spec/rfc7235.txt at main · anil.recoil.org/httpzo

An OCaml webserver, but the allocating version (vs httpz which doesnt)
httpzo / spec / rfc7235.txt
at main 1067 lines 38 kB view raw
wrap content
   1
   2
   3
   4
   5
   6
   7Internet Engineering Task Force (IETF)                  R. Fielding, Ed.
   8Request for Comments: 7235                                         Adobe
   9Obsoletes: 2616                                          J. Reschke, Ed.
  10Updates: 2617                                                 greenbytes
  11Category: Standards Track                                      June 2014
  12ISSN: 2070-1721
  13
  14
  15         Hypertext Transfer Protocol (HTTP/1.1): Authentication
  16
  17Abstract
  18
  19   The Hypertext Transfer Protocol (HTTP) is a stateless application-
  20   level protocol for distributed, collaborative, hypermedia information
  21   systems.  This document defines the HTTP Authentication framework.
  22
  23Status of This Memo
  24
  25   This is an Internet Standards Track document.
  26
  27   This document is a product of the Internet Engineering Task Force
  28   (IETF).  It represents the consensus of the IETF community.  It has
  29   received public review and has been approved for publication by the
  30   Internet Engineering Steering Group (IESG).  Further information on
  31   Internet Standards is available in Section 2 of RFC 5741.
  32
  33   Information about the current status of this document, any errata,
  34   and how to provide feedback on it may be obtained at
  35   http://www.rfc-editor.org/info/rfc7235.
  36
  37Copyright Notice
  38
  39   Copyright (c) 2014 IETF Trust and the persons identified as the
  40   document authors.  All rights reserved.
  41
  42   This document is subject to BCP 78 and the IETF Trust's Legal
  43   Provisions Relating to IETF Documents
  44   (http://trustee.ietf.org/license-info) in effect on the date of
  45   publication of this document.  Please review these documents
  46   carefully, as they describe your rights and restrictions with respect
  47   to this document.  Code Components extracted from this document must
  48   include Simplified BSD License text as described in Section 4.e of
  49   the Trust Legal Provisions and are provided without warranty as
  50   described in the Simplified BSD License.
  51
  52   This document may contain material from IETF Documents or IETF
  53   Contributions published or made publicly available before November
  54   10, 2008.  The person(s) controlling the copyright in some of this
  55
  56
  57
  58Fielding & Reschke           Standards Track                    [Page 1]
  59
  60RFC 7235                 HTTP/1.1 Authentication               June 2014
  61
  62
  63   material may not have granted the IETF Trust the right to allow
  64   modifications of such material outside the IETF Standards Process.
  65   Without obtaining an adequate license from the person(s) controlling
  66   the copyright in such materials, this document may not be modified
  67   outside the IETF Standards Process, and derivative works of it may
  68   not be created outside the IETF Standards Process, except to format
  69   it for publication as an RFC or to translate it into languages other
  70   than English.
  71
  72Table of Contents
  73
  74   1. Introduction ....................................................3
  75      1.1. Conformance and Error Handling .............................3
  76      1.2. Syntax Notation ............................................3
  77   2. Access Authentication Framework .................................3
  78      2.1. Challenge and Response .....................................3
  79      2.2. Protection Space (Realm) ...................................5
  80   3. Status Code Definitions .........................................6
  81      3.1. 401 Unauthorized ...........................................6
  82      3.2. 407 Proxy Authentication Required ..........................6
  83   4. Header Field Definitions ........................................7
  84      4.1. WWW-Authenticate ...........................................7
  85      4.2. Authorization ..............................................8
  86      4.3. Proxy-Authenticate .........................................8
  87      4.4. Proxy-Authorization ........................................9
  88   5. IANA Considerations .............................................9
  89      5.1. Authentication Scheme Registry .............................9
  90           5.1.1. Procedure ...........................................9
  91           5.1.2. Considerations for New Authentication Schemes ......10
  92      5.2. Status Code Registration ..................................11
  93      5.3. Header Field Registration .................................11
  94   6. Security Considerations ........................................12
  95      6.1. Confidentiality of Credentials ............................12
  96      6.2. Authentication Credentials and Idle Clients ...............12
  97      6.3. Protection Spaces .........................................13
  98   7. Acknowledgments ................................................14
  99   8. References .....................................................14
 100      8.1. Normative References ......................................14
 101      8.2. Informative References ....................................14
 102   Appendix A. Changes from RFCs 2616 and 2617 .......................16
 103   Appendix B. Imported ABNF .........................................16
 104   Appendix C. Collected ABNF ........................................17
 105   Index .............................................................18
 106
 107
 108
 109
 110
 111
 112
 113
 114Fielding & Reschke           Standards Track                    [Page 2]
 115
 116RFC 7235                 HTTP/1.1 Authentication               June 2014
 117
 118
 1191.  Introduction
 120
 121   HTTP provides a general framework for access control and
 122   authentication, via an extensible set of challenge-response
 123   authentication schemes, which can be used by a server to challenge a
 124   client request and by a client to provide authentication information.
 125   This document defines HTTP/1.1 authentication in terms of the
 126   architecture defined in "Hypertext Transfer Protocol (HTTP/1.1):
 127   Message Syntax and Routing" [RFC7230], including the general
 128   framework previously described in "HTTP Authentication: Basic and
 129   Digest Access Authentication" [RFC2617] and the related fields and
 130   status codes previously defined in "Hypertext Transfer Protocol --
 131   HTTP/1.1" [RFC2616].
 132
 133   The IANA Authentication Scheme Registry (Section 5.1) lists
 134   registered authentication schemes and their corresponding
 135   specifications, including the "basic" and "digest" authentication
 136   schemes previously defined by RFC 2617.
 137
 1381.1.  Conformance and Error Handling
 139
 140   The key words "MUST", "MUST NOT", "REQUIRED", "SHALL", "SHALL NOT",
 141   "SHOULD", "SHOULD NOT", "RECOMMENDED", "MAY", and "OPTIONAL" in this
 142   document are to be interpreted as described in [RFC2119].
 143
 144   Conformance criteria and considerations regarding error handling are
 145   defined in Section 2.5 of [RFC7230].
 146
 1471.2.  Syntax Notation
 148
 149   This specification uses the Augmented Backus-Naur Form (ABNF)
 150   notation of [RFC5234] with a list extension, defined in Section 7 of
 151   [RFC7230], that allows for compact definition of comma-separated
 152   lists using a '#' operator (similar to how the '*' operator indicates
 153   repetition).  Appendix B describes rules imported from other
 154   documents.  Appendix C shows the collected grammar with all list
 155   operators expanded to standard ABNF notation.
 156
 1572.  Access Authentication Framework
 158
 1592.1.  Challenge and Response
 160
 161   HTTP provides a simple challenge-response authentication framework
 162   that can be used by a server to challenge a client request and by a
 163   client to provide authentication information.  It uses a case-
 164   insensitive token as a means to identify the authentication scheme,
 165   followed by additional information necessary for achieving
 166
 167
 168
 169
 170Fielding & Reschke           Standards Track                    [Page 3]
 171
 172RFC 7235                 HTTP/1.1 Authentication               June 2014
 173
 174
 175   authentication via that scheme.  The latter can be either a comma-
 176   separated list of parameters or a single sequence of characters
 177   capable of holding base64-encoded information.
 178
 179   Authentication parameters are name=value pairs, where the name token
 180   is matched case-insensitively, and each parameter name MUST only
 181   occur once per challenge.
 182
 183     auth-scheme    = token
 184
 185     auth-param     = token BWS "=" BWS ( token / quoted-string )
 186
 187     token68        = 1*( ALPHA / DIGIT /
 188                          "-" / "." / "_" / "~" / "+" / "/" ) *"="
 189
 190   The token68 syntax allows the 66 unreserved URI characters
 191   ([RFC3986]), plus a few others, so that it can hold a base64,
 192   base64url (URL and filename safe alphabet), base32, or base16 (hex)
 193   encoding, with or without padding, but excluding whitespace
 194   ([RFC4648]).
 195
 196   A 401 (Unauthorized) response message is used by an origin server to
 197   challenge the authorization of a user agent, including a
 198   WWW-Authenticate header field containing at least one challenge
 199   applicable to the requested resource.
 200
 201   A 407 (Proxy Authentication Required) response message is used by a
 202   proxy to challenge the authorization of a client, including a
 203   Proxy-Authenticate header field containing at least one challenge
 204   applicable to the proxy for the requested resource.
 205
 206     challenge   = auth-scheme [ 1*SP ( token68 / #auth-param ) ]
 207
 208      Note: Many clients fail to parse a challenge that contains an
 209      unknown scheme.  A workaround for this problem is to list well-
 210      supported schemes (such as "basic") first.
 211
 212   A user agent that wishes to authenticate itself with an origin server
 213   -- usually, but not necessarily, after receiving a 401 (Unauthorized)
 214   -- can do so by including an Authorization header field with the
 215   request.
 216
 217   A client that wishes to authenticate itself with a proxy -- usually,
 218   but not necessarily, after receiving a 407 (Proxy Authentication
 219   Required) -- can do so by including a Proxy-Authorization header
 220   field with the request.
 221
 222
 223
 224
 225
 226Fielding & Reschke           Standards Track                    [Page 4]
 227
 228RFC 7235                 HTTP/1.1 Authentication               June 2014
 229
 230
 231   Both the Authorization field value and the Proxy-Authorization field
 232   value contain the client's credentials for the realm of the resource
 233   being requested, based upon a challenge received in a response
 234   (possibly at some point in the past).  When creating their values,
 235   the user agent ought to do so by selecting the challenge with what it
 236   considers to be the most secure auth-scheme that it understands,
 237   obtaining credentials from the user as appropriate.  Transmission of
 238   credentials within header field values implies significant security
 239   considerations regarding the confidentiality of the underlying
 240   connection, as described in Section 6.1.
 241
 242     credentials = auth-scheme [ 1*SP ( token68 / #auth-param ) ]
 243
 244   Upon receipt of a request for a protected resource that omits
 245   credentials, contains invalid credentials (e.g., a bad password) or
 246   partial credentials (e.g., when the authentication scheme requires
 247   more than one round trip), an origin server SHOULD send a 401
 248   (Unauthorized) response that contains a WWW-Authenticate header field
 249   with at least one (possibly new) challenge applicable to the
 250   requested resource.
 251
 252   Likewise, upon receipt of a request that omits proxy credentials or
 253   contains invalid or partial proxy credentials, a proxy that requires
 254   authentication SHOULD generate a 407 (Proxy Authentication Required)
 255   response that contains a Proxy-Authenticate header field with at
 256   least one (possibly new) challenge applicable to the proxy.
 257
 258   A server that receives valid credentials that are not adequate to
 259   gain access ought to respond with the 403 (Forbidden) status code
 260   (Section 6.5.3 of [RFC7231]).
 261
 262   HTTP does not restrict applications to this simple challenge-response
 263   framework for access authentication.  Additional mechanisms can be
 264   used, such as authentication at the transport level or via message
 265   encapsulation, and with additional header fields specifying
 266   authentication information.  However, such additional mechanisms are
 267   not defined by this specification.
 268
 2692.2.  Protection Space (Realm)
 270
 271   The "realm" authentication parameter is reserved for use by
 272   authentication schemes that wish to indicate a scope of protection.
 273
 274   A protection space is defined by the canonical root URI (the scheme
 275   and authority components of the effective request URI; see Section
 276   5.5 of [RFC7230]) of the server being accessed, in combination with
 277   the realm value if present.  These realms allow the protected
 278   resources on a server to be partitioned into a set of protection
 279
 280
 281
 282Fielding & Reschke           Standards Track                    [Page 5]
 283
 284RFC 7235                 HTTP/1.1 Authentication               June 2014
 285
 286
 287   spaces, each with its own authentication scheme and/or authorization
 288   database.  The realm value is a string, generally assigned by the
 289   origin server, that can have additional semantics specific to the
 290   authentication scheme.  Note that a response can have multiple
 291   challenges with the same auth-scheme but with different realms.
 292
 293   The protection space determines the domain over which credentials can
 294   be automatically applied.  If a prior request has been authorized,
 295   the user agent MAY reuse the same credentials for all other requests
 296   within that protection space for a period of time determined by the
 297   authentication scheme, parameters, and/or user preferences (such as a
 298   configurable inactivity timeout).  Unless specifically allowed by the
 299   authentication scheme, a single protection space cannot extend
 300   outside the scope of its server.
 301
 302   For historical reasons, a sender MUST only generate the quoted-string
 303   syntax.  Recipients might have to support both token and
 304   quoted-string syntax for maximum interoperability with existing
 305   clients that have been accepting both notations for a long time.
 306
 3073.  Status Code Definitions
 308
 3093.1.  401 Unauthorized
 310
 311   The 401 (Unauthorized) status code indicates that the request has not
 312   been applied because it lacks valid authentication credentials for
 313   the target resource.  The server generating a 401 response MUST send
 314   a WWW-Authenticate header field (Section 4.1) containing at least one
 315   challenge applicable to the target resource.
 316
 317   If the request included authentication credentials, then the 401
 318   response indicates that authorization has been refused for those
 319   credentials.  The user agent MAY repeat the request with a new or
 320   replaced Authorization header field (Section 4.2).  If the 401
 321   response contains the same challenge as the prior response, and the
 322   user agent has already attempted authentication at least once, then
 323   the user agent SHOULD present the enclosed representation to the
 324   user, since it usually contains relevant diagnostic information.
 325
 3263.2.  407 Proxy Authentication Required
 327
 328   The 407 (Proxy Authentication Required) status code is similar to 401
 329   (Unauthorized), but it indicates that the client needs to
 330   authenticate itself in order to use a proxy.  The proxy MUST send a
 331   Proxy-Authenticate header field (Section 4.3) containing a challenge
 332   applicable to that proxy for the target resource.  The client MAY
 333   repeat the request with a new or replaced Proxy-Authorization header
 334   field (Section 4.4).
 335
 336
 337
 338Fielding & Reschke           Standards Track                    [Page 6]
 339
 340RFC 7235                 HTTP/1.1 Authentication               June 2014
 341
 342
 3434.  Header Field Definitions
 344
 345   This section defines the syntax and semantics of header fields
 346   related to the HTTP authentication framework.
 347
 3484.1.  WWW-Authenticate
 349
 350   The "WWW-Authenticate" header field indicates the authentication
 351   scheme(s) and parameters applicable to the target resource.
 352
 353     WWW-Authenticate = 1#challenge
 354
 355   A server generating a 401 (Unauthorized) response MUST send a
 356   WWW-Authenticate header field containing at least one challenge.  A
 357   server MAY generate a WWW-Authenticate header field in other response
 358   messages to indicate that supplying credentials (or different
 359   credentials) might affect the response.
 360
 361   A proxy forwarding a response MUST NOT modify any WWW-Authenticate
 362   fields in that response.
 363
 364   User agents are advised to take special care in parsing the field
 365   value, as it might contain more than one challenge, and each
 366   challenge can contain a comma-separated list of authentication
 367   parameters.  Furthermore, the header field itself can occur multiple
 368   times.
 369
 370   For instance:
 371
 372     WWW-Authenticate: Newauth realm="apps", type=1,
 373                       title="Login to \"apps\"", Basic realm="simple"
 374
 375   This header field contains two challenges; one for the "Newauth"
 376   scheme with a realm value of "apps", and two additional parameters
 377   "type" and "title", and another one for the "Basic" scheme with a
 378   realm value of "simple".
 379
 380      Note: The challenge grammar production uses the list syntax as
 381      well.  Therefore, a sequence of comma, whitespace, and comma can
 382      be considered either as applying to the preceding challenge, or to
 383      be an empty entry in the list of challenges.  In practice, this
 384      ambiguity does not affect the semantics of the header field value
 385      and thus is harmless.
 386
 387
 388
 389
 390
 391
 392
 393
 394Fielding & Reschke           Standards Track                    [Page 7]
 395
 396RFC 7235                 HTTP/1.1 Authentication               June 2014
 397
 398
 3994.2.  Authorization
 400
 401   The "Authorization" header field allows a user agent to authenticate
 402   itself with an origin server -- usually, but not necessarily, after
 403   receiving a 401 (Unauthorized) response.  Its value consists of
 404   credentials containing the authentication information of the user
 405   agent for the realm of the resource being requested.
 406
 407     Authorization = credentials
 408
 409   If a request is authenticated and a realm specified, the same
 410   credentials are presumed to be valid for all other requests within
 411   this realm (assuming that the authentication scheme itself does not
 412   require otherwise, such as credentials that vary according to a
 413   challenge value or using synchronized clocks).
 414
 415   A proxy forwarding a request MUST NOT modify any Authorization fields
 416   in that request.  See Section 3.2 of [RFC7234] for details of and
 417   requirements pertaining to handling of the Authorization field by
 418   HTTP caches.
 419
 4204.3.  Proxy-Authenticate
 421
 422   The "Proxy-Authenticate" header field consists of at least one
 423   challenge that indicates the authentication scheme(s) and parameters
 424   applicable to the proxy for this effective request URI (Section 5.5
 425   of [RFC7230]).  A proxy MUST send at least one Proxy-Authenticate
 426   header field in each 407 (Proxy Authentication Required) response
 427   that it generates.
 428
 429     Proxy-Authenticate = 1#challenge
 430
 431   Unlike WWW-Authenticate, the Proxy-Authenticate header field applies
 432   only to the next outbound client on the response chain.  This is
 433   because only the client that chose a given proxy is likely to have
 434   the credentials necessary for authentication.  However, when multiple
 435   proxies are used within the same administrative domain, such as
 436   office and regional caching proxies within a large corporate network,
 437   it is common for credentials to be generated by the user agent and
 438   passed through the hierarchy until consumed.  Hence, in such a
 439   configuration, it will appear as if Proxy-Authenticate is being
 440   forwarded because each proxy will send the same challenge set.
 441
 442   Note that the parsing considerations for WWW-Authenticate apply to
 443   this header field as well; see Section 4.1 for details.
 444
 445
 446
 447
 448
 449
 450Fielding & Reschke           Standards Track                    [Page 8]
 451
 452RFC 7235                 HTTP/1.1 Authentication               June 2014
 453
 454
 4554.4.  Proxy-Authorization
 456
 457   The "Proxy-Authorization" header field allows the client to identify
 458   itself (or its user) to a proxy that requires authentication.  Its
 459   value consists of credentials containing the authentication
 460   information of the client for the proxy and/or realm of the resource
 461   being requested.
 462
 463     Proxy-Authorization = credentials
 464
 465   Unlike Authorization, the Proxy-Authorization header field applies
 466   only to the next inbound proxy that demanded authentication using the
 467   Proxy-Authenticate field.  When multiple proxies are used in a chain,
 468   the Proxy-Authorization header field is consumed by the first inbound
 469   proxy that was expecting to receive credentials.  A proxy MAY relay
 470   the credentials from the client request to the next proxy if that is
 471   the mechanism by which the proxies cooperatively authenticate a given
 472   request.
 473
 4745.  IANA Considerations
 475
 4765.1.  Authentication Scheme Registry
 477
 478   The "Hypertext Transfer Protocol (HTTP) Authentication Scheme
 479   Registry" defines the namespace for the authentication schemes in
 480   challenges and credentials.  It has been created and is now
 481   maintained at <http://www.iana.org/assignments/http-authschemes>.
 482
 4835.1.1.  Procedure
 484
 485   Registrations MUST include the following fields:
 486
 487   o  Authentication Scheme Name
 488
 489   o  Pointer to specification text
 490
 491   o  Notes (optional)
 492
 493   Values to be added to this namespace require IETF Review (see
 494   [RFC5226], Section 4.1).
 495
 496
 497
 498
 499
 500
 501
 502
 503
 504
 505
 506Fielding & Reschke           Standards Track                    [Page 9]
 507
 508RFC 7235                 HTTP/1.1 Authentication               June 2014
 509
 510
 5115.1.2.  Considerations for New Authentication Schemes
 512
 513   There are certain aspects of the HTTP Authentication Framework that
 514   put constraints on how new authentication schemes can work:
 515
 516   o  HTTP authentication is presumed to be stateless: all of the
 517      information necessary to authenticate a request MUST be provided
 518      in the request, rather than be dependent on the server remembering
 519      prior requests.  Authentication based on, or bound to, the
 520      underlying connection is outside the scope of this specification
 521      and inherently flawed unless steps are taken to ensure that the
 522      connection cannot be used by any party other than the
 523      authenticated user (see Section 2.3 of [RFC7230]).
 524
 525   o  The authentication parameter "realm" is reserved for defining
 526      protection spaces as described in Section 2.2.  New schemes MUST
 527      NOT use it in a way incompatible with that definition.
 528
 529   o  The "token68" notation was introduced for compatibility with
 530      existing authentication schemes and can only be used once per
 531      challenge or credential.  Thus, new schemes ought to use the
 532      auth-param syntax instead, because otherwise future extensions
 533      will be impossible.
 534
 535   o  The parsing of challenges and credentials is defined by this
 536      specification and cannot be modified by new authentication
 537      schemes.  When the auth-param syntax is used, all parameters ought
 538      to support both token and quoted-string syntax, and syntactical
 539      constraints ought to be defined on the field value after parsing
 540      (i.e., quoted-string processing).  This is necessary so that
 541      recipients can use a generic parser that applies to all
 542      authentication schemes.
 543
 544      Note: The fact that the value syntax for the "realm" parameter is
 545      restricted to quoted-string was a bad design choice not to be
 546      repeated for new parameters.
 547
 548   o  Definitions of new schemes ought to define the treatment of
 549      unknown extension parameters.  In general, a "must-ignore" rule is
 550      preferable to a "must-understand" rule, because otherwise it will
 551      be hard to introduce new parameters in the presence of legacy
 552      recipients.  Furthermore, it's good to describe the policy for
 553      defining new parameters (such as "update the specification" or
 554      "use this registry").
 555
 556   o  Authentication schemes need to document whether they are usable in
 557      origin-server authentication (i.e., using WWW-Authenticate),
 558      and/or proxy authentication (i.e., using Proxy-Authenticate).
 559
 560
 561
 562Fielding & Reschke           Standards Track                   [Page 10]
 563
 564RFC 7235                 HTTP/1.1 Authentication               June 2014
 565
 566
 567   o  The credentials carried in an Authorization header field are
 568      specific to the user agent and, therefore, have the same effect on
 569      HTTP caches as the "private" Cache-Control response directive
 570      (Section 5.2.2.6 of [RFC7234]), within the scope of the request in
 571      which they appear.
 572
 573      Therefore, new authentication schemes that choose not to carry
 574      credentials in the Authorization header field (e.g., using a newly
 575      defined header field) will need to explicitly disallow caching, by
 576      mandating the use of either Cache-Control request directives
 577      (e.g., "no-store", Section 5.2.1.5 of [RFC7234]) or response
 578      directives (e.g., "private").
 579
 5805.2.  Status Code Registration
 581
 582   The "Hypertext Transfer Protocol (HTTP) Status Code Registry" located
 583   at <http://www.iana.org/assignments/http-status-codes> has been
 584   updated with the registrations below:
 585
 586   +-------+-------------------------------+-------------+
 587   | Value | Description                   | Reference   |
 588   +-------+-------------------------------+-------------+
 589   | 401   | Unauthorized                  | Section 3.1 |
 590   | 407   | Proxy Authentication Required | Section 3.2 |
 591   +-------+-------------------------------+-------------+
 592
 5935.3.  Header Field Registration
 594
 595   HTTP header fields are registered within the "Message Headers"
 596   registry maintained at
 597   <http://www.iana.org/assignments/message-headers/>.
 598
 599   This document defines the following HTTP header fields, so the
 600   "Permanent Message Header Field Names" registry has been updated
 601   accordingly (see [BCP90]).
 602
 603   +---------------------+----------+----------+-------------+
 604   | Header Field Name   | Protocol | Status   | Reference   |
 605   +---------------------+----------+----------+-------------+
 606   | Authorization       | http     | standard | Section 4.2 |
 607   | Proxy-Authenticate  | http     | standard | Section 4.3 |
 608   | Proxy-Authorization | http     | standard | Section 4.4 |
 609   | WWW-Authenticate    | http     | standard | Section 4.1 |
 610   +---------------------+----------+----------+-------------+
 611
 612   The change controller is: "IETF (iesg@ietf.org) - Internet
 613   Engineering Task Force".
 614
 615
 616
 617
 618Fielding & Reschke           Standards Track                   [Page 11]
 619
 620RFC 7235                 HTTP/1.1 Authentication               June 2014
 621
 622
 6236.  Security Considerations
 624
 625   This section is meant to inform developers, information providers,
 626   and users of known security concerns specific to HTTP authentication.
 627   More general security considerations are addressed in HTTP messaging
 628   [RFC7230] and semantics [RFC7231].
 629
 630   Everything about the topic of HTTP authentication is a security
 631   consideration, so the list of considerations below is not exhaustive.
 632   Furthermore, it is limited to security considerations regarding the
 633   authentication framework, in general, rather than discussing all of
 634   the potential considerations for specific authentication schemes
 635   (which ought to be documented in the specifications that define those
 636   schemes).  Various organizations maintain topical information and
 637   links to current research on Web application security (e.g.,
 638   [OWASP]), including common pitfalls for implementing and using the
 639   authentication schemes found in practice.
 640
 6416.1.  Confidentiality of Credentials
 642
 643   The HTTP authentication framework does not define a single mechanism
 644   for maintaining the confidentiality of credentials; instead, each
 645   authentication scheme defines how the credentials are encoded prior
 646   to transmission.  While this provides flexibility for the development
 647   of future authentication schemes, it is inadequate for the protection
 648   of existing schemes that provide no confidentiality on their own, or
 649   that do not sufficiently protect against replay attacks.
 650   Furthermore, if the server expects credentials that are specific to
 651   each individual user, the exchange of those credentials will have the
 652   effect of identifying that user even if the content within
 653   credentials remains confidential.
 654
 655   HTTP depends on the security properties of the underlying transport-
 656   or session-level connection to provide confidential transmission of
 657   header fields.  In other words, if a server limits access to
 658   authenticated users using this framework, the server needs to ensure
 659   that the connection is properly secured in accordance with the nature
 660   of the authentication scheme used.  For example, services that depend
 661   on individual user authentication often require a connection to be
 662   secured with TLS ("Transport Layer Security", [RFC5246]) prior to
 663   exchanging any credentials.
 664
 6656.2.  Authentication Credentials and Idle Clients
 666
 667   Existing HTTP clients and user agents typically retain authentication
 668   information indefinitely.  HTTP does not provide a mechanism for the
 669   origin server to direct clients to discard these cached credentials,
 670   since the protocol has no awareness of how credentials are obtained
 671
 672
 673
 674Fielding & Reschke           Standards Track                   [Page 12]
 675
 676RFC 7235                 HTTP/1.1 Authentication               June 2014
 677
 678
 679   or managed by the user agent.  The mechanisms for expiring or
 680   revoking credentials can be specified as part of an authentication
 681   scheme definition.
 682
 683   Circumstances under which credential caching can interfere with the
 684   application's security model include but are not limited to:
 685
 686   o  Clients that have been idle for an extended period, following
 687      which the server might wish to cause the client to re-prompt the
 688      user for credentials.
 689
 690   o  Applications that include a session termination indication (such
 691      as a "logout" or "commit" button on a page) after which the server
 692      side of the application "knows" that there is no further reason
 693      for the client to retain the credentials.
 694
 695   User agents that cache credentials are encouraged to provide a
 696   readily accessible mechanism for discarding cached credentials under
 697   user control.
 698
 6996.3.  Protection Spaces
 700
 701   Authentication schemes that solely rely on the "realm" mechanism for
 702   establishing a protection space will expose credentials to all
 703   resources on an origin server.  Clients that have successfully made
 704   authenticated requests with a resource can use the same
 705   authentication credentials for other resources on the same origin
 706   server.  This makes it possible for a different resource to harvest
 707   authentication credentials for other resources.
 708
 709   This is of particular concern when an origin server hosts resources
 710   for multiple parties under the same canonical root URI (Section 2.2).
 711   Possible mitigation strategies include restricting direct access to
 712   authentication credentials (i.e., not making the content of the
 713   Authorization request header field available), and separating
 714   protection spaces by using a different host name (or port number) for
 715   each party.
 716
 717
 718
 719
 720
 721
 722
 723
 724
 725
 726
 727
 728
 729
 730Fielding & Reschke           Standards Track                   [Page 13]
 731
 732RFC 7235                 HTTP/1.1 Authentication               June 2014
 733
 734
 7357.  Acknowledgments
 736
 737   This specification takes over the definition of the HTTP
 738   Authentication Framework, previously defined in RFC 2617.  We thank
 739   John Franks, Phillip M. Hallam-Baker, Jeffery L. Hostetler, Scott D.
 740   Lawrence, Paul J. Leach, Ari Luotonen, and Lawrence C. Stewart for
 741   their work on that specification.  See Section 6 of [RFC2617] for
 742   further acknowledgements.
 743
 744   See Section 10 of [RFC7230] for the Acknowledgments related to this
 745   document revision.
 746
 7478.  References
 748
 7498.1.  Normative References
 750
 751   [RFC2119]  Bradner, S., "Key words for use in RFCs to Indicate
 752              Requirement Levels", BCP 14, RFC 2119, March 1997.
 753
 754   [RFC5234]  Crocker, D., Ed. and P. Overell, "Augmented BNF for Syntax
 755              Specifications: ABNF", STD 68, RFC 5234, January 2008.
 756
 757   [RFC7230]  Fielding, R., Ed. and J. Reschke, Ed., "Hypertext Transfer
 758              Protocol (HTTP/1.1): Message Syntax and Routing",
 759              RFC 7230, June 2014.
 760
 761   [RFC7231]  Fielding, R., Ed. and J. Reschke, Ed., "Hypertext Transfer
 762              Protocol (HTTP/1.1): Semantics and Content", RFC 7231,
 763              June 2014.
 764
 765   [RFC7234]  Fielding, R., Ed., Nottingham, M., Ed., and J. Reschke,
 766              Ed., "Hypertext Transfer Protocol (HTTP/1.1): Caching",
 767              RFC 7234, June 2014.
 768
 7698.2.  Informative References
 770
 771   [BCP90]    Klyne, G., Nottingham, M., and J. Mogul, "Registration
 772              Procedures for Message Header Fields", BCP 90, RFC 3864,
 773              September 2004.
 774
 775   [OWASP]    van der Stock, A., Ed., "A Guide to Building Secure Web
 776              Applications and Web Services", The Open Web Application
 777              Security Project (OWASP) 2.0.1, July 2005,
 778              <https://www.owasp.org/>.
 779
 780   [RFC2616]  Fielding, R., Gettys, J., Mogul, J., Frystyk, H.,
 781              Masinter, L., Leach, P., and T. Berners-Lee, "Hypertext
 782              Transfer Protocol -- HTTP/1.1", RFC 2616, June 1999.
 783
 784
 785
 786Fielding & Reschke           Standards Track                   [Page 14]
 787
 788RFC 7235                 HTTP/1.1 Authentication               June 2014
 789
 790
 791   [RFC2617]  Franks, J., Hallam-Baker, P., Hostetler, J., Lawrence, S.,
 792              Leach, P., Luotonen, A., and L. Stewart, "HTTP
 793              Authentication: Basic and Digest Access Authentication",
 794              RFC 2617, June 1999.
 795
 796   [RFC3986]  Berners-Lee, T., Fielding, R., and L. Masinter, "Uniform
 797              Resource Identifier (URI): Generic Syntax", STD 66,
 798              RFC 3986, January 2005.
 799
 800   [RFC4648]  Josefsson, S., "The Base16, Base32, and Base64 Data
 801              Encodings", RFC 4648, October 2006.
 802
 803   [RFC5226]  Narten, T. and H. Alvestrand, "Guidelines for Writing an
 804              IANA Considerations Section in RFCs", BCP 26, RFC 5226,
 805              May 2008.
 806
 807   [RFC5246]  Dierks, T. and E. Rescorla, "The Transport Layer Security
 808              (TLS) Protocol Version 1.2", RFC 5246, August 2008.
 809
 810
 811
 812
 813
 814
 815
 816
 817
 818
 819
 820
 821
 822
 823
 824
 825
 826
 827
 828
 829
 830
 831
 832
 833
 834
 835
 836
 837
 838
 839
 840
 841
 842Fielding & Reschke           Standards Track                   [Page 15]
 843
 844RFC 7235                 HTTP/1.1 Authentication               June 2014
 845
 846
 847Appendix A.  Changes from RFCs 2616 and 2617
 848
 849   The framework for HTTP Authentication is now defined by this
 850   document, rather than RFC 2617.
 851
 852   The "realm" parameter is no longer always required on challenges;
 853   consequently, the ABNF allows challenges without any auth parameters.
 854   (Section 2)
 855
 856   The "token68" alternative to auth-param lists has been added for
 857   consistency with legacy authentication schemes such as "Basic".
 858   (Section 2)
 859
 860   This specification introduces the Authentication Scheme Registry,
 861   along with considerations for new authentication schemes.
 862   (Section 5.1)
 863
 864Appendix B.  Imported ABNF
 865
 866   The following core rules are included by reference, as defined in
 867   Appendix B.1 of [RFC5234]: ALPHA (letters), CR (carriage return),
 868   CRLF (CR LF), CTL (controls), DIGIT (decimal 0-9), DQUOTE (double
 869   quote), HEXDIG (hexadecimal 0-9/A-F/a-f), LF (line feed), OCTET (any
 870   8-bit sequence of data), SP (space), and VCHAR (any visible US-ASCII
 871   character).
 872
 873   The rules below are defined in [RFC7230]:
 874
 875     BWS           = <BWS, see [RFC7230], Section 3.2.3>
 876     OWS           = <OWS, see [RFC7230], Section 3.2.3>
 877     quoted-string = <quoted-string, see [RFC7230], Section 3.2.6>
 878     token         = <token, see [RFC7230], Section 3.2.6>
 879
 880
 881
 882
 883
 884
 885
 886
 887
 888
 889
 890
 891
 892
 893
 894
 895
 896
 897
 898Fielding & Reschke           Standards Track                   [Page 16]
 899
 900RFC 7235                 HTTP/1.1 Authentication               June 2014
 901
 902
 903Appendix C.  Collected ABNF
 904
 905   In the collected ABNF below, list rules are expanded as per Section
 906   1.2 of [RFC7230].
 907
 908   Authorization = credentials
 909
 910   BWS = <BWS, see [RFC7230], Section 3.2.3>
 911
 912   OWS = <OWS, see [RFC7230], Section 3.2.3>
 913
 914   Proxy-Authenticate = *( "," OWS ) challenge *( OWS "," [ OWS
 915    challenge ] )
 916   Proxy-Authorization = credentials
 917
 918   WWW-Authenticate = *( "," OWS ) challenge *( OWS "," [ OWS challenge
 919    ] )
 920
 921   auth-param = token BWS "=" BWS ( token / quoted-string )
 922   auth-scheme = token
 923
 924   challenge = auth-scheme [ 1*SP ( token68 / [ ( "," / auth-param ) *(
 925    OWS "," [ OWS auth-param ] ) ] ) ]
 926   credentials = auth-scheme [ 1*SP ( token68 / [ ( "," / auth-param )
 927    *( OWS "," [ OWS auth-param ] ) ] ) ]
 928
 929   quoted-string = <quoted-string, see [RFC7230], Section 3.2.6>
 930
 931   token = <token, see [RFC7230], Section 3.2.6>
 932   token68 = 1*( ALPHA / DIGIT / "-" / "." / "_" / "~" / "+" / "/" )
 933    *"="
 934
 935
 936
 937
 938
 939
 940
 941
 942
 943
 944
 945
 946
 947
 948
 949
 950
 951
 952
 953
 954Fielding & Reschke           Standards Track                   [Page 17]
 955
 956RFC 7235                 HTTP/1.1 Authentication               June 2014
 957
 958
 959Index
 960
 961   4
 962      401 Unauthorized (status code)  6
 963      407 Proxy Authentication Required (status code)  6
 964
 965   A
 966      Authorization header field  8
 967
 968   C
 969      Canonical Root URI  5
 970
 971   G
 972      Grammar
 973         auth-param  4
 974         auth-scheme  4
 975         Authorization  8
 976         challenge  4
 977         credentials  5
 978         Proxy-Authenticate  8
 979         Proxy-Authorization  9
 980         token68  4
 981         WWW-Authenticate  7
 982
 983   P
 984      Protection Space  5
 985      Proxy-Authenticate header field  8
 986      Proxy-Authorization header field  9
 987
 988   R
 989      Realm  5
 990
 991   W
 992      WWW-Authenticate header field  7
 993
 994
 995
 996
 997
 998
 999
1000
1001
1002
1003
1004
1005
1006
1007
1008
1009
1010Fielding & Reschke           Standards Track                   [Page 18]
1011
1012RFC 7235                 HTTP/1.1 Authentication               June 2014
1013
1014
1015Authors' Addresses
1016
1017   Roy T. Fielding (editor)
1018   Adobe Systems Incorporated
1019   345 Park Ave
1020   San Jose, CA  95110
1021   USA
1022
1023   EMail: fielding@gbiv.com
1024   URI:   http://roy.gbiv.com/
1025
1026
1027   Julian F. Reschke (editor)
1028   greenbytes GmbH
1029   Hafenweg 16
1030   Muenster, NW  48155
1031   Germany
1032
1033   EMail: julian.reschke@greenbytes.de
1034   URI:   http://greenbytes.de/tech/webdav/
1035
1036
1037
1038
1039
1040
1041
1042
1043
1044
1045
1046
1047
1048
1049
1050
1051
1052
1053
1054
1055
1056
1057
1058
1059
1060
1061
1062
1063
1064
1065
1066Fielding & Reschke           Standards Track                   [Page 19]
1067