HTTPAuth Working Group | J. Reschke |
Internet-Draft | greenbytes |
Obsoletes: 2617 (if approved) | October 27, 2014 |
Intended status: Standards Track | |
Expires: April 30, 2015 |
The 'Basic' HTTP Authentication Scheme
draft-ietf-httpauth-basicauth-update-02
This document defines the "Basic" Hypertext Transfer Protocol (HTTP) Authentication Scheme, which transmits credentials as userid/password pairs, obfuscated by the use of Base64 encoding.
Discussion of this draft takes place on the HTTPAuth working group mailing list (http-auth@ietf.org), which is archived at http://www.ietf.org/mail-archive/web/http-auth/current/maillist.html.
XML versions, latest edits and the issues list for this document are available from http://greenbytes.de/tech/webdav/#draft-ietf-httpauth-basicauth-update.
The changes in this draft are summarized in Appendix C.2.
This Internet-Draft is submitted in full conformance with the provisions of BCP 78 and BCP 79.
Internet-Drafts are working documents of the Internet Engineering Task Force (IETF). Note that other groups may also distribute working documents as Internet-Drafts. The list of current Internet-Drafts is at http://datatracker.ietf.org/drafts/current/.
Internet-Drafts are draft documents valid for a maximum of six months and may be updated, replaced, or obsoleted by other documents at any time. It is inappropriate to use Internet-Drafts as reference material or to cite them other than as "work in progress."
This Internet-Draft will expire on April 30, 2015.
Copyright (c) 2014 IETF Trust and the persons identified as the document authors. All rights reserved.
This document is subject to BCP 78 and the IETF Trust's Legal Provisions Relating to IETF Documents (http://trustee.ietf.org/license-info) in effect on the date of publication of this document. Please review these documents carefully, as they describe your rights and restrictions with respect to this document. Code Components extracted from this document must include Simplified BSD License text as described in Section 4.e of the Trust Legal Provisions and are provided without warranty as described in the Simplified BSD License.
This document may contain material from IETF Documents or IETF Contributions published or made publicly available before November 10, 2008. The person(s) controlling the copyright in some of this material may not have granted the IETF Trust the right to allow modifications of such material outside the IETF Standards Process. Without obtaining an adequate license from the person(s) controlling the copyright in such materials, this document may not be modified outside the IETF Standards Process, and derivative works of it may not be created outside the IETF Standards Process, except to format it for publication as an RFC or to translate it into languages other than English.
This document defines the "Basic" Hypertext Transfer Protocol (HTTP) Authentication Scheme ([RFC7235]), which transmits credentials as userid/password pairs, obfuscated by the use of Base64 encoding.
This scheme is not considered to be a secure method of user authentication unless used in conjunction with some external secure system such as TLS (Transport Layer Security, [RFC5246]), as the user name and password are passed over the network as cleartext.
The "Basic" scheme previously was defined in Section 2 of [RFC2617]. This document updates the definition, and also addresses internationalization issues by introducing the "charset" authentication parameter (Section 2.1).
Other documents updating RFC 2617 are "Hypertext Transfer Protocol (HTTP/1.1): Authentication" ([RFC7235], defining the authentication framework) and "HTTP Digest Access Authentication" ([DIGEST], updating the definition of the '"Digest" authentication scheme). Taken together, these three documents obsolete RFC 2617.
The key words "MUST", "MUST NOT", "REQUIRED", "SHALL", "SHALL NOT", "SHOULD", "SHOULD NOT", "RECOMMENDED", "MAY", and "OPTIONAL" in this document are to be interpreted as described in [RFC2119].
This specification uses the Augmented Backus-Naur Form (ABNF) notation of [RFC5234].
The terms protection space and realm are defined in Section 2.2 of [RFC7235].
The terms (character) repertoire and character encoding scheme are defined in Section 2 of [RFC6365].
The "Basic" authentication scheme is based on the model that the client needs to authenticate itself with a user-ID and a password for each protection space ("realm"). The realm value is an opaque string which can only be compared for equality with other realms on that server. The server will service the request only if it can validate the user-ID and password for the protection space applying to the requested resource.
The "Basic" authentication scheme utilizes the Authentication Framework as follows:
In challenges:
Note that both scheme and parameter names are matched case-insensitively.
For credentials, the "token-68" syntax defined in Section 2.2 of [RFC7235] is used. The value is computed based on user-id and password as defined below.
Upon receipt of a request for a URI within the protection space that lacks credentials, the server can reply with a challenge using the 401 (Unauthorized) status code ([RFC7235], Section 3.1) and the WWW-Authenticate header field ([RFC7235], Section 4.1).
For instance:
HTTP/1.1 401 Unauthorized Date: Mon, 04 Feb 2014 16:50:53 GMT WWW-Authenticate: Basic realm="WallyWorld"
...where "WallyWorld" is the string assigned by the server to identify the protection space.
A proxy can respond with a similar challenge using the 407 (Proxy Authentication Required) status code ([RFC7235], Section 3.2) and the Proxy-Authenticate header field ([RFC7235], Section 4.3).
To receive authorization, the client
The original definition of this authentication scheme failed to specify the character encoding scheme used to convert the user-pass into an octet sequence. In practice, most implementations chose either a local-specific encoding such as ISO-8859-1 ([ISO-8859-1]), or UTF-8 ([RFC3629]). For backwards compatibility reasons, this specification continues to leave the default encoding undefined, as long as it is compatible to US-ASCII (mapping any US-ASCII character to a single octet matching the US-ASCII character code).
Userid and password MUST NOT contain any control characters (see "CTL" in Appendix B.1 of [RFC5234]).
Furthermore, a userid containing a colon character is invalid, as recipients will split the user-pass at the first occurence of a colon character. Note that many user agents however will accept a colon in userid, thereby producing a user-pass string that recipients will likely treat in a way not intended by the user.
If the user agent wishes to send the userid "Aladdin" and password "open sesame", it would use the following header field:
Authorization: Basic QWxhZGRpbjpvcGVuIHNlc2FtZQ==
In challenges, servers can use the "charset" authentication parameter to indicate the character encoding scheme they expect the user agent to use when generating "user-pass" (a sequence of octets). This information is purely advisory.
The only allowed value is "UTF-8", to be matched case-insensitively (see [RFC2978], Section 2.3). It indicates that the server expects character data to be converted to Unicode Normalization Form C ("NFC", see Section 3 of [RFC5198]) and to be encoded into octets using the UTF-8 character encoding scheme ([RFC3629]).
Other values are reserved for future use.
In the example below, the server prompts for authentication in the "foo" realm, using Basic authentication, with a preference for the UTF-8 character encoding scheme:
WWW-Authenticate: Basic realm="foo", charset="UTF-8"
Note that the parameter value can be either a token or a quoted string; in this case the server chose to use the quoted-string notation.
The user's name is "test", and the password is the string "123" followed by the Unicode character U+00A3 (POUND SIGN). Using the character encoding scheme UTF-8, the user-pass becomes:
't' 'e' 's' 't' ':' '1' '2' '3' pound 74 65 73 74 3A 31 32 33 C2 A3
Encoding this octet sequence in Base64 ([RFC4648], Section 4) yields:
dGVzdDoxMjPCow==
Thus the Authorization header field would be:
Authorization: Basic dGVzdDoxMjPCow==
Or, for proxy authentication:
Proxy-Authorization: Basic dGVzdDoxMjPCow==
Given the absolute URI ([RFC3986], Section 4.3) of an authenticated request, the authentication scope of that request is obtained by removing all characters after the last slash ("/") character. A client SHOULD assume that resources identified by URIs with a prefix-match of the authentication scope are also within the protection space specified by the realm value of the that authenticated request.
A client MAY preemptively send the corresponding Authorization header field with requests for resources in that space without receipt of another challenge from the server. Similarly, when a client sends a request to a proxy, it may reuse a userid and password in the Proxy-Authorization header field without receiving another challenge from the proxy server.
For example, given an authenticated request to:
http://example.com/docs/index.html
...requests to the URIs below could use the known credentials:
http://example.com/docs/ http://example.com/docs/test.doc http://example.com/docs/?page=1
...while the URIs
http://example.com/other/ https://example.com/docs/
would be considered to be outside the authentication scope.
Note that a URI can be part of multiple authentication scopes (such as "http://example.com/" and "http://example.com/docs/"). This specification does not define which of these should be treated with higher priority.
User names or passwords containing characters outside the US-ASCII character repertoire will cause interoperability issues, unless both communication partners agree on what character encoding scheme is to be used. Senders can use the new 'charset' parameter (Section 2.1) to indicate a preference of "UTF-8", increasing the probability that clients will switch to that encoding.
The "realm" parameter carries data that can be considered textual, however [RFC7235] does not define a way to reliably transport non-US-ASCII characters. This is a known issue that would need to be addressed in that specification.
The Basic authentication scheme is not a secure method of user authentication, nor does it in any way protect the entity, which is transmitted in cleartext across the physical network used as the carrier. HTTP does not prevent the addition of enhancements (such as schemes to use one-time passwords) to Basic authentication.
The most serious flaw in Basic authentication is that it results in the essentially cleartext transmission of the user's password over the physical network. Many other authentication schemes address this problem.
Because Basic authentication involves the cleartext transmission of passwords it SHOULD NOT be used (without enhancements) to protect sensitive or valuable information.
A common use of Basic authentication is for identification purposes — requiring the user to provide a user name and password as a means of identification, for example, for purposes of gathering accurate usage statistics on a server. When used in this way it is tempting to think that there is no danger in its use if illicit access to the protected documents is not a major concern. This is only correct if the server issues both user name and password to the users and in particular does not allow the user to choose his or her own password. The danger arises because naive users frequently reuse a single password to avoid the task of maintaining multiple passwords.
If a server permits users to select their own passwords, then the threat is not only unauthorized access to documents on the server but also unauthorized access to any other resources on other systems that the user protects with the same password. Furthermore, in the server's password database, many of the passwords may also be users' passwords for other sites. The owner or administrator of such a system could therefore expose all users of the system to the risk of unauthorized access to all those sites if this information is not maintained in a secure fashion. This raises both security and privacy concerns ([RFC6973]). If the same username and password combination is in use to access other accounts, such as an email or health portal account, personal information could be exposed.
Basic Authentication is also vulnerable to spoofing by counterfeit servers. If a user can be led to believe that he is connecting to a host containing information protected by Basic authentication when, in fact, he is connecting to a hostile server or gateway, then the attacker can request a password, store it for later use, and feign an error. This type of attack is not possible with Digest Authentication. Server implementers SHOULD guard against the possibility of this sort of counterfeiting by gateways or CGI scripts. In particular it is very dangerous for a server to simply turn over a connection to a gateway. That gateway can then use the persistent connection mechanism to engage in multiple transactions with the client while impersonating the original server in a way that is not detectable by the client.
The use of the UTF-8 character encoding scheme introduces additional security considerations; see Section 10 of [RFC3629] for more information.
IANA maintains the registry of HTTP Authentication Schemes ([RFC7235]) at http://www.iana.org/assignments/http-authschemes.
The entry for the "Basic" Authentication Scheme shall be updated with a pointer to this specification.
This specification takes over the definition of the "Basic" HTTP Authentication Scheme, previously defined in RFC 2617. We thank John Franks, Phillip M. Hallam-Baker, Jeffery L. Hostetler, Scott D. Lawrence, Paul J. Leach, Ari Luotonen, and Lawrence C. Stewart for their work on that specification, from which significant amounts of text were borrowed. See Section 6 of [RFC2617] for further acknowledgements.
The internationalization problem with respect to the character encoding scheme used for user-pass has been reported as a Mozilla bug back in the year 2000 (see https://bugzilla.mozilla.org/show_bug.cgi?id=41489 and also the more recent https://bugzilla.mozilla.org/show_bug.cgi?id=656213). It was Andrew Clover's idea to address it using a new auth-param.
We also thank the members of the HTTPAuth Working Group, namely Stephen Farrell, Bjoern Hoehrmann, Amos Jeffries, James Manger, Kathleen Moriarty, Yaron Sheffer, Michael Sweet, and Martin Thomson for feedback on this revision.
[ISO-8859-1] | International Organization for Standardization, "Information technology -- 8-bit single-byte coded graphic character sets -- Part 1: Latin alphabet No. 1", ISO/IEC 8859-1:1998, 1998. |
[RFC2617] | Franks, J., Hallam-Baker, P., Hostetler, J., Lawrence, S., Leach, P., Luotonen, A. and L. Stewart, "HTTP Authentication: Basic and Digest Access Authentication", RFC 2617, June 1999. |
[RFC2831] | Leach, P. and C. Newman, "Using Digest Authentication as a SASL Mechanism", RFC 2831, May 2000. |
[RFC5246] | Dierks, T. and E. Rescorla, "The Transport Layer Security (TLS) Protocol Version 1.2", RFC 5246, August 2008. |
[RFC6973] | Cooper, A., Tschofenig, H., Aboba, B., Peterson, J., Morris, J., Hansen, M. and R. Smith, "Privacy Considerations for Internet Protocols", RFC 6973, July 2013. |
[RFC7231] | Fielding, R. and J. Reschke, "Hypertext Transfer Protocol (HTTP/1.1): Semantics and Content", RFC 7231, June 2014. |
The scheme definition has been rewritten to be consistent with newer specifications such as [RFC7235].
The new authentication parameter "charset" has been added. It is purely advisory, so existing implementations do not need to change, unless they want to take advantage of the additional information which previously wasn't available.
User agents not implementing 'charset' will continue to work as before, ignoring the new parameter.
User agents which already default to the UTF-8 encoding implement 'charset' by definition.
Other user agents can keep their default behavior, and switch to UTF-8 when seeing the new parameter.
Origin servers that do not support non-US-ASCII characters in credentials do not require any changes to support 'charset'.
Origin servers that need to support non-US-ASCII characters, but cannot use the UTF-8 character encoding scheme will not be affected; they will continue to function as well or as badly as before.
Finally, origin servers that need to support non-US-ASCII characters and can use the UTF-8 character encoding scheme can opt in as described above. In the worst case, they'll continue to see either broken credentials or no credentials at all (depending on how legacy clients handle characters they can not encode).
There are sites in use today that default to a local character encoding scheme, such as ISO-8859-1 ([ISO-8859-1]), and expect user agents to use that encoding. Authentication on these sites will stop to work if the user agent switches to a different encoding, such as UTF-8.
Note that sites might even inspect the User-Agent header field ([RFC7231], Section 5.5.3) to decide what character encoding scheme to expect from the client. Therefore they might support UTF-8 for some user agents, but default to something else for others. User agents in the latter group will have to continue to do what they do today until the majority of these servers have been upgraded to always use UTF-8.
This draft acts as a baseline for tracking subsequent changes to the specification. As such, it extracts the definition of "Basic", plus the related Security Considerations, and also adds the IANA registration of the scheme. Changes to the actual definition will be made in subsequent drafts.
Fixed Base64 reference to point to an actual definition of Base64.
Update HTTPbis and Digest references.
Note that this spec, together with HTTPbis P7 and the Digest update, obsoletes RFC 2617.
Rewrote text about authentication parameters and their extensibility.
Pulled in the definition of the "charset" parameter.
Removed a misleading statement about userids potentially being case-sensitive, as the same is true for passwords.
Added TODOs with respect to path matching, and colons in userids.
Minor improvements on Security Considerations.
Update Digest reference.
Rewrite scheme definition as algorithm rather than pseudo-ABNF.
Add a note about colons in userid.
Attempt to explain authentication scopes.