Technical Summary
This document specifies extensions for the HTTP authentication
framework for interactive clients. Currently, fundamental features
of HTTP-level authentication are insufficient for complex
requirements of various Web-based applications. This forces these
applications to implement their own authentication frameworks by
means like HTML forms, which becomes one of the hurdles against
introducing secure authentication mechanisms handled jointly by
servers and user-agent. The extended framework fills gaps between
Web application requirements and HTTP authentication provisions to
solve the above problems, while maintaining compatibility with
existing Web and non-Web uses of HTTP authentications.
This document is one in a three-part set of documents describing the
Mutual-Auth authentication method for HTTP. This part extends the HTTP
authentication framework from RFC 7235 to include optional
authentication as well as de-authorization (log out) and finer control
of redirection depending on authentication status.
Working Group Summary
With version -07 it is the consensus of the HTTP-Auth working group
that this document is fit to be published as an experimental RFC.
The document received a moderate amount of review from the working
group. In addition we solicited and received a review from Cory
Benfield.
Document Quality
There are implementations of this protocol written by the authors.
They take the form of a modified web server and a fork of the Firefox
browser that include this functionality.
Personnel
Yoav Nir is the Document Shepherd and
Kathleen Moriarty is the Responsible Area Director
IANA Note
This document establishes a registry with initial entries for HTTP authentication
control parameters. New entries to this registry are by "Specification Required"
described in [RFC5226]. The specification must be publicly accessible.
This document also defines two new entries for the "Permanent Message
Header Field Names" registry