Accept-Auth HTTP Header for 3xx/401 Negotiation, and Redirect Authentication Scheme

Document Type Expired Internet-Draft (individual)
Author Nicolás Williams 
Last updated 2020-10-12 (latest revision 2020-04-10)
Stream (None)
Intended RFC status (None)
Expired & archived
pdf htmlized (tools) htmlized bibtex
Stream Stream state (No stream defined)
Consensus Boilerplate Unknown
RFC Editor Note (None)
IESG IESG state Expired
Telechat date
Responsible AD (None)
Send notices to (None)

This Internet-Draft is no longer active. A copy of the expired Internet-Draft can be found at


The Hyper-Text Transport Protocol (HTTP) offers several authentication schemes, but many sites use redirection-based protocols to authenticate users. Some servers are faced with a connundrum, having to choose between two mutually-exclusive options: redirect responses or 401 (authentication required) responses without knowing which the user-agent is most likely to support. This document specifies new HTTP request headers by which many applications can improve interoperability even without changing their HTTP implementations. These new headers allow user-agents to advertise authentication- and redirect-related capbilities that servers can use to better make authentication and/or redirect decisions. Also specified is a new HTTP authentication scheme named "Redirect" that enables communication between redirecting and redirected authorities via preservation of "Authorization" headers across redirections. This enables arbitrary authentication and authorization protocols to work without requiring user-agent support for them and without having to (ab)use URI query parameters.


Nicolás Williams (

(Note: The e-mail addresses provided for the authors of this Internet-Draft may no longer be valid.)