| draft-ietf-httpbis-p7-auth-08.txt | draft-ietf-httpbis-p7-auth-09.txt | |||
|---|---|---|---|---|
| HTTPbis Working Group R. Fielding, Ed. | HTTPbis Working Group R. Fielding, Ed. | |||
| Internet-Draft Day Software | Internet-Draft Day Software | |||
| Obsoletes: 2616 (if approved) J. Gettys | Obsoletes: 2616 (if approved) J. Gettys | |||
| Updates: 2617 (if approved) One Laptop per Child | Updates: 2617 (if approved) One Laptop per Child | |||
| Intended status: Standards Track J. Mogul | Intended status: Standards Track J. Mogul | |||
| Expires: April 29, 2010 HP | Expires: September 9, 2010 HP | |||
| H. Frystyk | H. Frystyk | |||
| Microsoft | Microsoft | |||
| L. Masinter | L. Masinter | |||
| Adobe Systems | Adobe Systems | |||
| P. Leach | P. Leach | |||
| Microsoft | Microsoft | |||
| T. Berners-Lee | T. Berners-Lee | |||
| W3C/MIT | W3C/MIT | |||
| Y. Lafon, Ed. | Y. Lafon, Ed. | |||
| W3C | W3C | |||
| J. Reschke, Ed. | J. Reschke, Ed. | |||
| greenbytes | greenbytes | |||
| October 26, 2009 | March 8, 2010 | |||
| HTTP/1.1, part 7: Authentication | HTTP/1.1, part 7: Authentication | |||
| draft-ietf-httpbis-p7-auth-08 | draft-ietf-httpbis-p7-auth-09 | |||
| Abstract | ||||
| The Hypertext Transfer Protocol (HTTP) is an application-level | ||||
| protocol for distributed, collaborative, hypermedia information | ||||
| systems. HTTP has been in use by the World Wide Web global | ||||
| information initiative since 1990. This document is Part 7 of the | ||||
| seven-part specification that defines the protocol referred to as | ||||
| "HTTP/1.1" and, taken together, obsoletes RFC 2616. Part 7 defines | ||||
| HTTP Authentication. | ||||
| Editorial Note (To be removed by RFC Editor) | ||||
| Discussion of this draft should take place on the HTTPBIS working | ||||
| group mailing list (ietf-http-wg@w3.org). The current issues list is | ||||
| at <http://tools.ietf.org/wg/httpbis/trac/report/11> and related | ||||
| documents (including fancy diffs) can be found at | ||||
| <http://tools.ietf.org/wg/httpbis/>. | ||||
| The changes in this draft are summarized in Appendix C.10. | ||||
| Status of this Memo | Status of this Memo | |||
| This Internet-Draft is submitted to IETF in full conformance with the | This Internet-Draft is submitted to IETF in full conformance with the | |||
| provisions of BCP 78 and BCP 79. This document may contain material | provisions of BCP 78 and BCP 79. | |||
| from IETF Documents or IETF Contributions published or made publicly | ||||
| available before November 10, 2008. The person(s) controlling the | ||||
| copyright in some of this material may not have granted the IETF | ||||
| Trust the right to allow modifications of such material outside the | ||||
| IETF Standards Process. Without obtaining an adequate license from | ||||
| the person(s) controlling the copyright in such materials, this | ||||
| document may not be modified outside the IETF Standards Process, and | ||||
| derivative works of it may not be created outside the IETF Standards | ||||
| Process, except to format it for publication as an RFC or to | ||||
| translate it into languages other than English. | ||||
| Internet-Drafts are working documents of the Internet Engineering | Internet-Drafts are working documents of the Internet Engineering | |||
| Task Force (IETF), its areas, and its working groups. Note that | Task Force (IETF), its areas, and its working groups. Note that | |||
| other groups may also distribute working documents as Internet- | other groups may also distribute working documents as Internet- | |||
| Drafts. | Drafts. | |||
| Internet-Drafts are draft documents valid for a maximum of six months | Internet-Drafts are draft documents valid for a maximum of six months | |||
| and may be updated, replaced, or obsoleted by other documents at any | and may be updated, replaced, or obsoleted by other documents at any | |||
| time. It is inappropriate to use Internet-Drafts as reference | time. It is inappropriate to use Internet-Drafts as reference | |||
| material or to cite them other than as "work in progress." | material or to cite them other than as "work in progress." | |||
| skipping to change at page 2, line 4 | skipping to change at page 2, line 14 | |||
| Internet-Drafts are working documents of the Internet Engineering | Internet-Drafts are working documents of the Internet Engineering | |||
| Task Force (IETF), its areas, and its working groups. Note that | Task Force (IETF), its areas, and its working groups. Note that | |||
| other groups may also distribute working documents as Internet- | other groups may also distribute working documents as Internet- | |||
| Drafts. | Drafts. | |||
| Internet-Drafts are draft documents valid for a maximum of six months | Internet-Drafts are draft documents valid for a maximum of six months | |||
| and may be updated, replaced, or obsoleted by other documents at any | and may be updated, replaced, or obsoleted by other documents at any | |||
| time. It is inappropriate to use Internet-Drafts as reference | time. It is inappropriate to use Internet-Drafts as reference | |||
| material or to cite them other than as "work in progress." | material or to cite them other than as "work in progress." | |||
| The list of current Internet-Drafts can be accessed at | The list of current Internet-Drafts can be accessed at | |||
| http://www.ietf.org/ietf/1id-abstracts.txt. | http://www.ietf.org/ietf/1id-abstracts.txt. | |||
| The list of Internet-Draft Shadow Directories can be accessed at | The list of Internet-Draft Shadow Directories can be accessed at | |||
| http://www.ietf.org/shadow.html. | http://www.ietf.org/shadow.html. | |||
| This Internet-Draft will expire on April 29, 2010. | This Internet-Draft will expire on September 9, 2010. | |||
| Copyright Notice | Copyright Notice | |||
| Copyright (c) 2009 IETF Trust and the persons identified as the | Copyright (c) 2010 IETF Trust and the persons identified as the | |||
| document authors. All rights reserved. | document authors. All rights reserved. | |||
| This document is subject to BCP 78 and the IETF Trust's Legal | This document is subject to BCP 78 and the IETF Trust's Legal | |||
| Provisions Relating to IETF Documents in effect on the date of | Provisions Relating to IETF Documents | |||
| publication of this document (http://trustee.ietf.org/license-info). | (http://trustee.ietf.org/license-info) in effect on the date of | |||
| Please review these documents carefully, as they describe your rights | publication of this document. Please review these documents | |||
| and restrictions with respect to this document. | carefully, as they describe your rights and restrictions with respect | |||
| to this document. Code Components extracted from this document must | ||||
| Abstract | include Simplified BSD License text as described in Section 4.e of | |||
| the Trust Legal Provisions and are provided without warranty as | ||||
| The Hypertext Transfer Protocol (HTTP) is an application-level | described in the BSD License. | |||
| protocol for distributed, collaborative, hypermedia information | ||||
| systems. HTTP has been in use by the World Wide Web global | ||||
| information initiative since 1990. This document is Part 7 of the | ||||
| seven-part specification that defines the protocol referred to as | ||||
| "HTTP/1.1" and, taken together, obsoletes RFC 2616. Part 7 defines | ||||
| HTTP Authentication. | ||||
| Editorial Note (To be removed by RFC Editor) | ||||
| Discussion of this draft should take place on the HTTPBIS working | ||||
| group mailing list (ietf-http-wg@w3.org). The current issues list is | ||||
| at <http://tools.ietf.org/wg/httpbis/trac/report/11> and related | ||||
| documents (including fancy diffs) can be found at | ||||
| <http://tools.ietf.org/wg/httpbis/>. | ||||
| The changes in this draft are summarized in Appendix C.9. | This document may contain material from IETF Documents or IETF | |||
| Contributions published or made publicly available before November | ||||
| 10, 2008. The person(s) controlling the copyright in some of this | ||||
| material may not have granted the IETF Trust the right to allow | ||||
| modifications of such material outside the IETF Standards Process. | ||||
| Without obtaining an adequate license from the person(s) controlling | ||||
| the copyright in such materials, this document may not be modified | ||||
| outside the IETF Standards Process, and derivative works of it may | ||||
| not be created outside the IETF Standards Process, except to format | ||||
| it for publication as an RFC or to translate it into languages other | ||||
| than English. | ||||
| Table of Contents | Table of Contents | |||
| 1. Introduction . . . . . . . . . . . . . . . . . . . . . . . . . 4 | 1. Introduction . . . . . . . . . . . . . . . . . . . . . . . . . 4 | |||
| 1.1. Requirements . . . . . . . . . . . . . . . . . . . . . . . 4 | 1.1. Requirements . . . . . . . . . . . . . . . . . . . . . . . 4 | |||
| 1.2. Syntax Notation . . . . . . . . . . . . . . . . . . . . . 4 | 1.2. Syntax Notation . . . . . . . . . . . . . . . . . . . . . 4 | |||
| 1.2.1. Core Rules . . . . . . . . . . . . . . . . . . . . . . 5 | 1.2.1. Core Rules . . . . . . . . . . . . . . . . . . . . . . 5 | |||
| 1.2.2. ABNF Rules defined in other Parts of the | 1.2.2. ABNF Rules defined in other Parts of the | |||
| Specification . . . . . . . . . . . . . . . . . . . . 5 | Specification . . . . . . . . . . . . . . . . . . . . 5 | |||
| 2. Status Code Definitions . . . . . . . . . . . . . . . . . . . 5 | 2. Status Code Definitions . . . . . . . . . . . . . . . . . . . 5 | |||
| skipping to change at page 3, line 44 | skipping to change at page 3, line 44 | |||
| publication) . . . . . . . . . . . . . . . . . . . . 11 | publication) . . . . . . . . . . . . . . . . . . . . 11 | |||
| C.1. Since RFC2616 . . . . . . . . . . . . . . . . . . . . . . 11 | C.1. Since RFC2616 . . . . . . . . . . . . . . . . . . . . . . 11 | |||
| C.2. Since draft-ietf-httpbis-p7-auth-00 . . . . . . . . . . . 11 | C.2. Since draft-ietf-httpbis-p7-auth-00 . . . . . . . . . . . 11 | |||
| C.3. Since draft-ietf-httpbis-p7-auth-01 . . . . . . . . . . . 11 | C.3. Since draft-ietf-httpbis-p7-auth-01 . . . . . . . . . . . 11 | |||
| C.4. Since draft-ietf-httpbis-p7-auth-02 . . . . . . . . . . . 12 | C.4. Since draft-ietf-httpbis-p7-auth-02 . . . . . . . . . . . 12 | |||
| C.5. Since draft-ietf-httpbis-p7-auth-03 . . . . . . . . . . . 12 | C.5. Since draft-ietf-httpbis-p7-auth-03 . . . . . . . . . . . 12 | |||
| C.6. Since draft-ietf-httpbis-p7-auth-04 . . . . . . . . . . . 12 | C.6. Since draft-ietf-httpbis-p7-auth-04 . . . . . . . . . . . 12 | |||
| C.7. Since draft-ietf-httpbis-p7-auth-05 . . . . . . . . . . . 12 | C.7. Since draft-ietf-httpbis-p7-auth-05 . . . . . . . . . . . 12 | |||
| C.8. Since draft-ietf-httpbis-p7-auth-06 . . . . . . . . . . . 12 | C.8. Since draft-ietf-httpbis-p7-auth-06 . . . . . . . . . . . 12 | |||
| C.9. Since draft-ietf-httpbis-p7-auth-07 . . . . . . . . . . . 12 | C.9. Since draft-ietf-httpbis-p7-auth-07 . . . . . . . . . . . 12 | |||
| C.10. Since draft-ietf-httpbis-p7-auth-08 . . . . . . . . . . . 13 | ||||
| Index . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 13 | Index . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 13 | |||
| Authors' Addresses . . . . . . . . . . . . . . . . . . . . . . . . 13 | Authors' Addresses . . . . . . . . . . . . . . . . . . . . . . . . 14 | |||
| 1. Introduction | 1. Introduction | |||
| This document defines HTTP/1.1 access control and authentication. | This document defines HTTP/1.1 access control and authentication. | |||
| Right now it includes the extracted relevant sections of RFC 2616 | Right now it includes the extracted relevant sections of RFC 2616 | |||
| with only minor changes. The intention is to move the general | with only minor changes. The intention is to move the general | |||
| framework for HTTP authentication here, as currently specified in | framework for HTTP authentication here, as currently specified in | |||
| [RFC2617], and allow the individual authentication mechanisms to be | [RFC2617], and allow the individual authentication mechanisms to be | |||
| defined elsewhere. This introduction will be rewritten when that | defined elsewhere. This introduction will be rewritten when that | |||
| occurs. | occurs. | |||
| skipping to change at page 6, line 8 | skipping to change at page 6, line 8 | |||
| [RFC2617]. | [RFC2617]. | |||
| 3. Header Field Definitions | 3. Header Field Definitions | |||
| This section defines the syntax and semantics of HTTP/1.1 header | This section defines the syntax and semantics of HTTP/1.1 header | |||
| fields related to authentication. | fields related to authentication. | |||
| 3.1. Authorization | 3.1. Authorization | |||
| The "Authorization" request-header field allows a user agent to | The "Authorization" request-header field allows a user agent to | |||
| authenticate itself with a server -- usually, but not necessary, | authenticate itself with a server -- usually, but not necessarily, | |||
| after receiving a 401 (Unauthorized) response. Its value consists of | after receiving a 401 (Unauthorized) response. Its value consists of | |||
| credentials containing information of the user agent for the realm of | credentials containing information of the user agent for the realm of | |||
| the resource being requested. | the resource being requested. | |||
| Authorization = "Authorization" ":" OWS Authorization-v | Authorization = "Authorization" ":" OWS Authorization-v | |||
| Authorization-v = credentials | Authorization-v = credentials | |||
| HTTP access authentication is described in "HTTP Authentication: | HTTP access authentication is described in "HTTP Authentication: | |||
| Basic and Digest Access Authentication" [RFC2617]. If a request is | Basic and Digest Access Authentication" [RFC2617]. If a request is | |||
| authenticated and a realm specified, the same credentials SHOULD be | authenticated and a realm specified, the same credentials SHOULD be | |||
| skipping to change at page 9, line 21 | skipping to change at page 9, line 21 | |||
| server to direct clients to discard these cached credentials. This | server to direct clients to discard these cached credentials. This | |||
| is a significant defect that requires further extensions to HTTP. | is a significant defect that requires further extensions to HTTP. | |||
| Circumstances under which credential caching can interfere with the | Circumstances under which credential caching can interfere with the | |||
| application's security model include but are not limited to: | application's security model include but are not limited to: | |||
| o Clients which have been idle for an extended period following | o Clients which have been idle for an extended period following | |||
| which the server might wish to cause the client to reprompt the | which the server might wish to cause the client to reprompt the | |||
| user for credentials. | user for credentials. | |||
| o Applications which include a session termination indication (such | o Applications which include a session termination indication (such | |||
| as a `logout' or `commit' button on a page) after which the server | as a "logout" or "commit" button on a page) after which the server | |||
| side of the application `knows' that there is no further reason | side of the application "knows" that there is no further reason | |||
| for the client to retain the credentials. | for the client to retain the credentials. | |||
| This is currently under separate study. There are a number of work- | This is currently under separate study. There are a number of work- | |||
| arounds to parts of this problem, and we encourage the use of | arounds to parts of this problem, and we encourage the use of | |||
| password protection in screen savers, idle time-outs, and other | password protection in screen savers, idle time-outs, and other | |||
| methods which mitigate the security problems inherent in this | methods which mitigate the security problems inherent in this | |||
| problem. In particular, user agents which cache credentials are | problem. In particular, user agents which cache credentials are | |||
| encouraged to provide a readily accessible mechanism for discarding | encouraged to provide a readily accessible mechanism for discarding | |||
| cached credentials under user control. | cached credentials under user control. | |||
| 6. Acknowledgments | 6. Acknowledgments | |||
| [[anchor2: TBD.]] | [[acks: TBD.]] | |||
| 7. References | 7. References | |||
| 7.1. Normative References | 7.1. Normative References | |||
| [Part1] Fielding, R., Ed., Gettys, J., Mogul, J., Frystyk, H., | [Part1] Fielding, R., Ed., Gettys, J., Mogul, J., Frystyk, H., | |||
| Masinter, L., Leach, P., Berners-Lee, T., Lafon, Y., Ed., | Masinter, L., Leach, P., Berners-Lee, T., Lafon, Y., Ed., | |||
| and J. Reschke, Ed., "HTTP/1.1, part 1: URIs, Connections, | and J. Reschke, Ed., "HTTP/1.1, part 1: URIs, Connections, | |||
| and Message Parsing", draft-ietf-httpbis-p1-messaging-08 | and Message Parsing", draft-ietf-httpbis-p1-messaging-09 | |||
| (work in progress), October 2009. | (work in progress), March 2010. | |||
| [Part6] Fielding, R., Ed., Gettys, J., Mogul, J., Frystyk, H., | [Part6] Fielding, R., Ed., Gettys, J., Mogul, J., Frystyk, H., | |||
| Masinter, L., Leach, P., Berners-Lee, T., Lafon, Y., Ed., | Masinter, L., Leach, P., Berners-Lee, T., Lafon, Y., Ed., | |||
| Nottingham, M., Ed., and J. Reschke, Ed., "HTTP/1.1, part | Nottingham, M., Ed., and J. Reschke, Ed., "HTTP/1.1, part | |||
| 6: Caching", draft-ietf-httpbis-p6-cache-08 (work in | 6: Caching", draft-ietf-httpbis-p6-cache-09 (work in | |||
| progress), October 2009. | progress), March 2010. | |||
| [RFC2119] Bradner, S., "Key words for use in RFCs to Indicate | [RFC2119] Bradner, S., "Key words for use in RFCs to Indicate | |||
| Requirement Levels", BCP 14, RFC 2119, March 1997. | Requirement Levels", BCP 14, RFC 2119, March 1997. | |||
| [RFC2617] Franks, J., Hallam-Baker, P., Hostetler, J., Lawrence, S., | [RFC2617] Franks, J., Hallam-Baker, P., Hostetler, J., Lawrence, S., | |||
| Leach, P., Luotonen, A., and L. Stewart, "HTTP | Leach, P., Luotonen, A., and L. Stewart, "HTTP | |||
| Authentication: Basic and Digest Access Authentication", | Authentication: Basic and Digest Access Authentication", | |||
| RFC 2617, June 1999. | RFC 2617, June 1999. | |||
| [RFC5234] Crocker, D., Ed. and P. Overell, "Augmented BNF for Syntax | [RFC5234] Crocker, D., Ed. and P. Overell, "Augmented BNF for Syntax | |||
| skipping to change at page 13, line 5 | skipping to change at page 13, line 5 | |||
| None. | None. | |||
| C.9. Since draft-ietf-httpbis-p7-auth-07 | C.9. Since draft-ietf-httpbis-p7-auth-07 | |||
| Closed issues: | Closed issues: | |||
| o <http://tools.ietf.org/wg/httpbis/trac/ticket/198>: "move IANA | o <http://tools.ietf.org/wg/httpbis/trac/ticket/198>: "move IANA | |||
| registrations for optional status codes" | registrations for optional status codes" | |||
| C.10. Since draft-ietf-httpbis-p7-auth-08 | ||||
| No significant changes. | ||||
| Index | Index | |||
| 4 | 4 | |||
| 401 Unauthorized (status code) 5 | 401 Unauthorized (status code) 5 | |||
| 407 Proxy Authentication Required (status code) 5 | 407 Proxy Authentication Required (status code) 5 | |||
| A | A | |||
| Authorization header 6 | Authorization header 6 | |||
| G | G | |||
| End of changes. 17 change blocks. | ||||
| 48 lines changed or deleted | 60 lines changed or added | |||
This html diff was produced by rfcdiff 1.36. The latest version is available from http://tools.ietf.org/tools/rfcdiff/ | ||||