTTPbis authentication proposals. HTML version.