HTTP Authentication Extensions for Interactive Clients
RFC 8053
Document type: RFC - Experimental (January 2017; no errata)
Last updated: 2017-01-25
Stream: IETF
WG state: Submitted to IESG for Publication
Document shepherd: Yoav Nir
Shepherd write-up: last changed 2016-07-16
IESG state: RFC 8053 (Experimental)
Consensus boilerplate: Yes
Responsible AD: Kathleen Moriarty
Send notices to: "Yoav Nir" <ynir.ietf@gmail.com>
IANA review state: Version Changed - Review Needed
IANA action state: RFC-Ed-Ack
Internet Engineering Task Force (IETF)                          Y. Oiwa
Request for Comments: 8053                                  H. Watanabe
Category: Experimental                                        H. Takagi
ISSN: 2070-1721                                              ITRI, AIST
                                                               K. Maeda
                                                             T. Hayashi
                                                                Lepidum
                                                                Y. Ioku
                                                 Individual Contributor
                                                           January 2017
HTTP Authentication Extensions for Interactive Clients
Abstract
This document specifies extensions for the HTTP authentication
framework for interactive clients. Currently, fundamental features
of HTTP-level authentication are insufficient for complex
requirements of various Web-based applications. This forces these
applications to implement their own authentication frameworks by
means such as HTML forms, which becomes one of the hurdles against
introducing secure authentication mechanisms handled jointly by
servers and user agents. The extended framework fills gaps between
Web application requirements and HTTP authentication provisions to
solve the above problems, while maintaining compatibility with
existing Web and non-Web uses of HTTP authentication.
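The first decision an interactive client makes under this framework is whether a response demands authentication (a 401 carrying WWW-Authenticate, as RFC 7235 requires) or merely offers it (the Optional-WWW-Authenticate header of Section 3, sent with a non-401 response so that a login UI can be shown without blocking the page). The following is an added example, not code from the RFC or from any implementation of it. It assumes that Optional-WWW-Authenticate reuses the RFC 7235 challenge grammar (auth-scheme followed by either a token68 or a comma-separated auth-param list, several challenges per field) and, as a conservative choice of this example rather than a rule of the RFC, ignores WWW-Authenticate on non-401 responses (Section 3.1 covers that case). The sample responses are constructed.

```python
"""Classify an HTTP response the way an RFC 8053 interactive client would.

Added example (not from the RFC).  Assumptions: the Optional-WWW-Authenticate
field carries the same challenge syntax as WWW-Authenticate, header values
for repeated field names have already been joined with ", ", and
WWW-Authenticate on a non-401 response is ignored (example's own choice).
"""
import re

# RFC 7230 token, RFC 7235 auth-param, token68 (see assumptions above)
TOKEN = r"[!#$%&'*+\-.^_`|~0-9A-Za-z]+"
_QUOTED = r'"(?:[^"\\]|\\.)*"'
# auth-param = token "=" ( token / quoted-string ), ended by "," or end
_AUTH_PARAM = re.compile(rf"\s*({TOKEN})\s*=\s*({TOKEN}|{_QUOTED})\s*(,|$)")
# token68 = 1*( ALPHA / DIGIT / "-" / "." / "_" / "~" / "+" / "/" ) *"="
_TOKEN68 = re.compile(r"\s*([A-Za-z0-9\-._~+/]+=*)\s*(,|$)")
# an auth-scheme is a token followed by whitespace, a comma, or the end
_SCHEME = re.compile(rf"\s*({TOKEN})(?=[\s,]|$)")
_SEP = re.compile(r"[\s,]*")  # list separators and empty elements


def _unquote(value):
    """Strip quoted-string delimiters and unescape quoted-pairs."""
    if value.startswith('"'):
        return re.sub(r"\\(.)", r"\1", value[1:-1])
    return value


def parse_challenges(field_value):
    """Parse a WWW-Authenticate-style field value.

    Returns a list of (scheme, token68_or_None, {param: value}) tuples.
    Scheme and parameter names are case-insensitive, so they are lowered;
    parameter values keep their case (a realm is compared verbatim).
    """
    challenges = []
    pos = 0
    while True:
        pos = _SEP.match(field_value, pos).end()
        if pos >= len(field_value):
            return challenges
        m = _SCHEME.match(field_value, pos)
        if not m:
            raise ValueError(f"expected auth-scheme at {field_value[pos:]!r}")
        scheme, params, token68 = m.group(1).lower(), {}, None
        pos = m.end()
        # Consume auth-params; a bare token after a comma is the next scheme
        # (it has no "="), so the param regex fails and the loop ends there.
        while True:
            pm = _AUTH_PARAM.match(field_value, pos)
            if not pm:
                break
            params[pm.group(1).lower()] = _unquote(pm.group(2))
            pos = pm.end()
            if pm.group(3) != ",":
                break
        if not params:
            tm = _TOKEN68.match(field_value, pos)
            if tm:
                token68, pos = tm.group(1), tm.end()
        challenges.append((scheme, token68, params))


def classify_response(status, headers):
    """Return (mode, challenges) with mode in {"required", "optional", "none"}.

    "required": 401 + WWW-Authenticate, the client must obtain credentials
                before it can show the resource (classic RFC 7235 flow).
    "optional": non-401 + Optional-WWW-Authenticate, the client may show a
                non-blocking login UI alongside the already-usable content.
    "none":     nothing for the client to do.
    """
    lower = {k.lower(): v for k, v in headers.items()}
    if status == 401:
        return "required", parse_challenges(lower.get("www-authenticate", ""))
    if "optional-www-authenticate" in lower:
        return "optional", parse_challenges(lower["optional-www-authenticate"])
    return "none", []


# Constructed sample responses, not captured traffic.
SAMPLE_RESPONSES = [
    (401, {"WWW-Authenticate": 'Basic realm="portal", charset="UTF-8"'}),
    (200, {"Content-Type": "text/html",
           "Optional-WWW-Authenticate": 'Basic realm="portal", Bearer'}),
    (200, {"Content-Type": "text/html", "WWW-Authenticate": "Basic realm=x"}),
]

if __name__ == "__main__":
    for status, hdrs in SAMPLE_RESPONSES:
        mode, chal = classify_response(status, hdrs)
        print(status, mode, chal)
```

The parser keeps each challenge's realm, which matters for this framework: the parameters described in Section 4 are scoped to a particular challenge, so a client must match them by scheme and realm rather than treating all challenges in a response as one login prompt.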
Status of This Memo
This document is not an Internet Standards Track specification; it is
published for examination, experimental implementation, and
evaluation.
This document defines an Experimental Protocol for the Internet
community. This document is a product of the Internet Engineering
Task Force (IETF). It represents the consensus of the IETF
community. It has received public review and has been approved for
publication by the Internet Engineering Steering Group (IESG). Not
all documents approved by the IESG are a candidate for any level of
Internet Standard; see Section 2 of RFC 7841.
Information about the current status of this document, any errata,
and how to provide feedback on it may be obtained at
http://www.rfc-editor.org/info/rfc8053.
Oiwa, et al. Experimental [Page 1]
RFC 8053 HTTP Auth. Ext. for Interactive Clients January 2017
Copyright Notice
Copyright (c) 2017 IETF Trust and the persons identified as the
document authors. All rights reserved.
This document is subject to BCP 78 and the IETF Trust's Legal
Provisions Relating to IETF Documents
(http://trustee.ietf.org/license-info) in effect on the date of
publication of this document. Please review these documents
carefully, as they describe your rights and restrictions with respect
to this document. Code Components extracted from this document must
include Simplified BSD License text as described in Section 4.e of
the Trust Legal Provisions and are provided without warranty as
described in the Simplified BSD License.
Table of Contents
1. Introduction . . . . . . . . . . . . . . . . . . . . . . . . 4
1.1. Terminology . . . . . . . . . . . . . . . . . . . . . . . 4
2. Definitions . . . . . . . . . . . . . . . . . . . . . . . . . 5
2.1. Terms for Describing Authentication Protocol Flow . . . . 5
2.2. Syntax Notation . . . . . . . . . . . . . . . . . . . . . 8
3. Optional Authentication . . . . . . . . . . . . . . . . . . . 8
3.1. Note on Optional-WWW-Authenticate and Use of
WWW-Authenticate Header with Non-401 Status . . . . . . . 10
4. Authentication-Control Header . . . . . . . . . . . . . . . . 11
4.1. Non-ASCII Extended Header Parameters . . . . . . . . . . 13
4.2. Auth-Style Parameter . . . . . . . . . . . . . . . . . . 13
4.3. Location-When-Unauthenticated Parameter . . . . . . . . . 14
4.4. No-Auth Parameter . . . . . . . . . . . . . . . . . . . . 15
4.5. Location-When-Logout Parameter . . . . . . . . . . . . . 16
4.6. Logout-Timeout Parameter . . . . . . . . . . . . . . . . 17
4.7. Username Parameter . . . . . . . . . . . . . . . . . . . 17
5. Usage Examples . . . . . . . . . . . . . . . . . . . . . . . 18
5.1. Example 1: A Portal Site . . . . . . . . . . . . . . . . 19
5.1.1. Case 1: A Simple Application . . . . . . . . . . . . 19
5.1.2. Case 2: Specific Action Required on Logout . . . . . 20
5.1.3. Case 3: Specific Page Displayed before Login . . . . 20
5.2. Example 2: Authenticated User-Only Sites . . . . . . . . 20
5.3. When to Use Cookies . . . . . . . . . . . . . . . . . . . 21