4.12. Client Authentication
Applications using HTTP often need to authenticate clients. HTTP provides several mechanisms for authentication:

- HTTP Authentication: Using the WWW-Authenticate and Authorization header fields, as defined in [HTTP] Section 11. Common schemes include Basic [RFC7617] and Digest [RFC7616] authentication.
- Bearer tokens: Using tokens (such as OAuth 2.0 tokens) in the Authorization header field with the Bearer scheme.
- Cookies: Using cookies [COOKIES] to maintain authenticated sessions.
- TLS client certificates: Using certificates at the TLS layer to authenticate clients.
- Application-specific mechanisms: Custom authentication mechanisms defined by the application.
Applications SHOULD use existing, well-understood authentication mechanisms where possible rather than defining new ones. When authentication is used:

- Applications MUST use TLS to protect authentication credentials in transit.
- Applications SHOULD use appropriate HTTP status codes (particularly 401 Unauthorized and 403 Forbidden) to indicate authentication failures.
- Applications SHOULD provide clear error messages when authentication fails, but MUST NOT leak sensitive information (such as whether a username exists).
- Applications SHOULD consider the lifetime and renewal of authentication credentials.
- Applications SHOULD specify how authentication state is maintained across requests (e.g., using cookies or requiring the Authorization header field on every request).
Applications SHOULD be aware that authentication is different from authorization. Authentication establishes the identity of the client, while authorization determines what that client is allowed to do.
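The following is an added example, not text or code from this document or its authors, showing how a server-side handler can apply the guidance above: it accepts the Basic and Bearer schemes from the Authorization header field, answers a missing or invalid credential with 401 and a WWW-Authenticate challenge, answers an authenticated but unauthorized request with 403, and returns the same response for an unknown username as for a wrong password so that the error does not reveal whether the username exists. The user records, bearer tokens, salt and paths are constructed sample data, and the hashing parameters are illustrative only.

```python
"""Added example (not part of the original document): a minimal HTTP
request authenticator and authorizer illustrating the 401/403 distinction,
the WWW-Authenticate challenge, and non-leaking failure responses.
Users, tokens, salt and paths below are constructed sample data."""
import base64
import hashlib
import hmac
from dataclasses import dataclass, field
from typing import Dict, Optional

# Illustrative password digest. A production service would use a dedicated
# password hash (argon2, scrypt or bcrypt) with a per-user salt.
_SALT = b"constructed-example-salt"

def _digest(password: str) -> bytes:
    return hashlib.pbkdf2_hmac("sha256", password.encode("utf-8"), _SALT, 10_000)

# Constructed credential store (hypothetical users and roles).
USERS = {
    "alice": {"pw": _digest("correct horse"), "roles": {"reader"}},
    "bob": {"pw": _digest("battery staple"), "roles": {"reader", "admin"}},
}
# Constructed bearer-token store mapping opaque tokens to usernames.
TOKENS = {"tok-alice-123": "alice"}

# Digest compared against when the username is unknown, so that an unknown
# user and a known user with a wrong password follow the same code path.
_DUMMY_DIGEST = _digest("dummy-password")

# Two challenges in one WWW-Authenticate field: the client may use either scheme.
CHALLENGE = 'Bearer realm="api", Basic realm="api", charset="UTF-8"'


@dataclass
class Response:
    status: int
    headers: Dict[str, str] = field(default_factory=dict)
    body: str = ""


def basic_header(user: str, password: str) -> str:
    """Build an Authorization value for the Basic scheme [RFC7617]."""
    return "Basic " + base64.b64encode(f"{user}:{password}".encode("utf-8")).decode("ascii")


def authenticate(headers: Dict[str, str]) -> Optional[str]:
    """Return the authenticated username, or None if credentials are absent or invalid."""
    scheme, _, param = headers.get("Authorization", "").partition(" ")
    scheme = scheme.lower()
    if scheme == "bearer":
        return TOKENS.get(param.strip())
    if scheme == "basic":
        try:
            user, _, password = base64.b64decode(param.strip()).decode("utf-8").partition(":")
        except ValueError:  # covers binascii.Error and UnicodeDecodeError
            return None
        record = USERS.get(user)
        expected = record["pw"] if record is not None else _DUMMY_DIGEST
        # Constant-time comparison, always performed, even for unknown users.
        matches = hmac.compare_digest(expected, _digest(password))
        return user if (record is not None and matches) else None
    return None  # unsupported or missing scheme


def handle(method: str, path: str, headers: Dict[str, str]) -> Response:
    """Authenticate first (who is the client?), then authorize (may they do this?)."""
    user = authenticate(headers)
    if user is None:
        # 401: identity not established. The generic body says nothing about
        # whether the username exists or which part of the credential was wrong.
        return Response(401, {"WWW-Authenticate": CHALLENGE}, "authentication required")
    if path.startswith("/admin") and "admin" not in USERS[user]["roles"]:
        # 403: identity established, but this client is not allowed to do this.
        return Response(403, {}, "forbidden")
    return Response(200, {}, f"{method} {path} ok for {user}")


if __name__ == "__main__":
    for label, hdrs in [
        ("no credentials", {}),
        ("unknown user", {"Authorization": basic_header("mallory", "x")}),
        ("wrong password", {"Authorization": basic_header("alice", "x")}),
        ("alice, reader path", {"Authorization": basic_header("alice", "correct horse")}),
        ("alice, admin path", {"Authorization": basic_header("alice", "correct horse")}),
    ]:
        path = "/admin/users" if "admin path" in label else "/data"
        r = handle("GET", path, hdrs)
        print(f"{label:20} -> {r.status} {r.body}")
```

The unknown-user and wrong-password cases deliberately produce byte-identical responses and run the same digest computation, so neither the message nor the timing distinguishes them; the 403 branch only runs after authentication has succeeded, which is the authentication/authorization split the final paragraph describes.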