Network Working Group R. Van Rein
Internet-Draft InternetWide.org
Intended status: Standards Track January 24, 2020
Expires: July 27, 2020
User Names for HTTP Resources
draft-vanrein-http-unauth-user-02
Abstract
Most protocols support users under domain names, but HTTP does not.
Usage patterns in the wild do suggest a desire to have this facility.
This specification defines a header for user names, orthogonal to any
authentication or authorisation concerns.
Status of This Memo
This Internet-Draft is submitted in full conformance with the
provisions of BCP 78 and BCP 79.
Internet-Drafts are working documents of the Internet Engineering
Task Force (IETF). Note that other groups may also distribute
working documents as Internet-Drafts. The list of current Internet-
Drafts is at https://datatracker.ietf.org/drafts/current/.
Internet-Drafts are draft documents valid for a maximum of six months
and may be updated, replaced, or obsoleted by other documents at any
time. It is inappropriate to use Internet-Drafts as reference
material or to cite them other than as "work in progress."
This Internet-Draft will expire on July 27, 2020.
Copyright Notice
Copyright (c) 2020 IETF Trust and the persons identified as the
document authors. All rights reserved.
This document is subject to BCP 78 and the IETF Trust's Legal
Provisions Relating to IETF Documents
(https://trustee.ietf.org/license-info) in effect on the date of
publication of this document. Please review these documents
carefully, as they describe your rights and restrictions with respect
to this document. Code Components extracted from this document must
include Simplified BSD License text as described in Section 4.e of
the Trust Legal Provisions and are provided without warranty as
described in the Simplified BSD License.
Van Rein Expires July 27, 2020 [Page 1]
Internet-Draft HTTP user@ January 2020
Table of Contents
1. Introduction . . . . . . . . . . . . . . . . . . . . . . . . 2
2. The HTTP User Header . . . . . . . . . . . . . . . . . . . . 3
3. Protocol Handling of HTTP User . . . . . . . . . . . . . . . 3
4. Caching Behaviour . . . . . . . . . . . . . . . . . . . . . . 3
5. IANA Considerations . . . . . . . . . . . . . . . . . . . . . 4
6. Security Considerations . . . . . . . . . . . . . . . . . . . 4
7. Normative References . . . . . . . . . . . . . . . . . . . . 4
Appendix A. HTTP User Environment Variable . . . . . . . . . . . 4
Author's Address . . . . . . . . . . . . . . . . . . . . . . . . 5
1. Introduction
Most protocols support Network Access Identifiers [RFC7542] like
john@example.com to identify users like john under domains such as
example.com. The URI format for HTTP can express [Section 2.7.1 of
[RFC7230]] such authority sections, and many online applications seem
to want to address individual users, but HTTP URIs do not usually
express user names. This specification therefore introduces a header
"User", in close parallel to the "Host" header.
Historically, user names have been coupled to (Basic and Digest)
authentication. This is not generally correct; the user name in the
URI indicates a resource name space, not an (authenticating) visitor.
By using a new header field, this specification allows authentication
to be orthogonal to resource name space selection.
Some user agents have supported (Basic and Digest) authentication
with a "user:password" format in the authority section of URIs. This
has now been deprecated [Section 3.2.1 of [RFC3986]] but the form
with just "user" and no ":password" continues to be acceptable.
Various HTTP clients have different handling for this form, sometimes
flagging it incorrectly as a security hazard, which also motivates a
specification for proper handling.
TODO: Issue filed with HTTPbis, https://github.com/httpwg/http-core/
issues/278 and offered a Pull Request, https://github.com/httpwg/
http-core/compare/master...arpa2:userinfo-password as a followup of
somewhat late Errata against RFC7230, https://www.rfc-
editor.org/errata/eid5964
The purpose of this specification is to define clear meaning for HTTP
URIs with a user name.
Van Rein Expires July 27, 2020 [Page 2]
Internet-Draft HTTP user@ January 2020
2. The HTTP User Header
The "User" header field provides an aspect of the desired resource
name scope. The value is usually taken from the authority section
[Section 3.2 of [RFC3986]] of the target URI and MUST NOT include a
":" colon (U+003a) character.
The User header value holds precisely one value with the following
ABNF grammar:
User = 1*( unreserved / pct-encoded / sub-delims )
The referenced non-terminals are as for URIs [RFC3986]. Zeal in the
use of the "pct-encoded" non-terminal for plain characters that have
a direct representation MAY be treated as an attempted attack.
The User header MAY appear in requests and MUST NOT occur in
responses.
When unrecognised by HTTP servers, the User header is ignored
[Section 3.2.1 of [RFC7230]]. Intermediates such as proxies and
caches MUST NOT add, remove or modify the User header.
3. Protocol Handling of HTTP User
User agents SHOULD render user names in authority sections whenever
they render host names, though it may be helpful if it stands out
graphically [Section 7.6 of [RFC3986]]. User agents SHOULD NOT
remove user names from the target URI. User agents MAY remove the
"@" (U+0040) symbol from a URI when the preceding user name is empty.
User agents MUST refuse URIs with a ":" colon (U+003a) in the user
name but MUST NOT complain about a user name that does not have that
character.
During redirects or other traversals to (relative) HTTP URIs, the
user name MUST be overwritten when the new URI specifies an authority
component, and it MUST be kept otherwise.
4. Caching Behaviour
The privacy or security of an HTTP resource is not impacted by the
use of a User header. This is because User is about resource
location, but not about client identity.
HTTP caches [RFC7234] need to distinguish requests with different
User header values. The Vary header [Section 7.1.4 of [RFC7231]]
MUST be present in the matching response, and the header MUST either
be a single "*" star (U+002a) or list the "user" name, for all
Van Rein Expires July 27, 2020 [Page 3]
Internet-Draft HTTP user@ January 2020
responses whose processing was influenced by the User header. This
requirement does not apply to software and configurations that ignore
the User header.
5. IANA Considerations
IANA adds the following entry to the Message Headers registry:
Header Field Name Template Protocol Status Reference
------------------ --------- --------- ------- ----------
User http TBD TBD:THIS_SPEC
6. Security Considerations
The User header field as defined herein is orthogonal to issues of
authentication or authorisation, and adds no security concerns.
7. Normative References
[RFC3986] Berners-Lee, T., Fielding, R., and L. Masinter, "Uniform
Resource Identifier (URI): Generic Syntax", STD 66,
RFC 3986, DOI 10.17487/RFC3986, January 2005,
<https://www.rfc-editor.org/info/rfc3986>.
[RFC7230] Fielding, R., Ed. and J. Reschke, Ed., "Hypertext Transfer
Protocol (HTTP/1.1): Message Syntax and Routing",
RFC 7230, DOI 10.17487/RFC7230, June 2014,
<https://www.rfc-editor.org/info/rfc7230>.
[RFC7231] Fielding, R., Ed. and J. Reschke, Ed., "Hypertext Transfer
Protocol (HTTP/1.1): Semantics and Content", RFC 7231,
DOI 10.17487/RFC7231, June 2014,
<https://www.rfc-editor.org/info/rfc7231>.
[RFC7234] Fielding, R., Ed., Nottingham, M., Ed., and J. Reschke,
Ed., "Hypertext Transfer Protocol (HTTP/1.1): Caching",
RFC 7234, DOI 10.17487/RFC7234, June 2014,
<https://www.rfc-editor.org/info/rfc7234>.
[RFC7542] DeKok, A., "The Network Access Identifier", RFC 7542,
DOI 10.17487/RFC7542, May 2015,
<https://www.rfc-editor.org/info/rfc7542>.
Appendix A. HTTP User Environment Variable
The following variable SHOULD be passed up to applications on a HTTP
server:
Van Rein Expires July 27, 2020 [Page 4]
Internet-Draft HTTP user@ January 2020
HTTP_USER gives the HTTP User header value after parsing and
percent-decoding. Like the customary variables HTTP_HOST and
PATH_INFO, this specifies the resource being requested. The
HTTP_USER header does not describe the identity of the HTTP
client.
Author's Address
Rick van Rein
InternetWide.org
Haarlebrink 5
Enschede, Overijssel 7544 WP
The Netherlands
Email: rick@openfortress.nl
Van Rein Expires July 27, 2020 [Page 5]