Authors are Yutaka Oiwa, Hajime Watanabe, Hiromitsu Takagi, Tatsuya
Hayashi and Yuichi Ioku. Kathleen Moriarty is the responsible Area
Director. Yoav Nir is the document shepherd.
This document specifies extensions for the HTTP authentication
framework for interactive clients. Currently, fundamental features
of HTTP-level authentication are insufficient for complex
requirements of various Web-based applications. This forces these
applications to implement their own authentication frameworks by
means like HTML forms, which becomes one of the hurdles against
introducing secure authentication mechanisms handled jointly by
servers and user-agent. The extended framework fills gaps between
Web application requirements and HTTP authentication provisions to
solve the above problems, while maintaining compatibility with
existing Web and non-Web uses of HTTP authentications.
Review and Consensus
This document is one in a three-part set of documents describing the
Mutual-Auth authentication method for HTTP. This part extends the HTTP
authentication framework from RFC 7235 to include optional
authentication as well as de-authorization (log out) and finer control
of redirection depending on authentication status.
With version -07 it is the consensus of the HTTP-Auth working group
that this document is fit to be published as an experimental RFC.
The document received a moderate amount of review from the working
group. In addition we solicited and received a review from Cory
There are implementations of this protocol written by the authors.
They take the form of a modified web server and a fork of the Firefox
browser that include this functionality.
All authors have confirmed that they are not aware of any undisclosed
IPR associated with this document. There have been no IPR disclosures.