One document matched: draft-ietf-httpauth-basicauth-update-03.xml
<?xml version="1.0" encoding="UTF-8"?>
<!--
This XML document is the output of clean-for-DTD.xslt; a tool that strips
extensions to RFC2629(bis) from documents for processing with xml2rfc.
-->
<?xml-stylesheet type='text/xsl' href='rfc2629.xslt' ?>
<?rfc toc="yes"?>
<?rfc symrefs="yes"?>
<?rfc sortrefs="yes"?>
<?rfc compact="yes"?>
<?rfc comments="yes"?>
<?rfc inline="yes"?>
<?rfc subcompact="no"?>
<?rfc rfcedstyle="yes"?>
<!DOCTYPE rfc
PUBLIC "" "rfc2629.dtd">
<rfc ipr="pre5378Trust200902" docName="draft-ietf-httpauth-basicauth-update-03" category="std" obsoletes="2617">
<front>
<title abbrev="'Basic' HTTP Authentication Scheme">The 'Basic' HTTP Authentication Scheme</title>
<author initials="J. F." surname="Reschke" fullname="Julian F. Reschke">
<organization abbrev="greenbytes">greenbytes GmbH</organization>
<address>
<postal>
<street>Hafenweg 16</street>
<city>Muenster</city><region>NW</region><code>48155</code>
<country>Germany</country>
</postal>
<email>julian.reschke@greenbytes.de</email>
<uri>http://greenbytes.de/tech/webdav/</uri>
</address>
</author>
<date year="2014" month="December" day="2"/>
<area>Security</area>
<workgroup>HTTPAuth Working Group</workgroup>
<keyword>HTTP</keyword>
<keyword>authentication scheme</keyword>
<abstract>
<t>
This document defines the "Basic" Hypertext Transfer Protocol (HTTP)
Authentication Scheme, which transmits credentials as userid/password
pairs, obfuscated by the use of Base64 encoding.
</t>
</abstract>
<note title="Editorial Note (To be removed by RFC Editor before publication)">
<t>
Discussion of this draft takes place on the HTTPAuth working group
mailing list (http-auth@ietf.org), which is archived at
<eref target="http://www.ietf.org/mail-archive/web/http-auth/current/maillist.html"/>.
</t>
<t>
XML versions, latest edits and the issues list for this document
are available from <eref target="http://greenbytes.de/tech/webdav/#draft-ietf-httpauth-basicauth-update"/>.
</t>
<t>
The changes in this draft are summarized in <xref target="changes.since.02"/>.
</t>
</note>
</front>
<middle>
<section anchor="introduction" title="Introduction">
<t>
This document defines the "Basic" Hypertext Transfer Protocol (HTTP)
Authentication Scheme (<xref target="RFC7235"/>),
which transmits credentials as userid/password pairs, obfuscated by the use
of Base64 encoding.
</t>
<t>
This scheme is not considered to be a secure method of user authentication
unless used in conjunction with some external secure system such as TLS
(Transport Layer Security, <xref target="RFC5246"/>), as the user name and
password are passed over the network as cleartext.
</t>
<t>
The "Basic" scheme previously was defined in Section 2 of <xref target="RFC2617"/>.
This document updates the definition, and also addresses internationalization issues
by introducing the "charset" authentication parameter (<xref target="charset"/>).
</t>
<t>
Other documents updating RFC 2617 are "Hypertext Transfer Protocol (HTTP/1.1): Authentication"
(<xref target="RFC7235"/>, defining the authentication framework) and
"HTTP Digest Access Authentication" (<xref target="DIGEST"/>,
updating the definition of the '"Digest" authentication scheme). Taken together,
these three documents obsolete RFC 2617.
</t>
<section anchor="notational.conventions" title="Notational Conventions">
<t>
The key words "MUST", "MUST NOT", "REQUIRED", "SHALL", "SHALL NOT",
"SHOULD", "SHOULD NOT", "RECOMMENDED", "MAY", and "OPTIONAL" in this document
are to be interpreted as described in <xref target="RFC2119"/>.
</t>
<section anchor="syntax.notation" title="Syntax Notation">
<t>
This specification uses the Augmented Backus-Naur Form (ABNF) notation
of <xref target="RFC5234"/>.
</t>
<t>
The terms protection space and realm are
defined in Section 2.2 of <xref target="RFC7235"/>.
</t>
<t>
The terms (character) repertoire and
character encoding scheme are defined in
Section 2 of <xref target="RFC6365"/>.
</t>
</section>
</section>
</section>
<section anchor="basic.authentication.scheme" title="The 'Basic' Authentication Scheme">
<t>
The "Basic" authentication scheme is based on the model that the
client needs to authenticate itself with a user-ID and a password for
each protection space ("realm"). The realm value is an opaque string
which can only be compared for equality with other realms on that
server. The server will service the request only if it can validate
the user-ID and password for the protection space applying to the
requested resource.
</t>
<t>
The "Basic" authentication scheme utilizes the Authentication Framework as
follows:
</t>
<t>
In challenges:
<list style="symbols">
<t>the scheme name is "Basic"</t>
<t>the authentication parameter "realm" is REQUIRED (<xref target="RFC7235"/>, Section 2.2)</t>
<t>the authentication parameter "charset" is OPTIONAL (see <xref target="charset"/>)</t>
<t>no other authentication parameters are defined — unknown parameters MUST
be ignored by recipients, and new parameters can only be defined by revising this
specification</t>
</list>
</t>
<t>
Note that both scheme and parameter names are matched case-insensitively.
</t>
<t>
For credentials, the "token-68" syntax defined in Section 2.2 of <xref target="RFC7235"/>
is used. The value is computed based on user-id and password as defined below.
</t>
<t>
Upon receipt of a request for a URI within the protection space that lacks
credentials, the server can reply with a challenge using the
401 (Unauthorized) status code (<xref target="RFC7235"/>, Section 3.1) and the WWW-Authenticate header field
(<xref target="RFC7235"/>, Section 4.1).
</t>
<figure>
<preamble>For instance:</preamble>
<artwork type="message/http; msgtype="request""><![CDATA[
HTTP/1.1 401 Unauthorized
Date: Mon, 04 Feb 2014 16:50:53 GMT
WWW-Authenticate: Basic realm="WallyWorld"
]]></artwork>
<postamble>...where "WallyWorld" is the string assigned by the server to identify
the protection space.</postamble>
</figure>
<t>
A proxy can respond with a similar challenge using the 407 (Proxy Authentication Required)
status code (<xref target="RFC7235"/>, Section 3.2) and the Proxy-Authenticate header field (<xref target="RFC7235"/>, Section 4.3).
</t>
<t>
To receive authorization, the client
<list style="numbers">
<t>obtains userid and password from the user,</t>
<t>constructs the user-pass by concatenating userid, a single colon (":") character, and the password,</t>
<t>encodes the user-pass into an octet sequence (see below for a discussion of character encoding schemes),</t>
<t>and obtains the basic-credentials by encoding this octet sequence using base64 (<xref target="RFC4648"/>, Section 4) into a sequence of US-ASCII characters (<xref target="USASCII"/>).</t>
</list>
</t>
<t>
The original definition of this authentication scheme failed to
specify the character encoding scheme used to convert the user-pass into
an octet sequence. In practice, most implementations chose either a local-specific
encoding such as ISO-8859-1 (<xref target="ISO-8859-1"/>), or UTF-8
(<xref target="RFC3629"/>). For backwards compatibility reasons, this specification
continues to leave the default encoding undefined, as long as it is compatible
to US-ASCII (mapping any US-ASCII character to a single octet matching the
US-ASCII character code).
</t>
<t>
Userid and password MUST NOT contain any control characters (see
"CTL" in Appendix B.1 of <xref target="RFC5234"/>).
</t>
<t>
Furthermore, a userid containing a colon character is invalid, as recipients will
split the user-pass at the first occurence of a colon character. Note that
many user agents however will accept a colon in userid, thereby
producing a user-pass string that recipients will likely treat in a way
not intended by the user.
</t>
<figure>
<preamble>
If the user agent wishes to send the userid "Aladdin" and password
"open sesame", it would use the following header field:</preamble>
<artwork type="example"><![CDATA[
Authorization: Basic QWxhZGRpbjpvcGVuIHNlc2FtZQ==
]]></artwork></figure>
<section anchor="charset" title="The 'charset' auth-param">
<t>
In challenges, servers can use the "charset" authentication parameter
to indicate the character encoding scheme they expect the user
agent to use when generating "user-pass" (a sequence of octets). This
information is purely advisory.
</t>
<t>
The only allowed value is "UTF-8", to be matched case-insensitively
(see <xref target="RFC2978"/>, Section 2.3). It indicates that
the server expects character data to be converted to Unicode
Normalization Form C ("NFC", see Section 3 of <xref target="RFC5198"/>)
and to be encoded into octets using the UTF-8 character encoding scheme
(<xref target="RFC3629"/>).
</t>
<t>
For the userid, recipients MUST support all characters defined
in the "UsernameCasePreserved" profile defined in
in Section 3.3 of <xref target="PRECIS"/>, with the exception of the
colon (":") character.
</t>
<t>
For the password, recipients MUST support all characters defined
in the "Password" profile defined in
in Section 4.2 of <xref target="PRECIS"/>.
</t>
<t>
Other values are reserved for future use.
</t>
<t><list>
<t>
Note: The 'charset' is only defined on challenges, as "Basic"
uses a single token for credentials ('token68' syntax), thus the
credentials syntax isn't extensible.
</t>
</list></t>
<t><list>
<t>
Note: The name 'charset' has been chosen for consistency with
Section 2.1.1 of <xref target="RFC2831"/>. A better name would have
been 'accept-charset', as it is not about the message it appears in, but
the server's expectation.
</t>
</list></t>
<figure>
<preamble>In the example below, the server prompts for authentication in the "foo" realm,
using Basic authentication, with a preference for the UTF-8 character encoding scheme:</preamble>
<artwork type="example"><![CDATA[
WWW-Authenticate: Basic realm="foo", charset="UTF-8"
]]></artwork>
<postamble>Note that the parameter value can be either a token or a quoted
string; in this case the server chose to use the quoted-string notation.</postamble>
</figure>
<t>
The user's name is "test", and the password is the string "123" followed by
the Unicode character U+00A3 (POUND SIGN). Using the character encoding
scheme UTF-8, the user-pass becomes:
</t>
<figure><artwork type="example"><![CDATA[
't' 'e' 's' 't' ':' '1' '2' '3' pound
74 65 73 74 3A 31 32 33 C2 A3
]]></artwork></figure>
<t>
Encoding this octet sequence in Base64 (<xref target="RFC4648"/>, Section 4) yields:
</t>
<figure><artwork type="example"><![CDATA[
dGVzdDoxMjPCow==
]]></artwork></figure>
<t>
Thus the Authorization header field would be:
</t>
<figure><artwork type="example"><![CDATA[
Authorization: Basic dGVzdDoxMjPCow==
]]></artwork></figure>
<t>
Or, for proxy authentication:
</t>
<figure><artwork type="example"><![CDATA[
Proxy-Authorization: Basic dGVzdDoxMjPCow==
]]></artwork></figure>
</section>
<section anchor="reusing.credentials" title="Re-using Credentials">
<t>
Given the absolute URI (<xref target="RFC3986"/>, Section 4.3)
of an authenticated request, the authentication scope of
that request is obtained by removing all characters after the last
slash ("/") character. A client SHOULD assume that resources identified
by URIs with a prefix-match of the authentication scope are also
within the protection space specified by the realm value of
the that authenticated request.
</t>
<t>
A client MAY preemptively send the corresponding Authorization header
field with requests for resources in
that space without receipt of another challenge from the server.
Similarly, when a client sends a request to a proxy, it may reuse a
userid and password in the Proxy-Authorization header field without
receiving another challenge from the proxy server.
</t>
<figure>
<preamble>
For example, given an authenticated request to:
</preamble>
<artwork type="example"><![CDATA[
http://example.com/docs/index.html
]]></artwork>
</figure>
<figure>
<preamble>
...requests to the URIs below could use the known credentials:
</preamble>
<artwork type="example"><![CDATA[
http://example.com/docs/
http://example.com/docs/test.doc
http://example.com/docs/?page=1
]]></artwork>
</figure>
<figure>
<preamble>
...while the URIs
</preamble>
<artwork type="example"><![CDATA[
http://example.com/other/
https://example.com/docs/
]]></artwork>
<postamble>
would be considered to be outside the authentication scope.
</postamble>
</figure>
<t>
Note that a URI can be part of multiple authentication scopes (such
as "http://example.com/" and "http://example.com/docs/"). This specification
does not define which of these should be treated with higher priority.
</t>
</section>
</section>
<section anchor="internationalization.considerations" title="Internationalization Considerations">
<t>
User names or passwords containing characters outside the US-ASCII
character repertoire will cause interoperability issues, unless both
communication partners agree on what character encoding scheme is to be
used. Senders can use the new 'charset' parameter (<xref target="charset"/>)
to indicate a preference of "UTF-8", increasing the probability that clients
will switch to that encoding.
</t>
<t>
The "realm" parameter carries data that can be considered textual, however
<xref target="RFC7235"/> does not define a way to reliably transport non-US-ASCII
characters. This is a known issue that would need to be addressed in that
specification.
</t>
</section>
<section anchor="security.considerations" title="Security Considerations">
<t>
The Basic authentication scheme is not a secure method of user
authentication, nor does it in any way protect the entity, which is
transmitted in cleartext across the physical network used as the
carrier. HTTP does not prevent the addition of enhancements (such as
schemes to use one-time passwords) to Basic authentication.
</t>
<t>
The most serious flaw in Basic authentication is that it results in
the essentially cleartext transmission of the user's password over
the physical network. Many other authentication schemes address this
problem.
</t>
<t>
Because Basic authentication involves the cleartext transmission of
passwords it SHOULD NOT be used (without enhancements) to protect
sensitive or valuable information.
</t>
<t>
A common use of Basic authentication is for identification purposes
— requiring the user to provide a user name and password as a means
of identification, for example, for purposes of gathering accurate
usage statistics on a server. When used in this way it is tempting to
think that there is no danger in its use if illicit access to the
protected documents is not a major concern. This is only correct if
the server issues both user name and password to the users and in
particular does not allow the user to choose his or her own password.
The danger arises because naive users frequently reuse a single
password to avoid the task of maintaining multiple passwords.
</t>
<t>
If a server permits users to select their own passwords, then the
threat is not only unauthorized access to documents on the server but
also unauthorized access to any other resources on other systems that
the user protects with the same password. Furthermore, in the
server's password database, many of the passwords may also be users'
passwords for other sites. The owner or administrator of such a
system could therefore expose all users of the system to the risk of
unauthorized access to all those sites if this information is not
maintained in a secure fashion. This raises both security and privacy
concerns (<xref target="RFC6973"/>). If the same username and password
combination is in use to access other accounts, such as an email or health
portal account, personal information could be exposed.
</t>
<t>
Basic Authentication is also vulnerable to spoofing by counterfeit
servers. If a user can be led to believe that he is connecting to a
host containing information protected by Basic authentication when,
in fact, he is connecting to a hostile server or gateway, then the
attacker can request a password, store it for later use, and feign an
error. This type of attack is not possible with Digest
Authentication. Server implementers SHOULD guard against the
possibility of this sort of counterfeiting by gateways or CGI
scripts. In particular it is very dangerous for a server to simply
turn over a connection to a gateway. That gateway can then use the
persistent connection mechanism to engage in multiple transactions
with the client while impersonating the original server in a way that
is not detectable by the client.
</t>
<t>
The use of the UTF-8 character encoding scheme introduces additional
security considerations; see Section 10 of <xref target="RFC3629"/>
for more information.
</t>
</section>
<section anchor="iana.considerations" title="IANA Considerations">
<t>
IANA maintains the registry of HTTP Authentication Schemes (<xref target="RFC7235"/>)
at <eref target="http://www.iana.org/assignments/http-authschemes"/>.
</t>
<t>
The entry for the "Basic" Authentication Scheme shall be updated with a pointer
to this specification.
</t>
</section>
<section title="Acknowledgements">
<t>
This specification takes over the definition of the "Basic" HTTP Authentication
Scheme, previously defined in RFC 2617. We thank John Franks,
Phillip M. Hallam-Baker, Jeffery L. Hostetler, Scott D. Lawrence,
Paul J. Leach, Ari Luotonen, and Lawrence C. Stewart for their work on
that specification, from which significant amounts of text were borrowed.
See Section 6 of <xref target="RFC2617"/> for further acknowledgements.
</t>
<t>
The internationalization problem with respect to the character encoding scheme
used for user-pass has been reported as a Mozilla bug back in the year 2000 (see <eref target="https://bugzilla.mozilla.org/show_bug.cgi?id=41489"/>
and also the more recent <eref target="https://bugzilla.mozilla.org/show_bug.cgi?id=656213"/>).
It was Andrew Clover's idea to address it using a new auth-param.
</t>
<t>
We also thank the members of the HTTPAuth Working Group, namely Stephen Farrell, Bjoern Hoehrmann, Amos Jeffries, James Manger,
Kathleen Moriarty, Yaron Sheffer, Michael Sweet, and Martin Thomson for feedback on this revision.
</t>
</section>
</middle>
<back>
<references title="Normative References">
<reference anchor="RFC2119">
<front>
<title abbrev="RFC Key Words">Key words for use in RFCs to Indicate Requirement Levels</title>
<author initials="S." surname="Bradner" fullname="Scott Bradner"/>
<date month="March" year="1997"/>
</front>
<seriesInfo name="BCP" value="14"/>
<seriesInfo name="RFC" value="2119"/>
</reference>
<reference anchor="RFC2978">
<front>
<title>IANA Charset Registration Procedures</title>
<author initials="N." surname="Freed" fullname="N. Freed"/>
<author initials="J." surname="Postel" fullname="J. Postel"/>
<date year="2000" month="October"/>
</front>
<seriesInfo name="BCP" value="19"/>
<seriesInfo name="RFC" value="2978"/>
</reference>
<reference anchor="RFC3629">
<front>
<title>UTF-8, a transformation format of ISO 10646</title>
<author initials="F." surname="Yergeau" fullname="F. Yergeau">
<organization>Alis Technologies</organization>
<address><email>fyergeau@alis.com</email></address>
</author>
<date month="November" year="2003"/>
</front>
<seriesInfo name="STD" value="63"/>
<seriesInfo name="RFC" value="3629"/>
</reference>
<reference anchor="RFC3986">
<front>
<title abbrev="URI Generic Syntax">Uniform Resource Identifier (URI): Generic Syntax</title>
<author initials="T." surname="Berners-Lee" fullname="Tim Berners-Lee"/>
<author initials="R." surname="Fielding" fullname="Roy T. Fielding"/>
<author initials="L." surname="Masinter" fullname="Larry Masinter"/>
<date month="January" year="2005"/>
</front>
<seriesInfo name="STD" value="66"/>
<seriesInfo name="RFC" value="3986"/>
</reference>
<reference anchor="RFC4648">
<front>
<title>The Base16, Base32, and Base64 Data Encodings</title>
<author fullname="S. Josefsson" initials="S." surname="Josefsson"/>
<date year="2006" month="October"/>
</front>
<seriesInfo value="4648" name="RFC"/>
</reference>
<reference anchor="RFC5198">
<front>
<title>Unicode Format for Network Interchange</title>
<author initials="J." surname="Klensin" fullname="J. Klensin"/>
<author initials="M." surname="Padlipsky" fullname="M. Padlipsky"/>
<date year="2008" month="March"/>
</front>
<seriesInfo name="RFC" value="5198"/>
</reference>
<reference anchor="RFC5234">
<front>
<title abbrev="ABNF for Syntax Specifications">Augmented BNF for Syntax Specifications: ABNF</title>
<author initials="D." surname="Crocker" fullname="Dave Crocker" role="editor">
<organization>Brandenburg InternetWorking</organization>
<address>
<email>dcrocker@bbiw.net</email>
</address>
</author>
<author initials="P." surname="Overell" fullname="Paul Overell">
<organization>THUS plc.</organization>
<address>
<email>paul.overell@thus.net</email>
</address>
</author>
<date month="January" year="2008"/>
</front>
<seriesInfo name="STD" value="68"/>
<seriesInfo name="RFC" value="5234"/>
</reference>
<reference anchor="RFC6365">
<front>
<title>Terminology Used in Internationalization in the IETF</title>
<author initials="P." surname="Hoffman" fullname="P. Hoffman"/>
<author initials="J." surname="Klensin" fullname="J. Klensin"/>
<date year="2011" month="September"/>
</front>
<seriesInfo name="BCP" value="166"/>
<seriesInfo name="RFC" value="6365"/>
</reference>
<reference anchor="RFC7235">
<front>
<title>Hypertext Transfer Protocol (HTTP/1.1): Authentication</title>
<author fullname="Roy T. Fielding" initials="R." role="editor" surname="Fielding"/>
<author fullname="Julian F. Reschke" initials="J. F." role="editor" surname="Reschke"/>
<date month="June" year="2014"/>
</front>
<seriesInfo name="RFC" value="7235"/>
</reference>
<reference anchor="DIGEST">
<front>
<title>HTTP Digest Access Authentication</title>
<author initials="R." surname="Shekh-Yusef" fullname="Rifaat Shekh-Yusef" role="editor"/>
<author initials="D." surname="Ahrens" fullname="David Ahrens"/>
<author initials="S." surname="Bremer" fullname="Sophie Bremer"/>
<date month="August" year="2014"/>
</front>
<seriesInfo name="Internet-Draft" value="draft-ietf-httpauth-digest-08"/>
</reference>
<reference anchor="USASCII">
<front>
<title>Coded Character Set -- 7-bit American Standard Code for Information Interchange</title>
<author>
<organization>American National Standards Institute</organization>
</author>
<date year="1986"/>
</front>
<seriesInfo name="ANSI" value="X3.4"/>
</reference>
<reference anchor="PRECIS">
<front>
<title>Preparation, Enforcement, and Comparison of Internationalized Strings Representing Usernames and Passwords</title>
<author initials="P." surname="Saint-Andre" fullname="Peter Saint-Andre"/>
<author initials="A." surname="Melnikov" fullname="Alexey Melnikow"/>
<date year="2014" month="November"/>
</front>
<seriesInfo name="Internet-Draft" value="draft-ietf-precis-saslprepbis-11"/>
</reference>
</references>
<references title="Informative References">
<reference anchor="ISO-8859-1">
<front>
<title>Information technology -- 8-bit single-byte coded graphic character sets -- Part 1: Latin alphabet No. 1</title>
<author>
<organization>International Organization for Standardization</organization>
</author>
<date year="1998"/>
</front>
<seriesInfo name="ISO/IEC" value="8859-1:1998"/>
</reference>
<reference anchor="RFC2617">
<front>
<title abbrev="HTTP Authentication">HTTP Authentication: Basic and Digest Access Authentication</title>
<author initials="J." surname="Franks" fullname="John Franks"/>
<author initials="P.M." surname="Hallam-Baker" fullname="Phillip M. Hallam-Baker"/>
<author initials="J.L." surname="Hostetler" fullname="Jeffery L. Hostetler"/>
<author initials="S.D." surname="Lawrence" fullname="Scott D. Lawrence"/>
<author initials="P.J." surname="Leach" fullname="Paul J. Leach"/>
<author initials="A." surname="Luotonen" fullname="Ari Luotonen"/>
<author initials="L." surname="Stewart" fullname="Lawrence C. Stewart"/>
<date month="June" year="1999"/>
</front>
<seriesInfo name="RFC" value="2617"/>
</reference>
<reference anchor="RFC2831">
<front>
<title>Using Digest Authentication as a SASL Mechanism</title>
<author initials="P." surname="Leach" fullname="P. Leach"/>
<author initials="C." surname="Newman" fullname="C. Newman"/>
<date year="2000" month="May"/>
</front>
<seriesInfo name="RFC" value="2831"/>
</reference>
<reference anchor="RFC5246">
<front>
<title>The Transport Layer Security (TLS) Protocol Version 1.2</title>
<author initials="T." surname="Dierks" fullname="T. Dierks"/>
<author initials="E." surname="Rescorla" fullname="E. Rescorla"/>
<date year="2008" month="August"/>
</front>
<seriesInfo name="RFC" value="5246"/>
</reference>
<reference anchor="RFC6973">
<front>
<title>Privacy Considerations for Internet Protocols</title>
<author initials="A." surname="Cooper" fullname="Alissa Cooper"/>
<author initials="H." surname="Tschofenig" fullname="Hannes Tschofenig"/>
<author initials="B." surname="Aboba" fullname="Bernard Aboba"/>
<author initials="J." surname="Peterson" fullname="Jon Peterson"/>
<author initials="J." surname="Morris" fullname="John B. Morris"/>
<author initials="M." surname="Hansen" fullname="Marit Hansen"/>
<author initials="R." surname="Smith" fullname="Rhys Smith"/>
<date year="2013" month="July"/>
</front>
<seriesInfo name="RFC" value="6973"/>
</reference>
<reference anchor="RFC7231">
<front>
<title>Hypertext Transfer Protocol (HTTP/1.1): Semantics and Content</title>
<author fullname="Roy T. Fielding" initials="R." role="editor" surname="Fielding">
<organization abbrev="Adobe">Adobe Systems Incorporated</organization>
<address><email>fielding@gbiv.com</email></address>
</author>
<author fullname="Julian F. Reschke" initials="J. F." role="editor" surname="Reschke">
<organization abbrev="greenbytes">greenbytes GmbH</organization>
<address><email>julian.reschke@greenbytes.de</email></address>
</author>
<date month="June" year="2014"/>
</front>
<seriesInfo name="RFC" value="7231"/>
</reference>
</references>
<section title="Changes from RFC 2617">
<t>
The scheme definition has been rewritten to be consistent with newer
specifications such as <xref target="RFC7235"/>.
</t>
<t>
The new authentication parameter "charset" has been added. It is purely
advisory, so existing implementations do not need to change, unless
they want to take advantage of the additional information which
previously wasn't available.
</t>
</section>
<section title="Deployment Considerations for the 'charset' Parameter">
<section title="User Agents">
<t>
User agents not implementing 'charset' will continue to work as
before, ignoring the new parameter.
</t>
<t>
User agents which already default to the UTF-8 encoding implement
'charset' by definition.
</t>
<!-- TODO: check whether XHR still says this <t>
Note that some user agents also have different defaults depending
on whether the request originates from page navigation as opposed to a
script-driven request using XMLHttpRequest <xref target="XHR"/>.
</t>-->
<t>
Other user agents can keep their default behavior, and switch to UTF-8
when seeing the new parameter.
</t>
</section>
<section title="Origin Servers">
<t>
Origin servers that do not support non-US-ASCII characters in credentials do not
require any changes to support 'charset'.
</t>
<t>
Origin servers that need to support non-US-ASCII characters, but cannot use
the UTF-8 character encoding scheme will not be affected; they will continue to function
as well or as badly as before.
</t>
<t>
Finally, origin servers that need to support non-US-ASCII characters and can
use the UTF-8 character encoding scheme can opt in as described above. In the worst case,
they'll continue to see either broken credentials or no credentials at
all (depending on how legacy clients handle characters they can not
encode).
</t>
</section>
<section title="Why not simply switch the default encoding to UTF-8?">
<t>
There are sites in use today that default to a local character encoding scheme, such as
ISO-8859-1 (<xref target="ISO-8859-1"/>), and expect user agents to use that encoding. Authentication on these sites
will stop to work if the user agent switches to a different encoding, such as UTF-8.
</t>
<t>
Note that sites might even inspect the User-Agent header field
(<xref target="RFC7231"/>, Section 5.5.3) to decide what character encoding scheme to expect from the client.
Therefore they might support UTF-8 for some user agents, but default to
something else for others. User agents in the latter group will have to
continue to do what they do today until the majority of these servers
have been upgraded to always use UTF-8.
</t>
</section>
</section>
<section anchor="change.log" title="Change Log (to be removed by RFC Editor before publication)">
<section anchor="changes.since.rfc2617" title="Since RFC 2617">
<t>
This draft acts as a baseline for tracking subsequent changes to the
specification. As such, it extracts the definition of "Basic", plus the related Security
Considerations, and also adds the IANA registration of the scheme.
Changes to the actual definition will be made in subsequent drafts.
</t>
</section>
<section anchor="changes.since.00" title="Since draft-ietf-httpauth-basicauth-update-00">
<t>
Fixed Base64 reference to point to an actual definition of Base64.
</t>
<t>
Update HTTPbis and Digest references.
</t>
<t>
Note that this spec, together with HTTPbis P7 and the Digest update, obsoletes RFC 2617.
</t>
<t>
Rewrote text about authentication parameters and their extensibility.
</t>
<t>
Pulled in the definition of the "charset" parameter.
</t>
<t>
Removed a misleading statement about userids potentially being case-sensitive,
as the same is true for passwords.
</t>
<t>
Added TODOs with respect to path matching, and colons in userids.
</t>
</section>
<section anchor="changes.since.01" title="Since draft-ietf-httpauth-basicauth-update-01">
<t>
Minor improvements on Security Considerations.
</t>
<t>
Update Digest reference.
</t>
<t>
Rewrite scheme definition as algorithm rather than pseudo-ABNF.
</t>
<t>
Add a note about colons in userid.
</t>
<t>
Attempt to explain authentication scopes.
</t>
</section>
<section anchor="changes.since.02" title="Since draft-ietf-httpauth-basicauth-update-02">
<t>
Reference draft-ietf-precis-saslprepbis for the set of characters that
need to be supported in userids and passwords.
</t>
</section>
</section>
</back>
</rfc>| PAFTECH AB 2003-2026 | 2026-04-23 02:47:55 |