HTTP Authentication Extensions for Interactive Clients
RFC 8053

Document Type RFC - Experimental (January 2017; No errata)
Last updated 2017-01-25
Stream IETF
WG state Submitted to IESG for Publication
Document shepherd Yoav Nir
Shepherd write-up last changed 2016-07-16
IESG state RFC 8053 (Experimental)
Consensus Boilerplate Yes
Responsible AD Kathleen Moriarty
Send notices to "Yoav Nir" <ynir.ietf@gmail.com>
IANA review state Version Changed - Review Needed
IANA action state RFC-Ed-Ack
Internet Engineering Task Force (IETF)                           Y. Oiwa
Request for Comments: 8053                                   H. Watanabe
Category: Experimental                                         H. Takagi
ISSN: 2070-1721                                               ITRI, AIST
                                                                K. Maeda
                                                              T. Hayashi
                                                                 Lepidum
                                                                 Y. Ioku
                                                  Individual Contributor
                                                            January 2017

         HTTP Authentication Extensions for Interactive Clients

Abstract

   This document specifies extensions for the HTTP authentication
   framework for interactive clients.  Currently, fundamental features
   of HTTP-level authentication are insufficient for complex
   requirements of various Web-based applications.  This forces these
   applications to implement their own authentication frameworks by
   means such as HTML forms, which has become one of the hurdles to
   introducing secure authentication mechanisms handled jointly by
   servers and user agents.  The extended framework fills gaps between
   Web application requirements and HTTP authentication provisions to
   solve the above problems, while maintaining compatibility with
   existing Web and non-Web uses of HTTP authentication.

Status of This Memo

   This document is not an Internet Standards Track specification; it is
   published for examination, experimental implementation, and
   evaluation.

   This document defines an Experimental Protocol for the Internet
   community.  This document is a product of the Internet Engineering
   Task Force (IETF).  It represents the consensus of the IETF
   community.  It has received public review and has been approved for
   publication by the Internet Engineering Steering Group (IESG).  Not
   all documents approved by the IESG are a candidate for any level of
   Internet Standard; see Section 2 of RFC 7841.

   Information about the current status of this document, any errata,
   and how to provide feedback on it may be obtained at
   http://www.rfc-editor.org/info/rfc8053.

Oiwa, et al.                  Experimental                      [Page 1]
RFC 8053         HTTP Auth. Ext. for Interactive Clients    January 2017

Copyright Notice

   Copyright (c) 2017 IETF Trust and the persons identified as the
   document authors.  All rights reserved.

   This document is subject to BCP 78 and the IETF Trust's Legal
   Provisions Relating to IETF Documents
   (http://trustee.ietf.org/license-info) in effect on the date of
   publication of this document.  Please review these documents
   carefully, as they describe your rights and restrictions with respect
   to this document.  Code Components extracted from this document must
   include Simplified BSD License text as described in Section 4.e of
   the Trust Legal Provisions and are provided without warranty as
   described in the Simplified BSD License.


Table of Contents

   1.  Introduction  . . . . . . . . . . . . . . . . . . . . . . . .   4
     1.1.  Terminology . . . . . . . . . . . . . . . . . . . . . . .   4
   2.  Definitions . . . . . . . . . . . . . . . . . . . . . . . . .   5
     2.1.  Terms for Describing Authentication Protocol Flow . . . .   5
     2.2.  Syntax Notation . . . . . . . . . . . . . . . . . . . . .   8
   3.  Optional Authentication . . . . . . . . . . . . . . . . . . .   8
     3.1.  Note on Optional-WWW-Authenticate and Use of
           WWW-Authenticate Header with Non-401 Status . . . . . . .  10
   4.  Authentication-Control Header . . . . . . . . . . . . . . . .  11
     4.1.  Non-ASCII Extended Header Parameters  . . . . . . . . . .  13
     4.2.  Auth-Style Parameter  . . . . . . . . . . . . . . . . . .  13
     4.3.  Location-When-Unauthenticated Parameter . . . . . . . . .  14
     4.4.  No-Auth Parameter . . . . . . . . . . . . . . . . . . . .  15
     4.5.  Location-When-Logout Parameter  . . . . . . . . . . . . .  16
     4.6.  Logout-Timeout Parameter  . . . . . . . . . . . . . . . .  17
     4.7.  Username Parameter  . . . . . . . . . . . . . . . . . . .  17
   5.  Usage Examples  . . . . . . . . . . . . . . . . . . . . . . .  18
     5.1.  Example 1: A Portal Site  . . . . . . . . . . . . . . . .  19
       5.1.1.  Case 1: A Simple Application  . . . . . . . . . . . .  19
       5.1.2.  Case 2: Specific Action Required on Logout  . . . . .  20