RFC 7617 - The 'Basic' HTTP Authentication Scheme
Published: September 2015
Status: Standards Track
Author: J. Reschke (greenbytes)
Obsoletes: RFC 2617
Abstract
This document defines the "Basic" Hypertext Transfer Protocol (HTTP) authentication scheme, which transmits credentials as user-id/password pairs, encoded using Base64.
Status of This Memo
This is an Internet Standards Track document.
This document is a product of the Internet Engineering Task Force (IETF). It represents the consensus of the IETF community. It has received public review and has been approved for publication by the Internet Engineering Steering Group (IESG). Further information on Internet Standards is available in Section 2 of RFC 5741.
Information about the current status of this document, any errata, and how to provide feedback on it may be obtained at `http://www.rfc-editor.org/info/rfc7617`.
Table of Contents
- 1. Introduction
- 1.1 Terminology and Notation
- 2. The 'Basic' Authentication Scheme
- 2.1 The 'charset' auth-param
- 2.2 Reusing Credentials
- 3. Internationalization Considerations
- 4. Security Considerations
- 5. IANA Considerations
- 6. References
- 6.1 Normative References
- 6.2 Informative References
Appendices
- Appendix A. Changes from RFC 2617
- Appendix B. Deployment Considerations for the 'charset' Parameter
- B.1 User Agents
- B.2 Servers
- B.3 Why not simply switch the default encoding to UTF-8?
- Acknowledgements
Core Concepts
Basic Authentication Scheme Overview
Basic authentication is the simplest HTTP authentication scheme: the client sends the user-id and password, joined by a colon and Base64-encoded, in the Authorization header.
⚠️ Security Warning: Basic authentication transmits the password in cleartext. Base64 is an encoding, not encryption, and is trivially reversed. Unless carried over TLS/HTTPS, it is not considered a secure authentication method.
Authentication Flow
```
Client                                 Server
  |                                         |
  |-------- 1. GET /protected ------------->|
  |                                         |
  |<------- 2. 401 Unauthorized ------------|
  |         WWW-Authenticate: Basic         |
  |           realm="WallyWorld"            |
  |                                         |
  |-------- 3. GET /protected ------------->|
  |         Authorization: Basic            |
  |           QWxhZGRpbjpvcGVuIHNlc2FtZQ==  |
  |                                         |
  |<------- 4. 200 OK + resource -----------|
  |                                         |
```
Base64 Encoding Example
Username: Aladdin
Password: open sesame
Encoding process:
- Concatenate user-id, a colon and the password: `Aladdin:open sesame`
- Base64 encode: `QWxhZGRpbjpvcGVuIHNlc2FtZQ==`
- Send: `Authorization: Basic QWxhZGRpbjpvcGVuIHNlc2FtZQ==`
RFC 7617 vs RFC 2617 Key Changes
- New 'charset' parameter: Lets a server indicate in its challenge that it expects the user-id and password to be encoded as UTF-8
- Internationalization support: Improved handling of non-ASCII characters in credentials
- Specification rewrite: The scheme is now defined within the HTTP authentication framework of RFC 7235
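As an added example (not code from the RFC or from this page), the following Python builds, parses and verifies Basic credentials as the encoding example and the 'charset' parameter above describe: it produces the `charset="UTF-8"` challenge, splits on the first colon only so a password containing ':' survives, and fails closed on malformed input. The helper names and the in-memory user table are assumptions for illustration.

```python
import base64
import hmac

# Added illustration, not RFC 7617 text. Helper names are hypothetical.


def encode_basic(user_id: str, password: str, charset: str = "utf-8") -> str:
    """Return an Authorization value: 'Basic ' + base64(user-id ':' password).

    RFC 7617 forbids a colon in the user-id; the password may contain one.
    """
    if ":" in user_id:
        raise ValueError("user-id must not contain a colon")
    raw = f"{user_id}:{password}".encode(charset)
    return "Basic " + base64.b64encode(raw).decode("ascii")


def decode_basic(header_value: str, charset: str = "utf-8") -> tuple[str, str]:
    """Parse 'Basic <token>' into (user-id, password).

    The scheme name is case-insensitive (RFC 7235); the split is on the
    FIRST colon only, so passwords containing ':' round-trip correctly.
    """
    scheme, _, token = header_value.strip().partition(" ")
    if scheme.lower() != "basic" or not token:
        raise ValueError("not a Basic credential")
    raw = base64.b64decode(token.strip(), validate=True).decode(charset)
    user_id, sep, password = raw.partition(":")
    if not sep:
        raise ValueError("missing ':' separator in credentials")
    return user_id, password


def challenge(realm: str) -> str:
    """WWW-Authenticate value advertising UTF-8 via the charset auth-param."""
    return f'Basic realm="{realm}", charset="UTF-8"'


def verify(header_value: str, users: dict[str, str]) -> bool:
    """Server-side check against a constructed user-id -> password table
    (a real server would compare against a password hash instead).

    Bad Base64, bad UTF-8 and a missing colon all fail closed; the
    comparison is constant-time so timing does not reveal where a guess diverges.
    """
    try:
        user_id, password = decode_basic(header_value)
    except (ValueError, UnicodeDecodeError):
        return False
    expected = users.get(user_id, "")
    return bool(expected) and hmac.compare_digest(
        password.encode("utf-8"), expected.encode("utf-8"))
```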
Related Resources
- Official Text: RFC 7617
- Official Page: RFC 7617 DataTracker
- Errata: RFC Editor Errata
- Related RFC: RFC 7235 (HTTP/1.1 Authentication)