W3C home > Mailing lists > Public > ietf-http-wg-old@w3.org > May to August 1997

ISSUE PROXY-AUTHORIZATION: Proposal wording

From: Henrik Frystyk Nielsen <frystyk@w3.org>
Date: Thu, 17 Jul 1997 16:03:06 -0400
Message-Id: <3.0.3.32.19970717160306.00accd80@pop.w3.org>
To: http-wg%cuckoo.hpl.hp.com@hplb.hpl.hp.com
Cc: Larry Masinter <masinter@parc.xerox.com>
	http://www.ics.uci.edu/pub/ietf/http/hypermail/1997q3/0040.html

This text is to completely replace the existing wording in chapter 11, and
to add a one-liner in section 13.5.1.

The remaining MUSTs could potentially be downgraded to SHOULDs as it would
not cause any interoperability problems, but I have left them as in the
original text.

**********

11 Access Authentication 

HTTP provides a simple challenge-response authentication mechanism which
MAY be used by a server to challenge a client request and by a client to
provide authentication information. It uses an extensible, case-insensitive
token to identify the authentication scheme, followed by a comma-separated
list of attribute-value pairs which carry the parameters necessary for
achieving authentication via that scheme.

       auth-scheme    = token
       auth-param     = token "=" quoted-string

The 401 (Unauthorized) response message is used by an origin server to
challenge the authorization of a user agent. This response MUST include a
WWW-Authenticate header field containing at least one challenge applicable
to the requested resource. The 407 (Proxy Authentication Required) response
message is used by a proxy to challenge the authorization of a client and
MUST include a Proxy-Authenticate header field containing a challenge
applicable to the proxy for the requested resource.

       challenge      = auth-scheme 1*SP realm *( "," auth-param )
       realm          = "realm" "=" realm-value
       realm-value    = quoted-string

The realm attribute (case-insensitive) is required for all authentication
schemes which issue a challenge. The realm value (case-sensitive), in
combination with the canonical root URL (see section 5.1.2) of the server
being accessed, defines the protection space. These realms allow the
protected resources on a server to be partitioned into a set of protection
spaces, each with its own authentication scheme and/or authorization
database. The realm value is a string, generally assigned by the origin
server, which may have additional semantics specific to the authentication
scheme.

A user agent that wishes to authenticate itself with an origin
server--usually, but not necessarily, after receiving a 401
(Unauthorized)--MAY do so by including an Authorization header field with
the request. A client that wishes to authenticate itself with a
proxy--usually, but not necessarily, after receiving a 407 (Proxy
Authentication Required)--MAY do so by including a Proxy-Authorization
header field with the request. Both the Authorization field value and the
Proxy-Authorization field value consists of credentials containing the
authentication information of the client for the realm of the resource
being requested.

       credentials    = basic-credentials
                      | auth-scheme #auth-param

The domain over which credentials can be automatically applied by a client
is determined by the protection space. If a prior request has been
authorized, the same credentials MAY be reused for all other requests
within that protection space for a period of time determined by the
authentication scheme, parameters, and/or user preference. Unless otherwise
defined by the authentication scheme, a single protection space cannot
extend outside the scope of its server.

If the origin server does not wish to accept the credentials sent with a
request, it SHOULD return a 401 (Unauthorized) response. The response MUST
include a WWW-Authenticate header field containing at least one (possibly
new) challenge applicable to the requested resource. If a proxy does not
accept the credentials sent with a request, it SHOULD return a 407 (Proxy
Authentication Required). The response MUST include a Proxy-Authenticate
header field containing a (possibly new) challenge applicable to the proxy
for the requested resource.

The HTTP protocol does not restrict applications to this simple
challenge-response mechanism for access authentication. Additional
mechanisms MAY be used, such as encryption at the transport level or via
message encapsulation, and with additional header fields specifying
authentication information. However, these additional mechanisms are not
defined by this specification.

The WWW-Authenticate and Authorization header fields are end-to-end headers
following the rules found in section 14.8 and 14.46. Both the
Proxy-Authenticate and the Proxy-Authorization header fields are hop-by-hop
headers (see section 13.5.1).

11.1 Basic Authentication Scheme 

The "basic" authentication scheme is based on the model that the client
must authenticate itself with a user-ID and a password for each realm. The
realm value should be considered an opaque string which can only be
compared for equality with other realms on that server. The server will
service the request only if it can validate the user-ID and password for
the protection space of the Request-URI. There are no optional
authentication parameters.

Upon receipt of an unauthorized request for a URI within the protection
space, the origin server may respond with a challenge like the following:

       WWW-Authenticate: Basic realm="WallyWorld"

where "WallyWorld" is the string assigned by the server to identify the
protection space of the Request-URI. A proxy may respond with the same
challenge using the Proxy-Authenticate header field.

To receive authorization, the client sends the userid and password,
separated by a single colon (":") character, within a base64 [7] encoded
string in the credentials.

       basic-credentials = "Basic" SP basic-cookie
       basic-cookie   = <base64 [7] encoding of user-pass,
                        except not limited to 76 char/line>
       user-pass   = userid ":" password
       userid      = *<TEXT excluding ":">
       password    = *TEXT

Userids might be case sensitive.

If the user agent wishes to send the userid "Aladdin" and password "open
sesame" to an origin server, it would use the following header field:

       Authorization: Basic QWxhZGRpbjpvcGVuIHNlc2FtZQ==

If a client wishes to send the same userid and password to a proxy, it
would use the Proxy-Authorization header field. See section 15 for security
considerations associated with Basic authentication.

11.2 Digest Authentication Scheme 

Note for the RFC editor: This section is reserved for including the Digest
Authentication specification, or if the RFC editor chooses to issue a
single RFC rather than two RFC's, this section should be deleted.

13.5.1 End-to-end and Hop-by-hop Headers

Change

   The following HTTP/1.1 headers are hop-by-hop headers:
       Connection
       Keep-Alive
       Public
       Proxy-Authenticate 
       Transfer-Encoding
       Upgrade

to

   The following HTTP/1.1 headers are hop-by-hop headers:
       Connection
       Keep-Alive
       Public
       Proxy-Authenticate 
       Proxy-Authorization
       Transfer-Encoding
       Upgrade

Thanks,

Henrik
Received on Thursday, 17 July 1997 14:24:52 EDT

This archive was generated by hypermail pre-2.1.9 : Wednesday, 24 September 2003 06:32:48 EDT