HTTP Authentication (Development/Web, 2022. 6. 12. 22:11)
*These are review notes, so the obvious parts are left out
Summary.
1. RFC 7235 defines the HTTP authentication framework, which can be used by a server to challenge a client request, and by a client to provide authentication information
- The server responds to a client with a 401 (Unauthorized) response status and provides information on how to authorize with a WWW-Authenticate response header containing at least one challenge.
- A client that wants to authenticate itself with the server can then do so by including an Authorization request header with the credentials.
- Usually a client will present a password prompt to the user and will then issue the request including the correct Authorization header
+ For proxy servers there are the corresponding Proxy-Authenticate and Proxy-Authorization headers, etc.
2. Browsers use utf-8 encoding for usernames and passwords
3. The WWW-Authenticate and Proxy-Authenticate response headers define the authentication method that should be used to gain access to a resource
+ Here, <type> is the authentication scheme ("Basic" is the most common scheme and is introduced below). The realm describes the protected area or indicates the scope of protection. This could be a message like "Access to the staging site" or similar, so that the user knows which space they are trying to access
WWW-Authenticate: <type> realm=<realm>
Proxy-Authenticate: <type> realm=<realm>
4. The Authorization and Proxy-Authorization request headers contain the credentials to authenticate a user agent with a (proxy) server. Here, the <type> is needed again followed by the credentials, which can be encoded or encrypted depending on which authentication scheme is used
Authorization: <type> <credentials>
Proxy-Authorization: <type> <credentials>
5. Authentication schemes
ex) Basic: base64-encoded credentials (the id and password can be sent encoded this way, but this must never be done except over HTTPS, since base64 is not encryption)
ex) Bearer: bearer tokens to access OAuth 2.0-protected resources
+ List of registered schemes: https://www.iana.org/assignments/http-authschemes/http-authschemes.xhtml
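To make the framework above concrete, here is an added example (not from the original post or from MDN) that parses a WWW-Authenticate challenge into its scheme and parameters, builds a Basic Authorization value from UTF-8 user-id and password (RFC 7617 style), and verifies a received Authorization header with constant-time comparison. The sample challenge string and the `aladdin`/`opensesame` credentials are constructed test values.

```python
import base64
import hmac
import re

# Constructed sample challenge, as a server might send it in a 401 response
SAMPLE_CHALLENGE = 'Basic realm="Access to the staging site", charset="UTF-8"'

# auth-param = token "=" ( token / quoted-string )
_PARAM_RE = re.compile(r'(\w+)\s*=\s*(?:"([^"]*)"|([^\s,]+))')


def parse_challenge(header_value):
    """Split a single WWW-Authenticate / Proxy-Authenticate value into
    (scheme, params). Parameter names are lower-cased; quotes are stripped."""
    scheme, _, rest = header_value.strip().partition(" ")
    params = {}
    for m in _PARAM_RE.finditer(rest):
        key = m.group(1).lower()
        params[key] = m.group(2) if m.group(2) is not None else m.group(3)
    return scheme, params


def basic_authorization(user, password):
    """Build the Authorization value for the Basic scheme: base64 of
    'user:password', both encoded as UTF-8 (RFC 7617). base64 is reversible,
    so this header must only travel over HTTPS."""
    if ":" in user:
        raise ValueError("user-id must not contain ':'")
    token = base64.b64encode(f"{user}:{password}".encode("utf-8")).decode("ascii")
    return f"Basic {token}"


def parse_authorization(header_value):
    """Return (scheme, credentials) from an Authorization value. For Basic the
    credentials are a (user, password) tuple decoded as UTF-8; for other
    schemes (e.g. Bearer) the raw token string is returned."""
    scheme, _, cred = header_value.strip().partition(" ")
    if scheme.lower() == "basic":
        raw = base64.b64decode(cred.strip(), validate=True).decode("utf-8")
        user, _, password = raw.partition(":")
        return "Basic", (user, password)
    return scheme, cred.strip()


def check_basic(header_value, expected_user, expected_password):
    """Server-side check of a Basic header. Malformed base64/UTF-8 is treated
    as a failed login rather than a crash, and both fields are compared in
    constant time (no short-circuit) to avoid timing leaks."""
    try:
        scheme, creds = parse_authorization(header_value)
    except ValueError:  # binascii.Error and UnicodeDecodeError are subclasses
        return False
    if scheme != "Basic":
        return False
    user, password = creds
    user_ok = hmac.compare_digest(user.encode("utf-8"), expected_user.encode("utf-8"))
    pw_ok = hmac.compare_digest(password.encode("utf-8"), expected_password.encode("utf-8"))
    return bool(user_ok & pw_ok)


if __name__ == "__main__":
    print(parse_challenge(SAMPLE_CHALLENGE))
    header = basic_authorization("aladdin", "opensesame")
    print(header)
    print(check_basic(header, "aladdin", "opensesame"))
```

The `charset="UTF-8"` parameter in the challenge is how a server tells the client which encoding it expects; as item 2 above notes, browsers already send UTF-8.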
Additional.
1. Correct handling of authentication-related status codes
+ If a (proxy) server receives invalid credentials, it should respond with a 401 Unauthorized or with a 407 Proxy Authentication Required, and the user may send a new request or replace the Authorization header field.
+ If a (proxy) server receives valid credentials that are inadequate to access a given resource, the server should respond with the 403 Forbidden status code. Unlike 401 Unauthorized or 407 Proxy Authentication Required, authentication is impossible for this user and browsers will not propose a new attempt.
+ In all cases, the server may prefer returning a 404 Not Found status code, to hide the existence of the page to a user without adequate privileges or not correctly authenticated
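The three rules above amount to a small decision function, shown here as an added example that is not part of the original post. It assumes the request's credentials have already been extracted from the Authorization header (`None` when the header is absent), uses a constructed in-memory user store with plaintext passwords purely for illustration, and lets the caller choose the proxy (407) variant and the "hide existence with 404" option.

```python
import hmac
from dataclasses import dataclass, field
from typing import Dict, Optional, Tuple

# Constructed user store: username -> (password, roles). A real service would
# store password hashes, not plaintext.
USERS = {
    "alice": ("correct horse", {"staff"}),
    "bob": ("battery staple", set()),
}


@dataclass
class Response:
    status: int
    headers: Dict[str, str] = field(default_factory=dict)


def authorize(credentials: Optional[Tuple[str, str]], required_role: str, *,
              proxy: bool = False, hide_existence: bool = False,
              realm: str = "staging") -> Response:
    """Pick the status code for a protected resource.

    credentials   None if no Authorization header was sent, else (user, password)
    required_role role the resource needs
    proxy         True for a proxy: challenge with 407 / Proxy-Authenticate
    hide_existence answer every denial with 404 instead of 401/407/403
    """
    if proxy:
        challenge_status, challenge_header = 407, "Proxy-Authenticate"
    else:
        challenge_status, challenge_header = 401, "WWW-Authenticate"
    challenge = {challenge_header: f'Basic realm="{realm}", charset="UTF-8"'}

    # Missing or invalid credentials: re-challenge so the client can retry with
    # a new Authorization header (browsers will show the password prompt again).
    if credentials is None:
        return Response(404) if hide_existence else Response(challenge_status, challenge)

    user, password = credentials
    stored_password, roles = USERS.get(user, ("", set()))
    # Compare even for unknown users so response time does not reveal which
    # usernames exist.
    password_ok = hmac.compare_digest(stored_password.encode("utf-8"),
                                      password.encode("utf-8"))
    if user not in USERS or not password_ok:
        return Response(404) if hide_existence else Response(challenge_status, challenge)

    # Valid credentials but insufficient privilege: 403, with no challenge,
    # because re-authenticating as this user cannot help.
    if required_role not in roles:
        return Response(404) if hide_existence else Response(403)

    return Response(200)


if __name__ == "__main__":
    print(authorize(None, "staff"))
    print(authorize(("alice", "correct horse"), "staff"))
    print(authorize(("bob", "battery staple"), "staff"))
    print(authorize(("bob", "battery staple"), "staff", hide_existence=True))
```

Note that with `hide_existence=True` an unauthenticated user also gets 404 and therefore never sees a login prompt; that is the trade-off the third rule describes, so it is usually reserved for resources whose existence itself is sensitive.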
2. (next time) the credential issue with cross-origin img requests, which all browsers already support
3. (next time) how to implement OAuth correctly
Reference.