draft-ietf-httpauth-extension-09.txt   rfc8053.txt 
HTTPAUTH Working Group Y. Oiwa Internet Engineering Task Force (IETF) Y. Oiwa
Internet-Draft H. Watanabe Request for Comments: 8053 H. Watanabe
Intended status: Experimental H. Takagi Category: Experimental H. Takagi
Expires: March 21, 2017 ITRI, AIST ISSN: 2070-1721 ITRI, AIST
K. Maeda K. Maeda
T. Hayashi T. Hayashi
Lepidum Lepidum
Y. Ioku Y. Ioku
Individual Individual Contributor
September 17, 2016 January 2017
HTTP Authentication Extensions for Interactive Clients HTTP Authentication Extensions for Interactive Clients
draft-ietf-httpauth-extension-09
Abstract Abstract
This document specifies extensions for the HTTP authentication This document specifies extensions for the HTTP authentication
framework for interactive clients. Currently, fundamental features framework for interactive clients. Currently, fundamental features
of HTTP-level authentication are insufficient for complex of HTTP-level authentication are insufficient for complex
requirements of various Web-based applications. This forces these requirements of various Web-based applications. This forces these
applications to implement their own authentication frameworks by applications to implement their own authentication frameworks by
means like HTML forms, which becomes one of the hurdles against means such as HTML forms, which becomes one of the hurdles against
introducing secure authentication mechanisms handled jointly by introducing secure authentication mechanisms handled jointly by
servers and user-agent. The extended framework fills gaps between servers and user agents. The extended framework fills gaps between
Web application requirements and HTTP authentication provisions to Web application requirements and HTTP authentication provisions to
solve the above problems, while maintaining compatibility with solve the above problems, while maintaining compatibility with
existing Web and non-Web uses of HTTP authentication. existing Web and non-Web uses of HTTP authentication.
Status of this Memo Status of This Memo
This Internet-Draft is submitted in full conformance with the
provisions of BCP 78 and BCP 79.
Internet-Drafts are working documents of the Internet Engineering This document is not an Internet Standards Track specification; it is
Task Force (IETF). Note that other groups may also distribute published for examination, experimental implementation, and
working documents as Internet-Drafts. The list of current Internet- evaluation.
Drafts is at http://datatracker.ietf.org/drafts/current/.
Internet-Drafts are draft documents valid for a maximum of six months This document defines an Experimental Protocol for the Internet
and may be updated, replaced, or obsoleted by other documents at any community. This document is a product of the Internet Engineering
time. It is inappropriate to use Internet-Drafts as reference Task Force (IETF). It represents the consensus of the IETF
material or to cite them other than as "work in progress." community. It has received public review and has been approved for
publication by the Internet Engineering Steering Group (IESG). Not
all documents approved by the IESG are a candidate for any level of
Internet Standard; see Section 2 of RFC 7841.
This Internet-Draft will expire on March 21, 2017. Information about the current status of this document, any errata,
and how to provide feedback on it may be obtained at
http://www.rfc-editor.org/info/rfc8053.
Copyright Notice Copyright Notice
Copyright (c) 2016 IETF Trust and the persons identified as the
Copyright (c) 2017 IETF Trust and the persons identified as the
document authors. All rights reserved. document authors. All rights reserved.
This document is subject to BCP 78 and the IETF Trust's Legal This document is subject to BCP 78 and the IETF Trust's Legal
Provisions Relating to IETF Documents Provisions Relating to IETF Documents
(http://trustee.ietf.org/license-info) in effect on the date of (http://trustee.ietf.org/license-info) in effect on the date of
publication of this document. Please review these documents publication of this document. Please review these documents
carefully, as they describe your rights and restrictions with respect carefully, as they describe your rights and restrictions with respect
to this document. Code Components extracted from this document must to this document. Code Components extracted from this document must
include Simplified BSD License text as described in Section 4.e of include Simplified BSD License text as described in Section 4.e of
the Trust Legal Provisions and are provided without warranty as the Trust Legal Provisions and are provided without warranty as
described in the Simplified BSD License. described in the Simplified BSD License.
Table of Contents Table of Contents
1. Introduction . . . . . . . . . . . . . . . . . . . . . . . . . 4 1. Introduction . . . . . . . . . . . . . . . . . . . . . . . . 4
1.1. Terminology . . . . . . . . . . . . . . . . . . . . . . . 4 1.1. Terminology . . . . . . . . . . . . . . . . . . . . . . . 4
2. Definitions . . . . . . . . . . . . . . . . . . . . . . . . . 4 2. Definitions . . . . . . . . . . . . . . . . . . . . . . . . . 5
2.1. Terms for describing authentication protocol flow . . . . 4 2.1. Terms for Describing Authentication Protocol Flow . . . . 5
2.2. Syntax Notation . . . . . . . . . . . . . . . . . . . . . 7 2.2. Syntax Notation . . . . . . . . . . . . . . . . . . . . . 8
3. Optional Authentication . . . . . . . . . . . . . . . . . . . 8 3. Optional Authentication . . . . . . . . . . . . . . . . . . . 8
3.1. Note on Optional-WWW-Authenticate and use of 3.1. Note on Optional-WWW-Authenticate and Use of
WWW-Authenticate header with non-401 status . . . . . . . 10 WWW-Authenticate Header with Non-401 Status . . . . . . . 10
4. Authentication-Control header . . . . . . . . . . . . . . . . 11 4. Authentication-Control Header . . . . . . . . . . . . . . . . 11
4.1. Non-ASCII extended header parameters . . . . . . . . . . . 12 4.1. Non-ASCII Extended Header Parameters . . . . . . . . . . 13
4.2. Auth-style parameter . . . . . . . . . . . . . . . . . . . 13 4.2. Auth-Style Parameter . . . . . . . . . . . . . . . . . . 13
4.3. Location-when-unauthenticated parameter . . . . . . . . . 14 4.3. Location-When-Unauthenticated Parameter . . . . . . . . . 14
4.4. No-auth parameter . . . . . . . . . . . . . . . . . . . . 15 4.4. No-Auth Parameter . . . . . . . . . . . . . . . . . . . . 15
4.5. Location-when-logout parameter . . . . . . . . . . . . . . 15 4.5. Location-When-Logout Parameter . . . . . . . . . . . . . 16
4.6. Logout-timeout parameter . . . . . . . . . . . . . . . . . 16 4.6. Logout-Timeout Parameter . . . . . . . . . . . . . . . . 17
4.7. Username parameter . . . . . . . . . . . . . . . . . . . . 17 4.7. Username Parameter . . . . . . . . . . . . . . . . . . . 17
5. Usage examples . . . . . . . . . . . . . . . . . . . . . . . . 18 5. Usage Examples . . . . . . . . . . . . . . . . . . . . . . . 18
5.1. Example 1: a portal site . . . . . . . . . . . . . . . . . 18 5.1. Example 1: A Portal Site . . . . . . . . . . . . . . . . 19
5.1.1. Case 1: a simple application . . . . . . . . . . . . . 19 5.1.1. Case 1: A Simple Application . . . . . . . . . . . . 19
5.1.2. Case 2: specific action required on log-out . . . . . 19 5.1.2. Case 2: Specific Action Required on Logout . . . . . 20
5.1.3. Case 3: specific page displayed before log-in . . . . 19 5.1.3. Case 3: Specific Page Displayed before Login . . . . 20
5.2. Example 2: authenticated user-only sites . . . . . . . . . 20 5.2. Example 2: Authenticated User-Only Sites . . . . . . . . 20
5.3. When to use Cookies . . . . . . . . . . . . . . . . . . . 20 5.3. When to Use Cookies . . . . . . . . . . . . . . . . . . . 21
5.4. Parallel deployment with Form/Cookie authentication . . . 21 5.4. Parallel Deployment with Form/Cookie Authentication . . . 22
6. Methods to extend this protocol . . . . . . . . . . . . . . . 22 6. Methods to Extend This Protocol . . . . . . . . . . . . . . . 23
7. IANA Considerations . . . . . . . . . . . . . . . . . . . . . 22 7. IANA Considerations . . . . . . . . . . . . . . . . . . . . . 23
8. Security Considerations . . . . . . . . . . . . . . . . . . . 23 8. Security Considerations . . . . . . . . . . . . . . . . . . . 24
8.1. Security implication of the username parameter . . . . . . 24 8.1. Security Implication of the Username Parameter . . . . . 24
9. References . . . . . . . . . . . . . . . . . . . . . . . . . . 24 9. References . . . . . . . . . . . . . . . . . . . . . . . . . 25
9.1. Normative References . . . . . . . . . . . . . . . . . . . 24 9.1. Normative References . . . . . . . . . . . . . . . . . . 25
9.2. Informative References . . . . . . . . . . . . . . . . . . 25 9.2. Informative References . . . . . . . . . . . . . . . . . 26
Appendix A. (Informative) Applicability of features for each Appendix A. (Informative) Applicability of Features for Each
messages . . . . . . . . . . . . . . . . . . . . . . 25 Message . . . . . . . . . . . . . . . . . . . . . . 27
Appendix B. (Informative) Draft Change Log . . . . . . . . . . . 26 Authors' Addresses . . . . . . . . . . . . . . . . . . . . . . . 27
B.1. Changes in Httpauth WG Revision 09 . . . . . . . . . . . . 26
B.2. Changes in Httpauth WG Revision 08 . . . . . . . . . . . . 26
B.3. Changes in Httpauth WG Revision 07 . . . . . . . . . . . . 26
B.4. Changes in Httpauth WG Revision 06 . . . . . . . . . . . . 26
B.5. Changes in Httpauth WG Revision 05 . . . . . . . . . . . . 26
B.6. Changes in Httpauth WG revision 04 . . . . . . . . . . . . 27
B.7. Changes in Httpauth WG revision 03 . . . . . . . . . . . . 27
B.8. Changes in Httpauth WG revision 02 . . . . . . . . . . . . 27
B.9. Changes in Httpauth WG revision 01 . . . . . . . . . . . . 27
B.10. Changes in Httpauth revision 00 and HttpBis revision 00 . 27
B.11. Changes in revision 02 . . . . . . . . . . . . . . . . . . 27
B.12. Changes in revision 01 . . . . . . . . . . . . . . . . . . 27
B.13. Changes in revision 00 . . . . . . . . . . . . . . . . . . 27
Authors' Addresses . . . . . . . . . . . . . . . . . . . . . . . . 28
1. Introduction 1. Introduction
This document defines several extensions to the current HTTP This document defines several extensions to the current HTTP
authentication framework, to provide functionality comparable with authentication framework, to provide functionality comparable with
current widely-used form-based Web authentication. A majority of the current, widely used, form-based Web authentication. A majority of
recent websites on the Internet use custom application-layer the recent websites on the Internet use custom application-layer
authentication implementations using Web forms. The reasons for authentication implementations using Web forms. The reasons for
these may vary, but many people believe that the current HTTP Basic these may vary, but many people believe that the current HTTP Basic
and Digest authentication methods do not have enough functionality and Digest authentication methods do not have enough functionality
(including good user interfaces) to support most realistic Web-based (including good user interfaces) to support most realistic Web-based
applications. However, such use of form-based Web authentication has applications. However, such use of form-based Web authentication has
several weakness against attacks like phishing, because all behavior several weaknesses against attacks like phishing, because all
of the authentication is controlled from the server-side application. behavior of the authentication is controlled from the server-side
This makes it really hard to implement any cryptographically strong application. This makes it really hard to implement any
authentication mechanisms into Web systems. To overcome this cryptographically strong authentication mechanisms into Web systems.
problem, we need to "modernize" the HTTP authentication framework so To overcome this problem, we need to "modernize" the HTTP
that better client-controlled secure methods can be used with Web authentication framework so that better client-controlled secure
applications. The extensions proposed in this document include: methods can be used with Web applications. The extensions proposed
in this document include:
o optional authentication on HTTP (Section 3), o optional authentication on HTTP (Section 3),
o log out from both server and client side (Section 4), and o log out from both the server and client side (Section 4), and
o finer control for redirection depending on authentication status o finer control for redirection depending on the authentication
(Section 4). status (Section 4)
1.1. Terminology 1.1. Terminology
The key words "MUST", "MUST NOT", "REQUIRED", "SHALL", "SHALL NOT", The key words "MUST", "MUST NOT", "REQUIRED", "SHALL", "SHALL NOT",
"SHOULD", "SHOULD NOT", "RECOMMENDED", "NOT RECOMMENDED", "MAY", and "SHOULD", "SHOULD NOT", "RECOMMENDED", "NOT RECOMMENDED", "MAY", and
"OPTIONAL" in this document are to be interpreted as described in "OPTIONAL" in this document are to be interpreted as described in
[RFC2119]. [RFC2119].
This document distinguishes the terms "client" and "user" in the This document distinguishes the terms "client" and "user" in the
following way: A "client" is an entity understanding and talking HTTP following way: a "client" is an entity understanding and talking HTTP
and the specified authentication protocol, usually computer software; and the specified authentication protocol, usually computer software;
a "user" is a (usually natural) person who wants to access data a "user" is a (usually natural) person who wants to access data
resources using "a client". resources using "a client".
2. Definitions 2. Definitions
2.1. Terms for describing authentication protocol flow 2.1. Terms for Describing Authentication Protocol Flow
HTTP Authentication defined in [RFC7235] can involve several pairs of HTTP Authentication defined in [RFC7235] can involve several pairs of
HTTP requests/responses. Throughout this document, the following HTTP requests/responses. Throughout this document, the following
terms are used to categorize those messages: for requests, terms are used to categorize those messages.
For requests:
1) A non-authenticating request is a request not attempting any 1) A non-authenticating request is a request not attempting any
authentication: a request without any Authorization header field. authentication: a request without any Authorization header field.
2) An authenticating request is the opposite: a request with an 2) An authenticating request is the opposite: a request with an
Authorization header field. Authorization header field.
For responses, For responses:
1) A non-authenticated response is a response which does not involve 1) A non-authenticated response is a response that does not involve
any HTTP authentication. It does not contain any WWW-Authenticate any HTTP authentication. It does not contain any WWW-Authenticate
([RFC7235]) or Authentication-Info header field ([RFC7615]). ([RFC7235]) or Authentication-Info header field ([RFC7615]).
Servers send this response when the requested resource is not Servers send this response when the requested resource is not
protected by an HTTP authentication mechanism. In context of this protected by an HTTP authentication mechanism. In the context of
specification, non-authentication-related negative responses (e.g. this specification, non-authentication-related negative responses
403 and 404) are also considered non-authenticated responses. (e.g., 403 and 404) are also considered non-authenticated
responses.
(See note on successfully-authenticated responses below for some (See the note on successfully authenticated responses below for
ambiguous cases.) some ambiguous cases.)
2) An authentication-initializing response is a response which 2) An authentication-initializing response is a response that
requires or allows clients to start authentication attempts. requires or allows clients to start authentication attempts.
Servers send this response when the requested resource is Servers send this response when the requested resource is
protected by HTTP authentication mechanism, and the request meets protected by an HTTP authentication mechanism, and the request
one of the following cases: meets one of the following cases:
* The request is a non-authenticating request, or * The request is a non-authenticating request, or
* The request contained an authentication trial directed to a * The request contained an authentication trial directed to a
protection space (realm) other than the one the server protection space (realm) other than the one that the server
expected. expected.
The server will specify the protection space for authentication in The server will specify the protection space for authentication in
this response. this response.
Upon receiving this response, the client's behavior is further Upon receiving this response, the client's behavior is further
divided to two possible cases. divided to two possible cases:
* If the client has no prior knowledge on authentication * If the client has no prior knowledge on authentication
credentials (e.g. a user-name and a password) related to the credentials (e.g., a username and a password) related to the
requested protection space, the protocol flow terminates and requested protection space, the protocol flow terminates and
the client will ask the user to provide authentication the client will ask the user to provide authentication
credentials, credentials.
* On the other hand, if client already has enough authentication * On the other hand, if the client already has enough
credentials to the requested protection space, the client will authentication credentials to the requested protection space,
automatically send an authenticating request. Such cases often the client will automatically send an authenticating request.
occur when the client did not know beforehand that the current Such cases often occur when the client does not know beforehand
request-URL requires authentication. that the current request-URL requires authentication.
3) A successfully-authenticated response is a response for an 3) A successfully authenticated response is a response for an
authenticating request meaning that the authentication attempt was authenticating request meaning that the authentication attempt was
granted. (Note: if the authentication scheme used does not use an granted. (Note: if the authentication scheme used does not use an
Authentication-Info header field, it can't be distinguished from a Authentication-Info header field, it can't be distinguished from a
non-authenticated response.) non-authenticated response.)
4) An intermediate authenticating response is a response for an 4) An intermediate authenticating response is a response for an
authenticating request which requires more reaction by the client authenticating request that requires more reaction by the client
software without involving users. Such a response is required software without involving users. Such a response is required
when an authentication scheme requires two or more round-trip when an authentication scheme requires two or more round-trip
messages to perform authentication, or when an authentication messages to perform authentication, or when an authentication
scheme uses some speculative short-cut method (such as uses of scheme uses some speculative short-cut method (such as uses of
cached shared secrets) and it failed. cached shared secrets) and it fails.
5) A negatively-authenticated response is a response for an 5) A negatively authenticated response is a response for an
authenticating request which means that the authentication attempt authenticating request, which means that the authentication
was declined and can not continue without a different set of attempt was declined and cannot continue without a different set
authentication credentials. Clients typically erase memory of the of authentication credentials. Clients typically erase the memory
active credentials and ask the user for other ones. of the active credentials and ask the user for other ones.
Usually the format of these responses are as same as the one for Usually the format of these responses is the same as the one for
authentication-initializing responses. Clients can distinguish authentication-initializing responses. Clients can distinguish
negatively-authenticated responses from authentication- negatively authenticated responses from authentication-
initializing responses by comparing the protection spaces initializing responses by comparing the protection spaces
contained in the request and in the response. contained in the request and in the response.
Figure 1 shows a state diagram of generic HTTP authentication with Figure 1 shows a state diagram of generic HTTP authentication with
the above message categorization. Note that many authentication the above message categorization. Note that many authentication
schemes use only a subset of the transitions described on the schemes use only a subset of the transitions described in the
diagram. Labels in the figure show the abbreviated names of response diagram. Labels in the figure show the abbreviated names of response
types. types.
=========== ----------------- =========== -----------------
NEW REQUEST ( UNAUTHENTICATED ) NEW REQUEST ( UNAUTHENTICATED )
=========== ----------------- =========== -----------------
| ^ non-auth. | ^ non-auth.
v | response v | response
+----------------------+ NO +-------------+ +----------------------+ NO +-------------+
| The requested URI |--------------------------->| send normal | | The requested URI |--------------------------->| send normal |
skipping to change at page 7, line 41 skipping to change at page 7, line 41
| \ \ intermediate +-----------+ | \ \ intermediate +-----------+
| \ -------------------------------->| send | | \ -------------------------------->| send |
| \ | auth-req | | \ | auth-req |
| non-auth. \successful successful +-----------+ | non-auth. \successful successful +-----------+
| response (*2) \ / | ^ | response (*2) \ / | ^
v \ / | | v \ / | |
----------------- \ -------------- / `----' ----------------- \ -------------- / `----'
( UNAUTHENTICATED ) ----->( AUTH-SUCCEED )<---- intermediate ( UNAUTHENTICATED ) ----->( AUTH-SUCCEED )<---- intermediate
----------------- -------------- ----------------- --------------
Figure 1: Generic state diagram for HTTP authentication Figure 1: Generic State Diagram for HTTP Authentication
Note: (*1) For example, "Digest" scheme requires server-provided Notes:
(*1) For example, the "Digest" scheme requires a server-provided
nonce to construct client-side challenges. nonce to construct client-side challenges.
(*2) In "Basic" and some others, this cannot be distinguished from a (*2) In "Basic" and some others, this cannot be distinguished from a
successfully-authenticated response. successfully authenticated response.
2.2. Syntax Notation 2.2. Syntax Notation
This specification uses an extended ABNF syntax defined in [RFC7230] This specification uses an extended ABNF syntax defined in [RFC7230]
and [RFC5234]. The following syntax definitions are quoted from and [RFC5234]. The following syntax definitions are quoted from
[RFC7230] and [RFC7235]: auth-scheme, quoted-string, auth-param, SP, [RFC7230] and [RFC7235]: auth-scheme, quoted-string, auth-param, SP,
BWS, header-field, and challenge. It also uses the convention of BWS, header-field, and challenge. It also uses the convention of
using header field names for specifying the syntax of values for the using header field names for specifying the syntax of values for the
header field. header field.
Additionally, this specification uses the following syntax Additionally, this specification uses the following syntax
definitions as a refinement for token and the right-hand-side of definitions as a refinement for token and the right-hand-side of
auth-param in [RFC7235]. auth-param in [RFC7235].
bare-token = bare-token-lead-char *bare-token-char bare-token = bare-token-lead-char *bare-token-char
skipping to change at page 8, line 21 skipping to change at page 8, line 25
definitions as a refinement for token and the right-hand-side of definitions as a refinement for token and the right-hand-side of
auth-param in [RFC7235]. auth-param in [RFC7235].
bare-token = bare-token-lead-char *bare-token-char bare-token = bare-token-lead-char *bare-token-char
bare-token-lead-char = %x30-39 / %x41-5A / %x61-7A bare-token-lead-char = %x30-39 / %x41-5A / %x61-7A
bare-token-char = %x30-39 / %x41-5A / %x61-7A / "-" / "_" bare-token-char = %x30-39 / %x41-5A / %x61-7A / "-" / "_"
extension-token = "-" bare-token 1*("." bare-token) extension-token = "-" bare-token 1*("." bare-token)
extensive-token = bare-token / extension-token extensive-token = bare-token / extension-token
integer = "0" / (%x31-39 *%x30-39) ; no leading zeros integer = "0" / (%x31-39 *%x30-39) ; no leading zeros
Figure 2: the BNF syntax for common notations Figure 2: The BNF Syntax for Common Notations
Extensive-tokens are used in this protocol where the set of Extensive-tokens are used in this protocol where the set of
acceptable tokens includes private extensions. Any extensions of acceptable tokens includes private extensions. Any extensions of
this protocol MAY use either bare-tokens allocated by IANA (under the this protocol MAY use either bare-tokens allocated by IANA (under the
procedure described in Section 7), or extension-tokens with the procedure described in Section 7), or extension-tokens with the
format "-<token>.<domain-name>", where <domain-name> is a valid format "-<token>.<domain-name>", where <domain-name> is a valid
(sub-)domain name on the Internet owned by the party who defines the (sub-)domain name on the Internet owned by the party who defines the
extension. extension.
3. Optional Authentication 3. Optional Authentication
skipping to change at page 8, line 45 skipping to change at page 9, line 6
authentication mechanism. authentication mechanism.
In several Web applications, users can access the same contents as In several Web applications, users can access the same contents as
both a guest user and an authenticated user. In most Web both a guest user and an authenticated user. In most Web
applications, this functionality is implemented using HTTP cookies applications, this functionality is implemented using HTTP cookies
[RFC6265] and custom form-based authentication. The new [RFC6265] and custom form-based authentication. The new
authentication method using this message will provide a replacement authentication method using this message will provide a replacement
for these authentication systems. for these authentication systems.
Servers MAY send HTTP non-interim responses containing the Servers MAY send HTTP non-interim responses containing the
Optional-WWW-Authenticate header as a replacement of a 401 response Optional-WWW-Authenticate header as a replacement for a 401 response
when it is authentication-initializing. The when it is authentication-initializing. The
Optional-WWW-Authenticate header MUST NOT be sent on 401 responses Optional-WWW-Authenticate header MUST NOT be sent on 401 responses
(i.e. a usual WWW-Authenticate header MUST be used on 401 responses). (i.e., a usual WWW-Authenticate header MUST be used on 401
responses).
Optional-WWW-Authenticate = 1#challenge Optional-WWW-Authenticate = 1#challenge
Figure 3: BNF syntax for Optional-WWW-Authenticate header
Figure 3: BNF Syntax for Optional-WWW-Authenticate Header
Example: Example:
HTTP/1.1 200 OK HTTP/1.1 200 OK
Optional-WWW-Authenticate: Basic realm="xxxx" Optional-WWW-Authenticate: Basic realm="xxxx"
The challenges contained in the Optional-WWW-Authenticate header are The challenges contained in the Optional-WWW-Authenticate header are
the same as those for a 401 responses corresponding to the same the same as those for a 401 response corresponding to the same
request. For authentication-related matters, an optional request. For authentication-related matters, an optional
authentication request will have the same meaning as a 401 message authentication request will have the same meaning as a 401 message
with a corresponding WWW-Authenticate header (as an authentication- with a corresponding WWW-Authenticate header (as an authentication-
initializing response). (The behavior for other matters MAY be initializing response). (The behavior for other matters MAY be
different between the optional authentication and 401 messages. For different between the optional authentication and 401 messages. For
example, clients MAY choose to cache the 200 messages with example, clients MAY choose to cache the 200 messages with the
Optional-WWW-Authenticate header field but not the 401 messages by Optional-WWW-Authenticate header field but not the 401 messages by
default.) default.)
A response with an Optional-WWW-Authenticate header SHOULD be A response with an Optional-WWW-Authenticate header SHOULD be
returned from the server only when the request is either non- returned from the server only when the request is either non-
authenticated or authenticating to a wrong (not the server's authenticated or authenticating to a wrong (not the server's
expected) protection space. If a response is either an intermediate expected) protection space. If a response is either an intermediate
or a negative response to a client's authentication attempt, the or a negative response to a client's authentication attempt, the
server MUST respond with a 401 status response with a server MUST respond with a 401 status response with a
WWW-Authenticate header instead. Failure to comply with this rule WWW-Authenticate header instead. Failure to comply with this rule
will render clients unable to distinguish authentication successes will render clients unable to distinguish between authentication
and failures. successes and failures.
The server is NOT RECOMMENDED to include an Optional-WWW-Authenticate The server is NOT RECOMMENDED to include an Optional-WWW-Authenticate
header in a positive response when a client's authentication attempt header in a positive response when a client's authentication attempt
succeeds. succeeds.
Whenever an authentication scheme supports servers sending some Whenever an authentication scheme supports servers sending some
parameter which gives a hint of the URL space for the corresponding parameter that gives a hint about the URL space for the corresponding
protection space for the same realm (e.g. "path" or "domain"), protection space for the same realm (e.g., "path" or "domain"),
servers requesting non-mandatory authentication SHOULD send such servers requesting non-mandatory authentication SHOULD send such a
parameter with the response. Clients supporting non-mandatory parameter with the response. Clients supporting non-mandatory
authentication MUST recognize the parameter, and MUST send a request authentication MUST recognize the parameter and MUST send a request
with an appropriate authentication credential in an Authorization with an appropriate authentication credential in an Authorization
header for any URI inside the specified paths. header for any URI inside the specified paths.
Implementations are not required to support this header for all of Implementations are not required to support this header for all of
their supported authentication schemes (i.e., they may choose to their supported authentication schemes (i.e., they may choose to
implement it only for a subset of their supported schemes). New implement it only for a subset of their supported schemes). New
authentication schemes can require support of the optional authentication schemes can require support of the optional
authentication as a prerequisite, though. authentication as a prerequisite, though.
3.1. Note on Optional-WWW-Authenticate and use of WWW-Authenticate 3.1. Note on Optional-WWW-Authenticate and Use of WWW-Authenticate
header with non-401 status Header with Non-401 Status
In the current specification of HTTP/1.1, it is clarified that the In the current specification of HTTP/1.1, it is clarified that the
WWW-Authenticate header can be used with messages with status codes WWW-Authenticate header can be used with messages with status codes
other than 401 (Authentication Required). Especially, the use of other than 401 (Authentication Required). In particular, the use of
WWW-Authenticate header with the 200 status messages implies a very the WWW-Authenticate header with the 200 status messages implies a
similar meaning to the above-defined Optional-WWW-Authenticate very similar meaning to the above-defined Optional-WWW-Authenticate
header. header.
The design of Optional-WWW-Authenticate header expects that the use The design of Optional-WWW-Authenticate header expects that the use
of a new header guarantees that clients which are unaware of this of a new header guarantees that clients that are unaware of this
extension will ignore the header, and that Web developers can rely on extension will ignore the header, and that Web developers can rely on
that behavior to implement a secondary fallback method of that behavior to implement a secondary fallback method of
authentication. Several behavioral requirements written in the above authentication. Several behavioral requirements written in the above
section also assumes this property, and defines a necessary section also assume this property and define a necessary
functionality to implement an HTTP optional authentication reliably functionality to implement an optional authentication reliably and
and consistently. consistently.
On the other hand, some experiments and discussions on the IETF On the other hand, some experiments and discussions on the IETF
mailing list revealed that most of (but not necessarily all of) the mailing list revealed that most of (but not necessarily all of) the
existing HTTP clients, at the time of writing, just ignore the WWW- existing HTTP clients, at the time of writing, just ignore the WWW-
Authenticate headers in non-401 messages, giving the similar behavior Authenticate headers in non-401 messages, giving similar behavior
with the Optional-WWW-Authenticate. However, every corner case of with the Optional-WWW-Authenticate. However, every corner case of
behavior was not fully tested, nor well-defined in the existing behavior was not fully tested or well-defined in the existing
specifications. specifications.
Considering these situations, the authors of this document chose to Considering these situations, the authors of this document chose to
use a new header for a new feature "experiment". This is to avoid use a new header for a new feature "experiment". This is to avoid
defining every corner-case behavior for the existing standard WWW- defining every corner-case behavior for the existing standard WWW-
Authentication header in this experimental document, which could be Authentication header in this experimental document, which could be
considered by some implementers as an "incompatible changes to considered by some implementers as an incompatible changes to
existing specification". existing specification.
Experimentally, the authors propose implementers of the standard Experimentally, the authors propose that implementers of the standard
HTTP/1.1 specification (especially implementers of this extension) to HTTP/1.1 specification (especially implementers of this extension)
implement undefined (implementation-dependant) detailed handling of implement undefined (implementation-dependent) detailed handling of
WWW-Authenticate header with non-401 status messages as similar as the WWW-Authenticate header with non-401 status messages similar as
those defined above for the Optional-WWW-Authenticate header. For those defined above for the Optional-WWW-Authenticate header. For
example, we propose for servers to return 401 status for failed example, we propose that servers return the 401 status for failed
authentication attempts, even when the unauthenticated request to the authentication attempts, even when the unauthenticated request to the
same resource will result in the 200 status. This can realize how same resource will result in the 200 status. This can determine how
(whether) we can implement non-mandatory authentication using the (whether) non-mandatory authentication using the standard header
standard header fields and status codes. If this experiment is fields and status codes can be implemented. If this experiment is
successful, the future revision of this experimental document may successful, a future revision of this experimental document may
"bless" and recommend the use of standard WWW-Authenticate header, "bless" and recommend the use of a standard WWW-Authenticate header,
with some "standard-level" requirements on some corner case behavior. with some stricter requirements on some corner-case behavior.
4. Authentication-Control header 4. Authentication-Control Header
Authentication-Control = 1#auth-control-entry Authentication-Control = 1#auth-control-entry
auth-control-entry = auth-scheme 1*SP 1#auth-control-param auth-control-entry = auth-scheme 1*SP 1#auth-control-param
auth-control-param = extensive-token BWS "=" BWS token auth-control-param = extensive-token BWS "=" BWS token
/ extensive-token "*" BWS "=" BWS ext-value / extensive-token "*" BWS "=" BWS ext-value
ext-value = <see RFC 5987, Section 3.2> ext-value = <see RFC 5987, Section 3.2>
Figure 4: the BNF syntax for the Authentication-Control header Figure 4: The BNF Syntax for the Authentication-Control Header
The Authentication-Control header provides a more precise control of The Authentication-Control header provides more precise control of
the client behavior for Web applications using an HTTP authentication the client behavior for Web applications using an HTTP authentication
protocol. This header is supposed to be generated in the application protocol. This header is supposed to be generated in the application
layer, as opposed to WWW-Authenticate headers which will usually be layer, as opposed to the WWW-Authenticate headers, which will usually
generated by the Web servers. be generated by the Web servers.
Clients MAY freely choose any subset of these parameters to be Clients MAY freely choose any subset of these parameters to be
supported. Also, these are not required to support any of these supported. Also, these may choose to support any of the parameters
parameters for all of their supported authentication schemes. for only a subset of their supported authentication schemes.
However, authentication schemes can require/recommend support for However, authentication schemes can require/recommend support for
some of these parameters as a prerequisite. some of these parameters as a prerequisite.
The Authentication-Control header contains one or more The Authentication-Control header contains one or more
"authentication control entries" each of which corresponds to a "authentication control entries", each of which corresponds to a
single realm for a specific authentication scheme. If the single realm for a specific authentication scheme. If the
auth-scheme specified for an entry supports the HTTP "realm" feature, auth-scheme specified for an entry supports the HTTP "realm" feature,
that entry MUST contain the "realm" parameter. If not, the entry that entry MUST contain the "realm" parameter. If not, the entry
MUST NOT contain the "realm" parameter. MUST NOT contain the "realm" parameter.
Among the multiple entries in the header, the relevant entries in the Among the multiple entries in the header, the relevant entries in the
header are those corresponding to an auth-scheme and a realm (if header are those corresponding to an auth-scheme and a realm (if any)
any), for which "the authentication process is being performed, or for which "the authentication process is being performed or going to
going to be performed". In more detail, be performed". In more detail:
(1) If the response is either an authentication-initializing (1) If the response is either an authentication-initializing
response or a negatively-authenticated response, there can be response or a negatively authenticated response, there can be
multiple challenges in the WWW-Authenticate header (or the multiple challenges in the WWW-Authenticate header (or the
Optional-WWW-Authenticate header defined in this extension), Optional-WWW-Authenticate header defined in this extension),
each of which corresponds to a different scheme and realm. In each of which corresponds to a different scheme and realm. In
this case, the client has a choice on the scheme and realm they this case, the client has a choice about the scheme and realm
will use to authenticate. Only the entry in the they will use to authenticate. Only the entry in the
Authentication-Control header corresponding to that scheme and Authentication-Control header corresponding to that scheme and
realm are relevant. realm are relevant.
(2) If the response is either an intermediate authenticating (2) If the response is either an intermediate authenticating
response or a successfully-authenticated response, the scheme response or a successfully authenticated response, the scheme
and realm given in the Authorization header of the HTTP request and realm given in the Authorization header of the HTTP request
will determine the currently-ongoing authentication process. will determine the currently ongoing authentication process.
Only the entry corresponding to that scheme and realm are Only the entry corresponding to that scheme and realm are
relevant. relevant.
The server MAY send an Authentication-Control header containing non- The server MAY send an Authentication-Control header containing non-
relevant entries. The client MUST ignore all non-relevant entries it relevant entries. The client MUST ignore all non-relevant entries it
received. received.
Each entry contains one or more parameters, each of which is a name- Every entry contains one or more parameters, each of which is a name-
value pair. The name of each parameter MUST be an extensive-token. value pair. The name of each parameter MUST be an extensive-token.
Clients MUST ignore any unknown parameters contained in this header. Clients MUST ignore any unknown parameters contained in this header.
The entries for the same auth-scheme and the realm MUST NOT contain The entries for the same auth-scheme and the realm MUST NOT contain
duplicated parameters for the same name. Clients MAY either take any duplicated parameters for the same name. Clients MAY either take any
one of those duplicated entries or ignore all of them. one of those duplicated entries or ignore all of them.
The type of parameter value depends on the parameter name as defined The type of parameter value depends on the parameter name as defined
in the following subsections. Regardless of the type, however, the in the following subsections. Regardless of the type, however, the
recipients MUST accept both quoted and unquoted representations of recipients MUST accept both quoted and unquoted representations of
values as defined in HTTP. If the parameter is defined to have a values as defined in HTTP. If the parameter is defined to have a
string value, implementations MUST send any value outside of the string value, implementations MUST send any value outside of the
"token" ABNF syntax in either a quoted form or an an ext-value form "token" ABNF syntax in either a quoted form or an ext-value form (see
(see Section 4.1). If the parameter is defined as a token (or Section 4.1). If the parameter is defined as a token (or similar) or
similar) or an integer, the value SHOULD follow the corresponding an integer, the value SHOULD follow the corresponding ABNF syntax
ABNF syntax after possible unquoting of the quoted-string value (as after possible unquoting of the quoted-string value (as defined in
defined in HTTP), and MUST be sent in a plain (not an ext-value) HTTP) and MUST be sent in a plain (not an ext-value) form. (Note:
form. (Note: the rest of this document will show all string-value the rest of this document will show all string-value parameters in
parameters in quoted forms, and others in unquoted forms.) quoted forms, and it will show others in unquoted forms.)
Any parameters contained in this header MAY be ignored by clients. Any parameters contained in this header MAY be ignored by clients.
Also, even when a client accepts this header, users are able to Also, even when a client accepts this header, users are able to
circumvent the semantics of this header. Therefore, if this header circumvent the semantics of this header. Therefore, if this header
is used for security purposes, its use MUST be limited to providing is used for security purposes, its use MUST be limited to providing
some non-fundamental additional security measures valuable for end- some non-fundamental additional security measures valuable for end-
users (such as client-side log-out for protecting against console users (such as client-side logout for protection against console
takeover). Server-side applications MUST NOT rely on the use of this takeover). Server-side applications MUST NOT rely on the use of this
header for protecting server-side resources. header for protecting server-side resources.
Note: The header syntax allows servers to specify Authentication- Note: The header syntax allows servers to specify Authentication-
Control for multiple authentication schemes, either as multiple Control for multiple authentication schemes, either as multiple
occurrences of this header or as a combined single header (see occurrences of this header or as a combined single header (see
Section 3.2.2 of [RFC7230] for rationale). The same care as for Section 3.2.2 of [RFC7230] for rationale). The same care as for
parsing multiple authentication challenges needs to be taken. parsing multiple authentication challenges needs to be taken.
4.1. Non-ASCII extended header parameters 4.1. Non-ASCII Extended Header Parameters
Parameters contained in the Authentication-Control header MAY be Parameters contained in the Authentication-Control header MAY be
extended to non-ASCII values using the framework described in extended to non-ASCII values using the framework described in
[RFC5987]. All servers and clients MUST be capable of receiving and [RFC5987]. All servers and clients MUST be capable of receiving and
sending values encoded in [RFC5987] syntax. sending values encoded in [RFC5987] syntax.
If a value to be sent contains only ASCII characters, the field MUST If a value to be sent contains only ASCII characters, the field MUST
be sent using plain RFC 7235 syntax. The syntax as extended by ext- be sent using plain RFC 7235 syntax. The syntax as extended by
value MUST NOT be used in this case. ext-value MUST NOT be used in this case.
If a value (except the "realm" header) contains one or more non-ASCII If a value (except the "realm" header) contains one or more non-ASCII
characters, the parameter SHOULD be sent using the ext-value syntax characters, the parameter SHOULD be sent using the ext-value syntax
defined in Section 3.2 of [RFC5987]. Such a parameter MUST have a defined in Section 3.2 of [RFC5987]. Such a parameter MUST have a
charset value of "UTF-8", and the language value MUST always be charset value of "UTF-8", and the language value MUST always be
omitted (have an empty value). The same parameter MUST NOT be sent omitted (have an empty value). The same parameter MUST NOT be sent
more than once, regardless of the used syntax. more than once, regardless of the syntax used.
For example, a parameter "username" with value "Renee of France" For example, a parameter "username" with the value "Renee of France"
SHOULD be sent as < username="Renee of France" >. If the value is SHOULD be sent as < username="Renee of France" >. If the value is
"Ren<e acute>e of France", it SHOULD be sent as "Ren<e acute>e of France", it SHOULD be sent as
< username*=UTF-8''Ren%C3%89e%20of%20France > instead. < username*=UTF-8''Ren%C3%89e%20of%20France > instead.
Interoperability note: [RFC7235], Section 2.2, defines the "realm" Interoperability note: [RFC7235], Section 2.2, defines the "realm"
authentication parameter which cannot be replaced by the "realm*" authentication parameter that cannot be replaced by the "realm*"
extend parameter. It means that the use of non-ASCII values for an extend parameter. This means that the use of non-ASCII values for an
authentication realm is not the defined behavior in HTTP. authentication realm is not the defined behavior in HTTP.
Unfortunately, some people currently use a non-ASCII realm parameter Unfortunately, some people currently use a non-ASCII realm parameter
in reality, but even its encoding scheme is not well-defined. in reality, but even its encoding scheme is not well defined.
Given this background, this document does not specify how to handle a Given this background, this document does not specify how to handle a
non-ASCII "realm" parameter in the extended header fields. If non-ASCII "realm" parameter in the extended header fields. If
needed, the authors propose to use a non-extended "realm" parameter needed, the authors propose using a non-extended "realm" parameter
form, with a wish for maximum interoperability. form, with a wish for maximum interoperability.
4.2. Auth-style parameter 4.2. Auth-Style Parameter
Example: Example:
Authentication-Control: Digest realm="protected space", Authentication-Control: Digest realm="protected space",
auth-style=modal auth-style=modal
The parameter "auth-style" specifies the server's preference for user The parameter "auth-style" specifies the server's preference for user
interface behavior for user authentication. This parameter can be interface behavior for user authentication. This parameter can be
included in any kind of response, however, it is only meaningful for included in any kind of response; however, it is only meaningful for
either authentication-initializing or negatively-authenticated either authentication-initializing or negatively authenticated
responses. The value of this parameter MUST be one of the bare- responses. The value of this parameter MUST be one of the bare-
tokens "modal" or "non-modal". When the Optional-WWW-Authenticate tokens, "modal" or "non-modal". When the Optional-WWW-Authenticate
header is used, the value of this parameter MUST be disregarded and header is used, the value of this parameter MUST be disregarded and
the value "non-modal" is implied. the value "non-modal" is implied.
The value "modal" means that the server thinks the content of the The value "modal" means that the server thinks the content of the
response (body and other content-related headers) is valuable only response (body and other content-related headers) is valuable only
for users refusing the authentication request. The clients are for users refusing the authentication request. The clients are
expected to ask the user for a password before processing the expected to ask the user for a password before processing the
content. This behavior is common for most of the current content. This behavior is common for most of the current
implementations of Basic and Digest authentication schemes. implementations of Basic and Digest authentication schemes.
The value "non-modal" means that the server thinks the content of the The value "non-modal" means that the server thinks that the content
response (body and other content-related headers) is valuable for of the response (body and other content-related headers) is valuable
users before processing an authentication request. The clients are for users before processing an authentication request. The clients
expected to first process the content and then provide users the are expected to first process the content and then provide users with
opportunity to perform authentication. the opportunity to perform authentication.
The default behavior for clients is implementation-dependent, and it The default behavior for clients is implementation dependent, and it
may also depend on authentication schemes. The proposed default may also depend on authentication schemes. The proposed default
behavior is "modal" for all authentication schemes unless otherwise behavior is "modal" for all authentication schemes unless otherwise
specified. specified.
The above two different methods of authentication possibly introduce The above two different methods of authentication possibly introduce
a observable difference of semantics when the response contains an observable difference of semantics when the response contains
state-changing side effects; for example, it can affect how Cookie state-changing side effects; for example, it can affect how Cookie
headers [RFC6265] in 401 responses are processed. However, the headers [RFC6265] in 401 responses are processed. However, the
server applications SHOULD NOT depend on existence of such side server applications SHOULD NOT depend on the existence of such side
effects. effects.
4.3. Location-when-unauthenticated parameter 4.3. Location-When-Unauthenticated Parameter
Example: Example:
Authentication-Control: Mutual realm="auth-space-1", Authentication-Control: Mutual realm="auth-space-1",
location-when-unauthenticated="http://www.example.com/login.html" location-when-unauthenticated="http://www.example.com/login.html"
The parameter "location-when-unauthenticated" specifies a location The parameter "location-when-unauthenticated" specifies a location to
where any unauthenticated clients should be redirected to. This which any unauthenticated clients should be redirected. This header
header can be used, for example, when there is a central login page can be used, for example, when there is a central login page for the
for the entire Web application. The value of this parameter is a entire Web application. The value of this parameter is a string that
string that contains an URL location. If a received URL is not contains a URL location. If a received URL is not absolute, the
absolute, the clients SHOULD consider it a relative URL from the clients SHOULD consider it a relative URL from the current location.
current location.
This parameter MAY be used with a 401 response for an authentication- This parameter MAY be used with a 401 response for an authentication-
initializing response. It can also be contained, although this is initializing response. It can also be contained, although this is
NOT RECOMMENDED, in a positive response with an NOT RECOMMENDED, in a positive response with an
Optional-WWW-Authenticate header. The clients MUST ignore this Optional-WWW-Authenticate header. The clients MUST ignore this
parameter when a response is either successfully-authenticated or parameter when a response is either successfully authenticated or
intermediately-authenticated. intermediately authenticated.
When a client receives an authentication-initiating response with When a client receives an authentication-initiating response with
this parameter, and if the client has to ask users for authentication this parameter, and if the client has to ask users for authentication
credentials, the client will treat the entire response as if it were credentials, the client will treat the entire response as if it were
a 303 "See Other" response with a Location header that contains the a 303 "See Other" response with a Location header that contains the
value of this parameter (i.e., client will be redirected to the value of this parameter (i.e., the client will be redirected to the
specified location with a GET request). Unlike a normal 303 specified location with a GET request). Unlike a normal 303
response, if the client can process authentication without the user's response, if the client can process authentication without the user's
interaction, this parameter MUST be ignored. interaction, this parameter MUST be ignored.
4.4. No-auth parameter 4.4. No-Auth Parameter
Example: Example:
Authentication-Control: Basic realm="entrance", no-auth=true Authentication-Control: Basic realm="entrance", no-auth=true
The parameter "no-auth" is a variant of the The parameter "no-auth" is a variant of the
location-when-unauthenticated parameter; it specifies that new location-when-unauthenticated parameter; it specifies that new
authentication attempts are not to be performed on this location in authentication attempts are not to be performed on this location in
order to improve the user experience, without specifying the order to improve the user experience, without specifying the
redirection on the HTTP level. This header can be used, for example, redirection on the HTTP level. This header can be used, for example,
when there is a central login page for the entire Web application, when there is a central login page for the entire Web application and
and when an explicit user interaction with the Web content is desired when an explicit user interaction with the Web content is desired
before authentication. The value of this parameter MUST be a token before authentication. The value of this parameter MUST be a token
"true". If the value is incorrect, client MAY ignore this parameter. "true". If the value is incorrect, the client MAY ignore this
parameter.
This parameter MAY be used with authentication-initiating responses. This parameter MAY be used with authentication-initiating responses.
It can also be contained, although this is NOT RECOMMENDED, in a It can also be contained, although this is NOT RECOMMENDED, in a
positive response with an Optional-WWW-Authenticate header. The positive response with an Optional-WWW-Authenticate header. The
clients MUST ignore this parameter when a response is either clients MUST ignore this parameter when a response is either
successfully-authenticated or intermediately-authenticated. successfully authenticated or intermediately authenticated.
When a client receives an authentication-initiating response with When a client receives an authentication-initiating response with
this parameter, if the client has to ask users for authentication this parameter, if the client has to ask users for authentication
credentials, the client will ignore the WWW-Authenticate header credentials, the client will ignore the WWW-Authenticate header
contained in the response and treat the whole response as a normal contained in the response and treat the whole response as a normal
negative 4xx-class response instead of giving the user an opportunity negative 4xx-class response instead of giving the user an opportunity
to start authentication. If the client can process authentication to start authentication. If the client can process authentication
without the user's interaction, this parameter MUST be ignored. without the user's interaction, this parameter MUST be ignored.
Using this parameter along with location-when-unauthenticated Using this parameter along with the location-when-unauthenticated
parameter is meaningless. If both were supplied, clients SHOULD parameter is meaningless. If both were supplied, clients SHOULD
ignore the location-when-unauthenticated parameter. ignore the location-when-unauthenticated parameter.
This parameter SHOULD NOT be used as a security measure to prevent This parameter SHOULD NOT be used as a security measure to prevent
authentication attempts, as it is easily circumvented by users. This authentication attempts, as it is easily circumvented by users. This
parameter SHOULD be used solely for improving user experience of Web parameter SHOULD be used solely for improving the user experience of
applications. Web applications.
4.5. Location-when-logout parameter 4.5. Location-When-Logout Parameter
Example: Example:
Authentication-Control: Digest realm="protected space", Authentication-Control: Digest realm="protected space",
location-when-logout="http://www.example.com/byebye.html" location-when-logout="http://www.example.com/byebye.html"
The parameter "location-when-logout" specifies a location where the The parameter "location-when-logout" specifies a location where the
client is to be redirected when the user explicitly requests a client is to be redirected when the user explicitly requests a
logout. The value of this parameter MUST be a string that contains logout. The value of this parameter MUST be a string that contains a
an URL location. If a given URL is not absolute, the clients MUST URL location. If a given URL is not absolute, the clients MUST
consider it a relative URL from the current location. consider it a relative URL from the current location.
This parameter MAY be used with successfully-authenticated responses. This parameter MAY be used with successfully authenticated responses.
If this parameter is contained in other kinds of responses, the If this parameter is contained in other kinds of responses, the
clients MUST ignore this parameter. clients MUST ignore this parameter.
When the user tells the client to terminate the current When the user tells the client to terminate the current
authentication period, if the client currently displays a page authentication period, if the client currently displays a page
supplied by a response with this parameter, the client will supplied by a response with this parameter, the client will
automatically change current location to the location specified in automatically change the current location to the location specified
this parameter, using a new GET request, as if it has received a 303 in this parameter using a new GET request, as if it has received a
response. Any operations related to logging-out (e.g. erasing 303 response. Any operations related to logout (e.g., erasing
memories of user name, authentication credential and all related one- memories of username, authentication credential, and all related one-
time credentials such as nonce or keys) SHOULD occur before time credentials such as nonce or keys) SHOULD occur before
processing a page transition. processing a page transition.
When the user requests the client for the termination of an When the user requests the client for the termination of an
authentication period, if the client supports this parameter but the authentication period, if the client supports this parameter but the
server response does not contain this parameter, the client's server response does not contain this parameter, the client's
RECOMMENDED behavior is as follows: if the request corresponding to RECOMMENDED behavior is as follows: if the request corresponding to
the current content was GET method, reload the page without the the current content was the GET method, reload the page without the
authentication credential. Otherwise, keep the current content as-is authentication credential. Otherwise, keep the current content as-is
and simply forget the authentication status. The client SHOULD NOT and simply forget the authentication status. The client SHOULD NOT
replay a non-idempotent request without the user's explicit approval. replay a non-idempotent request without the user's explicit approval.
Web applications are encouraged to send this parameter with an Web applications are encouraged to send this parameter with an
appropriate value for any responses (except those with redirection appropriate value for any responses (except those with redirection
(3XX) statuses) for non-GET requests. (3XX) statuses) for non-GET requests.
See Section 5 for some examples for possible deployment of this See Section 5 for some examples for possible deployment of this
parameter. parameter.
4.6. Logout-timeout parameter 4.6. Logout-Timeout Parameter
Example: Example:
Authentication-Control: Basic realm="entrance", logout-timeout=300 Authentication-Control: Basic realm="entrance", logout-timeout=300
The parameter "logout-timeout", when contained in a successfully- The parameter "logout-timeout", when contained in a successfully
authenticated response, means that any authentication credentials and authenticated response, means that any authentication credentials and
state related to the current protection space are to be discarded if state related to the current protection space are to be discarded if
a time specified in this header (in seconds) has passed since the the time specified in this header (in seconds) has passed since the
time this header was received. The value MUST be an integer. As a time this header was received. The value MUST be an integer. As a
special case, the value 0 means that the server is logging the client special case, the value 0 means that the server is logging the client
out immediately from the current authentication space and that the out immediately from the current authentication space and that the
client is now returns to unauthenticated state. This does not, client is now returned to the unauthenticated state. This does not,
however, mean that the long-term memories for the passwords and however, mean that the long-term memories for the passwords and
passwords-related details (such as password reminders and auto fill- passwords-related details (such as password reminders and auto fill-
ins) should be removed. If a new timeout value is received for the ins) should be removed. If a new timeout value is received for the
same authentication space, it cancels the previous timeout and sets a same authentication space, it cancels the previous timeout and sets a
new timeout. new timeout.
4.7. Username parameter 4.7. Username Parameter
Example: Example:
Authentication-Control: Basic realm="configuration", username="admin" Authentication-Control: Basic realm="configuration", username="admin"
The parameter "username" tells that the only "user name" to be The parameter "username" tells us that the only "username" to be
accepted by the server is the value given in this parameter. accepted by the server is the value given in this parameter.
This parameter is particularly useful, for example, for routers and This parameter is particularly useful, for example, for routers and
other network appliances with a Web configuration interface. Many of other network appliances with a Web configuration interface. Many of
those use a HTTP Basic authentication with one predefined user name, those use an HTTP Basic authentication with one predefined username,
with many varieties such as "admin", "root", "user" etc. In current with many varieties such as "admin", "root", "user", etc. In the
situation, users have almost no hint about the valid user name upon current situation, users have almost no hint about the valid username
the authentication request. Some shows the valid value in a "realm" upon the authentication request. Some show the valid value in a
string, some in the 401-status response page, shown _after_ the user "realm" string, some in the 401-status response page, shown _after_
giving up the authentication and cancelled the authentication dialog. the user gave up the authentication and canceled the authentication
If this parameter is given, the client Web browser can auto-fill the dialog. If this parameter is given, the client Web browser can auto-
user-name field in the authentication dialog before the users attempt fill the username field in the authentication dialog before the users
to authenticate themselves. attempt to authenticate themselves.
This parameter MAY be used with authentication-initiating responses This parameter MAY be used with authentication-initiating responses
or negatively-authenticated responses requiring another attempt of or negatively authenticated responses requiring another attempt at
authentication. The clients MUST ignore this parameter when a authentication. The clients MUST ignore this parameter when a
response is either successfully-authenticated or intermediately- response is either successfully authenticated or intermediately
authenticated. authenticated.
If the authentication scheme to be used has a syntax limitation on If the authentication scheme to be used has a syntax limitation on
the allowed user names (e.g. Basic and Digest do not allow colons in the allowed usernames (e.g., Basic and Digest do not allow colons in
user names), the specified value MUST follow that limitation. usernames); the specified value MUST follow that limitation. Clients
Clients SHOULD ignore any values which do not conform to such SHOULD ignore any values that do not conform to such limitations.
limitations.
Also, if the used authentication scheme requires a specific style of Also, if the used authentication scheme requires a specific style of
text preparation for the user name (e.g., PRECIS [RFC7564] string text preparation for the username (e.g., PRECIS [RFC7564] string
preparation or Unicode normalization), the server SHOULD send the preparation or Unicode normalization), the server SHOULD send the
values satisfying such requirements (so that clients can use the values satisfying such requirements (so that clients can use the
given user name as is). given username as is).
Clients MAY still send any authentication requests with other user Clients MAY still send any authentication requests with other
names, possibly in vain. Clients are not required (also not usernames, possibly in vain. Clients are not required (also not
forbidden) to give users opportunities for supplying a user name forbidden) to give users opportunities for supplying a username
different from the server-specified one. Servers are also not different from the server-specified one. Servers are also not
strictly required to reject user names other than specified, but strictly required to reject usernames other than specified, but doing
doing so will usually give bad user experiences and may confuse users so will usually result in bad user experiences and may confuse users
and clients. and clients.
Although this parameter is useful in a specific class of use cases, Although this parameter is useful in a specific class of use cases,
using it in a general use cases has many security implications and using it in a general use case has many security implications and
possible pit-falls. Please consult Section 8.1 before deciding to possible pitfalls. Please consult Section 8.1 before deciding to use
use this parameter. this parameter.
5. Usage examples 5. Usage Examples
This section shows some examples for applying this extension to This section shows some examples for applying this extension to
typical websites which are using Forms and cookies for managing typical websites that use forms and cookies for managing
authentication and authorization. The content of this section is not authentication and authorization. The content of this section is not
normative and for illustrative purposes only. normative and is for illustrative purposes only.
In these examples, we assume that there are two kinds of clients (Web In these examples, we assume that there are two kinds of clients (Web
browsers). One kind of these implements all features described in browsers). One kind of these implements all features described in
the previous sections. We also assume that browsers will have a user the previous sections. We also assume that browsers will have a user
interface which allows users to deactivate (log-out from) current interface that allows users to deactivate (log out from) current
authentication sessions. The other kind are the "existing" authentication sessions. The other kind are the "existing"
implementations which do not support any of these features. implementations that do not support any of these features.
When not explicitly specified, all settings described below are to be When not explicitly specified, all settings described below are to be
applied with Authentication-Control headers, and these can be sent to applied with Authentication-Control headers, and these can be sent to
clients regardless of the authentication status (these will be clients regardless of the authentication status (these will be
silently ignored whenever not effective). silently ignored whenever not effective).
5.1. Example 1: a portal site 5.1. Example 1: A Portal Site
This subsection provides an example application for a site whose This subsection provides an example application for a site whose
structure is somewhat similar to conventional portal sites. In structure is somewhat similar to conventional portal sites. In
particular, most web pages are available for guest (unauthenticated) particular, most Web pages are available for guest (unauthenticated)
users, and if authentication is performed, the content of these pages users, and, if authentication is performed, the content of these
is customized for each user. We assume the site has the following pages is customized for each user. We assume that the site has the
kinds of pages currently: following kinds of pages currently:
o Content pages. o Content pages
o Pages/mechanism for performing authentication: o Pages/mechanism for performing authentication:
* There is one page which asks a user name and a password using a * There is one page that asks for a username and a password using
HTML POST form. a HTML POST form.
* After the authentication attempt, the user will be redirected * After the authentication attempt, the user will be redirected
to either the page which is previously displayed before the to either the page that was previously displayed before the
authentication, or some specific page. authentication or some specific page.
o A de-authentication (log-out) page. o A de-authentication (logout) page.
5.1.1. Case 1: a simple application 5.1.1. Case 1: A Simple Application
When such a site does not require specific actions upon log-in and When such a site does not require specific actions upon login and
log-out, the following simple settings can be used. logout, the following simple settings can be used:
o Set up an optional authentication to all pages available to o Set up an optional authentication to all pages available to
guests. Set up an Authentication-Control header with "auth- guests. Set up an Authentication-Control header with the "auth-
style=non-modal" setting. style=non-modal" setting.
o If there are pages only available to authenticated users, set up a o If there are pages only available to authenticated users, set up a
mandatory authentication with "auth-style=non-modal" setting. mandatory authentication with the "auth-style=non-modal" setting.
o No specific pages for authentication are needed. It will be o No specific pages for authentication are needed. It will be
performed automatically, directed by the above setting. performed automatically, directed by the above setting.
o A de-authentication page is also not needed. If the site has one, o A de-authentication page is also not needed. If the site has one,
put "logout-timeout=0" there. put "logout-timeout=0" there.
o For all pages for POST requests, it is advisable to have o For all pages for POST requests, it is advisable to have a
"location-when-logout=<some page>". "location-when-logout=<some page>".
5.1.2. Case 2: specific action required on log-out 5.1.2. Case 2: Specific Action Required on Logout
If the site requires specific actions upon log-out, the following If the site requires specific actions upon logout, the following
settings can be used. settings can be used:
o All settings in the Case 1 are applied. o All settings in Case 1 are applied.
o For all pages, set up the Authentication-Control header "location- o For all pages, set up the Authentication-Control header "location-
when-logout=<de-authentication page>". when-logout=<de-authentication page>".
o In the de-authentication page, no specific set-up is needed. If o In the de-authentication page, no specific setup is needed. If
there are any direct links to the de-authentication page, put there are any direct links to the de-authentication page, put
"logout-timeout=0". "logout-timeout=0".
5.1.3. Case 3: specific page displayed before log-in 5.1.3. Case 3: Specific Page Displayed before Login
If the site needs to display a specific page before log-in actions If the site needs to display a specific page before login actions
(some announcements, user notices, or even advertisements), the (some announcements, user notices, or even advertisements), the
following settings can be applied. following settings can be applied:
o Set up an optional authentication to all pages available to o Set up an optional authentication to all pages available to
guests. Set up an Authentication-Control header with "no- guests. Set up an Authentication-Control header with
auth=true". Put a link to a specific log-in page in contents. "no-auth=true". Put a link to a specific login page in contents.
o If there are pages only available to authenticated users, set up a o If there are pages only available to authenticated users, set up a
mandatory authentication with "location-when-unauthenticated=<the mandatory authentication with the
log-in page>". "location-when-unauthenticated=<the login page>".
o For the specific log-in page, set up a mandatory authentication. o For the specific login page, set up a mandatory authentication.
o For all pages for POST requests, it is advisable to have o For all pages for POST requests, it is advisable to have
"location-when-logout=<some page>", too. "location-when-logout=<some page>", too.
o De-authentication pages are not needed. If the site has one, put o De-authentication pages are not needed. If the site has one, put
"logout-timeout=0". "logout-timeout=0".
5.2. Example 2: authenticated user-only sites 5.2. Example 2: Authenticated User-Only Sites
If almost all pages in the target site require authentication (e.g., If almost all pages in the target site require authentication (e.g.,
an Internet banking site), or if there are no needs to support both an Internet banking site), or if there is no need to support both
unauthenticated and authenticated users on the same resource, the unauthenticated and authenticated users on the same resource, the
settings will become simpler. The following are an example for such settings will become simpler. The following are examples for such a
a site: site:
o Set up a mandatory authentication to all pages available to o Set up a mandatory authentication to all pages available to
authenticated users. Set up an Authentication-Control header with authenticated users. Set up an Authentication-Control header with
"auth-style=non-modal" setting. the "auth-style=non-modal" setting.
o Set up a handler for the 401-status which requests users to o Set up a handler for the 401-status that requests users to
authenticate. authenticate.
o For all pages for POST requests, it is advisable to have o For all pages for POST requests, it is advisable to have a
"location-when-logout=<some page>", too. "location-when-logout=<some page>", too.
o De-authentication pages are not needed. If the site will have o De-authentication pages are not needed. If the site will have
one, put "logout-timeout=0" there. one, put "logout-timeout=0" there.
5.3. When to use Cookies 5.3. When to Use Cookies
In current Web sites using form-based authentication, Cookies In current websites using form-based authentication, Cookies
[RFC6265] are used for managing both authorization and application [RFC6265] are used for managing both authorization and application
sessions. Using the extensions in this document, the former features sessions. Using the extensions in this document, the former features
will be provided by using (extended) HTTP authentication/ will be provided by using (extended) HTTP authentication/
authorization mechanisms. In some cases, there will be ambiguity on authorization mechanisms. In some cases, there will be ambiguity on
whether some functions are for authorization management or for whether some functions are for authorization management or for
session management. The following hints will be helpful for deciding session management. The following hints will be helpful for deciding
which features to use. which features to use.
o If there is a need to serve multiple sessions for a single user o If there is a need to serve multiple sessions for a single user
using multiple browsers concurrently, use a Cookie for using multiple browsers concurrently, use a Cookie for
distinguishing between sessions for the same user. (C.f. if there distinguishing between sessions for the same user. (C.f. if there
is a need to distinguish sessions in the same browser, HTML5 Web is a need to distinguish between sessions in the same browser,
Storage [W3C.REC-webstorage-20130730] features can be used instead HTML5 Web Storage [W3C.REC-webstorage-20130730] features can be
of Cookies.) used instead of Cookies.)
o If a web site is currently deploying a session time-out feature, o If a website is currently deploying a session time-out feature,
consider who benefits from the feature. In most cases, the main consider who benefits from the feature. In most cases, the main
requirement for such a feature is to protect users from having requirement for such a feature is to protect users from having
their consoles and browsers hijacked (i.e. benefits are on the their consoles and browsers hijacked (i.e., benefits are on the
users' side). In such cases, the time-out features provided in users' side). In such cases, the time-out features provided in
this extension can be used. On the other hand, the requirement is this extension can be used. On the other hand, the requirement is
to protect server's privilege (e.g. when some regulations require to protect the server's privilege (e.g., when some regulations
to limit the time difference between user's two-factor require limiting the time difference between a user's two-factor
authentication and financial transaction commitment; the authentication and financial transaction commitment; the
requirement is strictly on the servers' side), that should be requirement is strictly on the servers' side), that should be
managed on the server side using Cookies or other session managed on the server side using Cookies or other session-
management mechanisms. management mechanisms.
5.4. Parallel deployment with Form/Cookie authentication 5.4. Parallel Deployment with Form/Cookie Authentication
In some transition periods, sites can need to support both HTTP-layer In some transition periods, sites may need to support both HTTP-layer
and form-based authentication. The following example shows one way and form-based authentication. The following example shows one way
to achieve that. to achieve that.
o If Cookies are used even for HTTP-authenticated users, each o If Cookies are used even for HTTP-authenticated users, each
session determined by Cookies SHOULD identify which authentication session determined by Cookies SHOULD identify which authentication
has been used for the session. has been used for the session.
o First, set up any of the above settings for enabling HTTP-layer o First, set up any of the above settings for enabling HTTP-layer
authentication. authentication.
o For unauthenticated users, add the following things to the Web o For unauthenticated users, add the following things to the Web
pages, unless the client supports this extension and HTTP-level pages, unless the client supports this extension and HTTP-level
authentication. authentication:
* For non-mandatory authenticated pages, put a link to Form-based * For non-mandatory authenticated pages, add a link to the form-
authenticated pages. based authenticated pages.
* For mandatory authenticated pages, either put a link to Form- * For mandatory authenticated pages, either put a link to form-
based authenticated pages, or put a HTML-level redirection based authenticated pages or put an HTML-level redirection
(using <META http-equiv="refresh" ...> element) to such pages. (using <META http-equiv="refresh" ...> element) to such pages.
o In Form-based authenticated pages, if users are not authenticated, o In the form-based authenticated pages, if users are not
the page can provide a redirection for HTTP-level authentication authenticated, the page can provide a redirection for HTTP-level
by "location-when-unauthenticated" setting. authentication by the "location-when-unauthenticated" setting.
o Users are identified to authorization and content customization by o Users are identified for authorization and content customization
the following logic. by the following logic:
* First, check the result of the HTTP-level authentication. If * First, check the result of the HTTP-level authentication. If
there is a Cookie session tied to a specific user, both should there is a Cookie session tied to a specific user, both should
match. match.
* If the user is not authenticated on the HTTP-level, use the * If the user is not authenticated on the HTTP-level, use the
conventional Form-based method to determine the user. conventional form-based method to determine the user.
* If there is a Cookie tied to HTTP authentication, but there is * If there is a Cookie tied to HTTP authentication but there is
no corresponding HTTP authentication result, that session will no corresponding HTTP authentication result, that session will
be discarded (because it means that authentication is be discarded (because it means that authentication is
deactivated by the corresponding user). deactivated by the corresponding user).
6. Methods to extend this protocol 6. Methods to Extend This Protocol
If a private extension to this protocol is implemented, it MUST use If a private extension to this protocol is implemented, it MUST use
the extension-param to avoid conflicts with this protocol and any the extension-param to avoid conflicts with this protocol and any
other extensions. (Standardized or being-standardized extensions MAY other extensions. (Standardized extensions or extensions that are
use either bare-tokens or extension-tokens.) being standardized MAY use either bare-tokens or extension-tokens.)
When bare-tokens are used in this protocol, these MUST be allocated When bare-tokens are used in this protocol, these MUST be allocated
by IANA. Any tokens used for non-private, non-experimental by IANA. Any tokens used for non-private, non-experimental
parameters are RECOMMENDED to be registered to IANA, regardless of parameters are RECOMMENDED to be registered with IANA, regardless of
the kind of tokens used. the kind of tokens used.
Extension-tokens MAY be freely used for any non-standard, private, Extension-tokens MAY be freely used for any non-standard, private,
and/or experimental uses. An extension-tokens MUST use the format and/or experimental uses. An extension-token MUST use the format
"-<bare-token>.<domain-name>", where <domain-name> is a validly "-<bare-token>.<domain-name>", where <domain-name> is a validly
registered (sub-)domain name on the Internet owned by the party who registered (sub-)domain name on the Internet owned by the party that
defines the extensions. Any unknown parameter name is to be ignored defines the extensions. Any unknown parameter name is to be ignored
regardless of whether it is an extension-token or a bare-token. regardless of whether it is an extension-token or a bare-token.
7. IANA Considerations 7. IANA Considerations
This document defines two new entries for the "Permanent Message This document defines two new entries for the "Permanent Message
Header Field Names" registry. Header Field Names" registry.
+-------------+---------------------------+-------------------------+ +-------------+---------------------------+-------------------------+
| | Entry 1: | Entry 2: | | | Entry 1: | Entry 2: |
skipping to change at page 22, line 50 skipping to change at page 23, line 42
| Header | Optional-WWW-Authenticate | Authentication-Control | | Header | Optional-WWW-Authenticate | Authentication-Control |
| Field Name | | | | Field Name | | |
| Protocol | http | http | | Protocol | http | http |
| Status | experimental | experimental | | Status | experimental | experimental |
| Change | IETF | IETF | | Change | IETF | IETF |
| Control | | | | Control | | |
| Spec. | Section 3 of this | Section 4 of this | | Spec. | Section 3 of this | Section 4 of this |
| Document | document | document | | Document | document | document |
+-------------+---------------------------+-------------------------+ +-------------+---------------------------+-------------------------+
This document also establishes a registry for HTTP authentication This document also establishes the "HTTP Authentication Control
control parameters. The registry manages case-insensitive ASCII Parameters" registry. The registry manages case-insensitive ASCII
strings. The string MUST follow the extensive-token syntax defined strings. The string MUST follow the extensive-token syntax defined
in Section 2.2. in Section 2.2.
To acquire registered tokens, a specification for the use of such To acquire registered tokens, a specification for the use of such
tokens MUST be available as a publicly-accessible document, as tokens MUST be available as a publicly accessible document (see
outlined as "Specification Required" level in [RFC5226]. "Specification Required" in [RFC5226]).
Registrations for authentication control parameters are required to Registrations for authentication control parameters are required to
include a description of the control extension. New registrations include a description of the control extension. New registrations
are advised to provide the following information: are advised to provide the following information:
o Token: a token used in HTTP headers for identifying the algorithm. o Token: A token used in HTTP headers for identifying the algorithm.
o Specification: A reference for a specification defining the o Specification: A reference for the specification defining the
algorithm. algorithm.
The initial content of this registry is as follows: The initial content of this registry is as follows:
+-------------------------------+------------------------------+ +-------------------------------+------------------------------+
| Token | Specification | | Token | Specification |
+-------------------------------+------------------------------+ +-------------------------------+------------------------------+
| auth-style | Section 4.2 of this document | | auth-style | Section 4.2 of this document |
| location-when-unauthenticated | Section 4.3 of this document | | location-when-unauthenticated | Section 4.3 of this document |
| no-auth | Section 4.4 of this document | | no-auth | Section 4.4 of this document |
| location-when-logout | Section 4.5 of this document | | location-when-logout | Section 4.5 of this document |
| logout-timeout | Section 4.6 of this document | | logout-timeout | Section 4.6 of this document |
| username | Section 4.7 of this document | | username | Section 4.7 of this document |
+-------------------------------+------------------------------+ +-------------------------------+------------------------------+
8. Security Considerations 8. Security Considerations
The purpose of the log-out timeout feature in the Authentication- The purpose of the logout timeout feature in the Authentication-
control header is to protect users of clients from impersonation control header is to protect users of clients from impersonation
caused by an attacker having access to the same console. The server caused by an attacker having access to the same console. The server
application implementers SHOULD be aware that the directive may application implementers SHOULD be aware that the directive may
always be ignored by either malicious clients or clients not always be ignored by either malicious clients or clients not
supporting this extension. If the purpose of introducing a timeout supporting this extension. If the purpose of introducing a timeout
for an authentication period is to protect server-side resources, for an authentication period is to protect server-side resources,
this protection MUST be implemented by other means such as HTTP this protection MUST be implemented by other means such as HTTP
Cookies [RFC6265]. Cookies [RFC6265].
All parameters in the Authentication-Control header SHOULD NOT be All parameters in the Authentication-Control header SHOULD NOT be
used for any security-enforcement purposes. Server-side applications used for any security-enforcement purposes. Server-side applications
MUST NOT assume that the header will be honored by clients and users. MUST NOT assume that the header will be honored by clients and users.
8.1. Security implication of the username parameter 8.1. Security Implication of the Username Parameter
The "username" parameter sometimes reveals sensitive information The "username" parameter sometimes reveals sensitive information
about the HTTP server and its configurations, useful for security about the HTTP server and its configurations that are useful for
attacks. In general, security common practice suggests that any kind security attacks. In general, common security practice suggests that
of information on the existence/non-existence of specific user-name any kind of information on the existence/non-existence of a specific
shall not be disclosed before the successful authentication. username shall not be disclosed before successful authentication.
Obviously, the "username" parameter contradicts with this practice. Obviously, the "username" parameter contradicts this practice.
Given this background, the use of the "username" parameter SHOULD be Given this background, the use of the "username" parameter SHOULD be
strictly limited to cases where the all of the following conditions strictly limited to cases where all of the following conditions are
are met: met:
(1) the valid user name is pre-configured and not modifiable (such (1) the valid username is pre-configured and not modifiable (such as
as root, admin or similar ones); root, admin, or similar ones);
(2) the valid user name for such an appliance is publicly known (for (2) the valid username for such an appliance is publicly known (for
example, written in a manual document); and example, written in a manual document); and
(3) either the valid user name for the server is easily guessable by (3) either the valid username for the server is easily guessable by
other means (for example, from the model number shown in an other means (for example, from the model number shown in an
unauthenticated page), or the server is accessible only from unauthenticated page), or the server is accessible only from
limited networks. limited networks.
Most importantly, the "username" parameter SHOULD NOT be used in any Most importantly, the "username" parameter SHOULD NOT be used in any
case when the valid user names can be changed/configured by users or case when the valid usernames can be changed/configured by users or
administrators. administrators.
9. References 9. References
9.1. Normative References 9.1. Normative References
[RFC2119] Bradner, S., "Key words for use in RFCs to Indicate [RFC2119] Bradner, S., "Key words for use in RFCs to Indicate
Requirement Levels", BCP 14, RFC 2119, DOI 10.17487/ Requirement Levels", BCP 14, RFC 2119,
RFC2119, March 1997, DOI 10.17487/RFC2119, March 1997,
<http://www.rfc-editor.org/info/rfc2119>. <http://www.rfc-editor.org/info/rfc2119>.
[RFC5226] Narten, T. and H. Alvestrand, "Guidelines for Writing an [RFC5226] Narten, T. and H. Alvestrand, "Guidelines for Writing an
IANA Considerations Section in RFCs", BCP 26, RFC 5226, IANA Considerations Section in RFCs", BCP 26, RFC 5226,
DOI 10.17487/RFC5226, May 2008, DOI 10.17487/RFC5226, May 2008,
<http://www.rfc-editor.org/info/rfc5226>. <http://www.rfc-editor.org/info/rfc5226>.
[RFC5234] Crocker, D., Ed. and P. Overell, "Augmented BNF for Syntax [RFC5234] Crocker, D., Ed. and P. Overell, "Augmented BNF for Syntax
Specifications: ABNF", STD 68, RFC 5234, DOI 10.17487/ Specifications: ABNF", STD 68, RFC 5234,
RFC5234, January 2008, DOI 10.17487/RFC5234, January 2008,
<http://www.rfc-editor.org/info/rfc5234>. <http://www.rfc-editor.org/info/rfc5234>.
[RFC5987] Reschke, J., "Character Set and Language Encoding for [RFC5987] Reschke, J., "Character Set and Language Encoding for
Hypertext Transfer Protocol (HTTP) Header Field Hypertext Transfer Protocol (HTTP) Header Field
Parameters", RFC 5987, DOI 10.17487/RFC5987, August 2010, Parameters", RFC 5987, DOI 10.17487/RFC5987, August 2010,
<http://www.rfc-editor.org/info/rfc5987>. <http://www.rfc-editor.org/info/rfc5987>.
[RFC7230] Fielding, R., Ed. and J. Reschke, Ed., "Hypertext Transfer [RFC7230] Fielding, R., Ed. and J. Reschke, Ed., "Hypertext Transfer
Protocol (HTTP/1.1): Message Syntax and Routing", Protocol (HTTP/1.1): Message Syntax and Routing",
RFC 7230, DOI 10.17487/RFC7230, June 2014, RFC 7230, DOI 10.17487/RFC7230, June 2014,
skipping to change at page 25, line 42 skipping to change at page 27, line 5
[RFC7615] Reschke, J., "HTTP Authentication-Info and Proxy- [RFC7615] Reschke, J., "HTTP Authentication-Info and Proxy-
Authentication-Info Response Header Fields", RFC 7615, Authentication-Info Response Header Fields", RFC 7615,
DOI 10.17487/RFC7615, September 2015, DOI 10.17487/RFC7615, September 2015,
<http://www.rfc-editor.org/info/rfc7615>. <http://www.rfc-editor.org/info/rfc7615>.
[W3C.REC-webstorage-20130730] [W3C.REC-webstorage-20130730]
Hickson, I., "Web Storage", World Wide Web Consortium Hickson, I., "Web Storage", World Wide Web Consortium
Recommendation REC-webstorage-20130730, July 2013, Recommendation REC-webstorage-20130730, July 2013,
<http://www.w3.org/TR/2013/REC-webstorage-20130730>. <http://www.w3.org/TR/2013/REC-webstorage-20130730>.
Appendix A. (Informative) Applicability of features for each messages Appendix A. (Informative) Applicability of Features for Each Message
This section provides a cross-reference table showing the This section provides a cross-reference table showing the
applicability of the features provided in this specification to each applicability of the features provided in this specification to each
kind of responses described in Section 2.1. The table provided in kind of response described in Section 2.1. The table provided in
this section is for informative purposes only. this section is for informative purposes only.
+-------------------+-------+----------+-----------+------+ +-------------------+-------+----------+-----------+------+
| | init. | success. | intermed. | neg. | | | init. | success. | intermed. | neg. |
+-------------------+-------+----------+-----------+------+ +-------------------+-------+----------+-----------+------+
| Optional auth. | O | n | N | N | | Optional auth. | O | n | N | N |
| auth-style | O | - | - | O | | auth-style | O | - | - | O |
| loc.-when-unauth. | O | I | I | i | | loc.-when-unauth. | O | I | I | i |
| no-auth | O | I | I | i | | no-auth | O | I | I | i |
| loc.-when-logout | - | O | - | - | | loc.-when-logout | - | O | - | - |
| logout-timeout | - | O | - | - | | logout-timeout | - | O | - | - |
| username | O | - | - | O | | username | O | - | - | O |
+-------------------+-------+----------+-----------+------+ +-------------------+-------+----------+-----------+------+
Legends: Legends:
O = MAY contain; n = SHOULD NOT contain; N = MUST NOT contain O = MAY contain; n = SHOULD NOT contain; N = MUST NOT contain
i = SHOULD be ignored; I = MUST be ignored; i = SHOULD be ignored; I = MUST be ignored;
- = meaningless (to be ignored) - = meaningless (to be ignored)
Appendix B. (Informative) Draft Change Log
[To be removed on final publication]
B.1. Changes in Httpauth WG Revision 09
o More comments are reflected to the text.
B.2. Changes in Httpauth WG Revision 08
o Typo fixed.
o Authors' addresses updated.
B.3. Changes in Httpauth WG Revision 07
o WGLC comments are reflected to the text.
B.4. Changes in Httpauth WG Revision 06
o Several comments from reviewers are reflected to the text.
B.5. Changes in Httpauth WG Revision 05
o Authors' addresses updated.
B.6. Changes in Httpauth WG revision 04
o IANA consideration section added.
B.7. Changes in Httpauth WG revision 03
o Adopting RFC 5987 extended syntax for non-ASCII parameter values.
B.8. Changes in Httpauth WG revision 02
o Added realm parameter.
o Added username parameter. We acknowledge Michael Sweet's proposal
for including this to the Basic authentication.
B.9. Changes in Httpauth WG revision 01
o Clarification on peers' responsibility about handling of relative
URLs.
o Automatic reloading should be allowed only on safe methods, not
always on idempotent methods.
B.10. Changes in Httpauth revision 00 and HttpBis revision 00
None.
B.11. Changes in revision 02
o Added usage examples.
B.12. Changes in revision 01
o Syntax notations and parsing semantics changed to match httpbis
style.
B.13. Changes in revision 00
o Separated from HTTP Mutual authentication proposal (-09).
o Adopting httpbis works as a referencing point to HTTP.
o Generalized, now applicable for all HTTP authentication schemes.
o Added "no-auth" and "auth-style" parameters.
o Loosened standardization requirements for parameter-name tokens
registration.
Authors' Addresses Authors' Addresses
Yutaka Oiwa Yutaka Oiwa
National Institute of Advanced Industrial Science and Technology National Institute of Advanced Industrial Science and Technology
Information Technology Research Institute Information Technology Research Institute
Tsukuba Central 1 Tsukuba Central 1
1-1-1 Umezono 1-1-1 Umezono
Tsukuba-shi, Ibaraki Tsukuba-shi, Ibaraki
JP Japan
Email: y.oiwa@aist.go.jp Email: y.oiwa@aist.go.jp
Hajime Watanabe Hajime Watanabe
National Institute of Advanced Industrial Science and Technology National Institute of Advanced Industrial Science and Technology
Information Technology Research Institute Information Technology Research Institute
Tsukuba Central 1 Tsukuba Central 1
1-1-1 Umezono 1-1-1 Umezono
Tsukuba-shi, Ibaraki Tsukuba-shi, Ibaraki
JP Japan
Email: h-watanabe@aist.go.jp Email: h-watanabe@aist.go.jp
Hiromitsu Takagi Hiromitsu Takagi
National Institute of Advanced Industrial Science and Technology National Institute of Advanced Industrial Science and Technology
Information Technology Research Institute Information Technology Research Institute
Tsukuba Central 1 Tsukuba Central 1
1-1-1 Umezono 1-1-1 Umezono
Tsukuba-shi, Ibaraki Tsukuba-shi, Ibaraki
JP Japan
Email: takagi.hiromitsu@aist.go.jp Email: takagi.hiromitsu@aist.go.jp
Kaoru Maeda Kaoru Maeda
Lepidum Co. Ltd. Lepidum Co. Ltd.
Village Sasazuka 3, Suite #602 Village Sasazuka 3, Suite #602
1-30-3 Sasazuka 1-30-3 Sasazuka
Shibuya-ku, Tokyo Shibuya-ku, Tokyo
JP Japan
Email: maeda@lepidum.co.jp Email: maeda@lepidum.co.jp
Tatsuya Hayashi Tatsuya Hayashi
Lepidum Co. Ltd. Lepidum Co. Ltd.
Village Sasazuka 3, Suite #602 Village Sasazuka 3, Suite #602
1-30-3 Sasazuka 1-30-3 Sasazuka
Shibuya-ku, Tokyo Shibuya-ku, Tokyo
JP Japan
Email: hayashi@lepidum.co.jp Email: hayashi@lepidum.co.jp
Yuichi Ioku Yuichi Ioku
Individual Individual Contributor
Email: mutual-work@ioku.org Email: mutual-work@ioku.org
 End of changes. 198 change blocks. 
445 lines changed or deleted 362 lines changed or added

This html diff was produced by rfcdiff 1.45. The latest version is available from http://tools.ietf.org/tools/rfcdiff/