HTTP Basic/Digest Authentication、OAuth

HTTP Authentication

[code]
auth-scheme = token
auth-param = token "=" ( token | quoted-string )
challenge = auth-scheme 1*SP 1#auth-param
[/code]
The 401 (Unauthorized) response message is used by an origin server to challenge the authorization of a user agent
This response MUST include a WWW-Authenticate header field containing at least one challenge applicable to the requested resource
The 407 (Proxy Authentication Required) response message is used by a proxy to challenge the authorization of a client and MUST include a Proxy-Authenticate header field containing at least one challenge applicable to the proxy for the requested resource
[code]
D:\projects\maui>curl -I http://ar-code.svn.engineyard.com/
HTTP/1.1 401 Authorization Required
Date: Fri, 09 Jan 2009 04:15:16 GMT
Server: Apache
WWW-Authenticate: Basic realm="Engine Yard SVN Cluster: ar-code"
Content-Type: text/html; charset=iso-8859-1
[/code]
The authentication parameter realm is defined for all authentication schemes:
[code]
realm = "realm" "=" realm-value
realm-value = quoted-string
[/code]

A user agent that wishes to authenticate itself with an origin server--usually, but not necessarily, after receiving a 401 (Unauthorized)--MAY do so by including an Authorization header field with the request
A client that wishes to authenticate itself with a proxy--usually, but not necessarily, after receiving a 407 (Proxy Authentication Required)--MAY do so by including a Proxy-Authorization header field with the request
[code]
credentials = auth-scheme #auth-param
[/code]
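Both rules above share one shape: an auth-scheme token, whitespace, then a #-list of auth-params whose values are either tokens or quoted-strings. A parser that simply splits the header value on commas breaks as soon as a quoted value itself contains a comma, which the Digest challenge further down this page does with qop="auth,auth-int". The parser below is an added example, not code from the original page or from any RFC: it tokenizes a single header value according to the grammar above, resolves quoted-pairs, treats folded continuation lines (CRLF followed by SP or HT) as linear whitespace, and raises on anything it cannot match instead of guessing. The sample values are the header examples shown on this page with the field name removed.

```python
import re
from typing import Dict, Tuple

# token = 1*<any CHAR except CTLs or separators>   (RFC 2616 section 2.2)
_TOKEN = r"[!#$%&'*+\-.^_`|~0-9A-Za-z]+"
# quoted-string = <"> *( qdtext | quoted-pair ) <">, quoted-pair = "\" CHAR
_QUOTED = r'"(?:[^"\\]|\\.)*"'
_SCHEME_RE = re.compile(r"^\s*(" + _TOKEN + r")(?:\s+(.*))?$", re.DOTALL)
_PARAM_RE = re.compile(
    r"\s*(" + _TOKEN + r")\s*=\s*(" + _QUOTED + r"|" + _TOKEN + r")\s*(?:,|$)"
)
_SKIP_RE = re.compile(r"[\s,]*")  # the #rule permits null list elements


def _unquote(value: str) -> str:
    """Text of a quoted-string with quoted-pairs resolved; bare tokens pass through."""
    if value.startswith('"'):
        return re.sub(r"\\(.)", r"\1", value[1:-1])
    return value


def parse_auth_header(value: str) -> Tuple[str, Dict[str, str]]:
    """Parse the value of WWW-Authenticate / Proxy-Authenticate (a challenge) or of
    Authorization / Proxy-Authorization (credentials) into (auth-scheme, params).

    Parameter names are case-insensitive in RFC 2617 and are lower-cased here.
    Duplicate names and values that are neither token nor quoted-string raise
    ValueError rather than being silently accepted."""
    m = _SCHEME_RE.match(value)
    if not m:
        raise ValueError("missing auth-scheme")
    scheme, rest = m.group(1), m.group(2) or ""
    params: Dict[str, str] = {}
    pos = 0
    while True:
        pos = _SKIP_RE.match(rest, pos).end()
        if pos >= len(rest):
            break
        pm = _PARAM_RE.match(rest, pos)
        if pm is None:
            raise ValueError(f"malformed auth-param at offset {pos}: {rest[pos:]!r}")
        name = pm.group(1).lower()
        if name in params:
            raise ValueError(f"duplicate auth-param {name!r}")
        params[name] = _unquote(pm.group(2))
        pos = pm.end()
    return scheme, params


# Header values taken from the examples on this page (field names stripped).
BASIC_CHALLENGE = 'Basic realm="Engine Yard SVN Cluster: ar-code"'
DIGEST_CHALLENGE = (
    "Digest\r\n"
    ' realm="testrealm@host.com",\r\n'
    ' qop="auth,auth-int",\r\n'
    ' nonce="dcd98b7102dd2f0e8b11d0f600bfb0c093",\r\n'
    ' opaque="5ccc069c403ebaf9f0171e9517f40e41"'
)
DIGEST_CREDENTIALS = (
    'Digest username="Mufasa", realm="testrealm@host.com", '
    'nonce="dcd98b7102dd2f0e8b11d0f600bfb0c093", uri="/dir/index.html", '
    'qop=auth, nc=00000001, cnonce="0a4f113b", '
    'response="6629fae49393a05397450978507c4ef1", '
    'opaque="5ccc069c403ebaf9f0171e9517f40e41"'
)

if __name__ == "__main__":
    for header in (BASIC_CHALLENGE, DIGEST_CHALLENGE, DIGEST_CREDENTIALS):
        scheme, params = parse_auth_header(header)
        print(scheme, params)
    # A naive value.split(",") would have yielded qop='"auth' here.
    assert parse_auth_header(DIGEST_CHALLENGE)[1]["qop"] == "auth,auth-int"
```

One caveat: the Basic scheme does not follow this grammar on the request side. Its credentials value is a single base64 string (see basic-credentials in the Basic section below), not a list of auth-params, so parse_auth_header('Basic QWxhZGRpbjpvcGVuIHNlc2FtZQ==') raises ValueError, and a server has to dispatch on the scheme before choosing how to read the rest.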

[b]Basic Access Authentication Scheme[/b]
The "basic" authentication scheme is based on the model that the client must authenticate itself with a user-ID and a password for each realm
The realm value should be considered an opaque string which can only be compared for equality with other realms on that server
[code]
challenge = "Basic" realm
credentials = "Basic" basic-credentials
[/code]
[code]
WWW-Authenticate: Basic realm="WallyWorld"
[/code]
To receive authorization, the client sends the userid and password, separated by a single colon (":") character, within a base64 encoded string in the credentials
[code]
basic-credentials = base64-user-pass
base64-user-pass = <base64 encoding of user-pass, except not limited to 76 char/line>
user-pass = userid ":" password
userid = *<TEXT excluding ":">
password = *TEXT
[/code]
[code]
Authorization: Basic QWxhZGRpbjpvcGVuIHNlc2FtZQ==
[/code]

[b]Digest Access Authentication Scheme[/b]
Basic Authentication Scheme is not considered to be a secure method of user authentication, as the user name and password are passed over the network in an unencrypted form
The Digest scheme challenges using a nonce value. A valid response contains a checksum (by default, the MD5 checksum) of the username, the password, the given nonce value, the HTTP method, and the requested URI
The WWW-Authenticate Response Header:
[code]
challenge = "Digest" digest-challenge

digest-challenge = 1#( realm | [ domain ] | nonce |
                       [ opaque ] | [ stale ] | [ algorithm ] |
                       [ qop-options ] | [auth-param] )

domain = "domain" "=" <"> URI ( 1*SP URI ) <">
URI = absoluteURI | abs_path
nonce = "nonce" "=" nonce-value
nonce-value = quoted-string
opaque = "opaque" "=" quoted-string
stale = "stale" "=" ( "true" | "false" )
algorithm = "algorithm" "=" ( "MD5" | "MD5-sess" | token )
qop-options = "qop" "=" <"> 1#qop-value <">
qop-value = "auth" | "auth-int" | token
[/code]
The Authorization Request Header:
[code]
credentials = "Digest" digest-response
digest-response = 1#( username | realm | nonce | digest-uri
                      | response | [ algorithm ] | [cnonce] |
                      [opaque] | [message-qop] |
                      [nonce-count] | [auth-param] )

username = "username" "=" username-value
username-value = quoted-string
digest-uri = "uri" "=" digest-uri-value
digest-uri-value = request-uri ; As specified by HTTP/1.1
message-qop = "qop" "=" qop-value
cnonce = "cnonce" "=" cnonce-value
cnonce-value = nonce-value
nonce-count = "nc" "=" nc-value
nc-value = 8LHEX
response = "response" "=" request-digest
request-digest = <"> 32LHEX <">
LHEX = "0" | "1" | "2" | "3" |
       "4" | "5" | "6" | "7" |
       "8" | "9" | "a" | "b" |
       "c" | "d" | "e" | "f"
[/code]
The Authentication-Info header is used by the server to communicate some information regarding the successful authentication in the response
[code]
AuthenticationInfo = "Authentication-Info" ":" auth-info
auth-info = 1#( nextnonce | [ message-qop ]
                | [ response-auth ] | [ cnonce ]
                | [nonce-count] )
nextnonce = "nextnonce" "=" nonce-value
response-auth = "rspauth" "=" response-digest
response-digest = <"> *LHEX <">
[/code]
Example:
[code]
HTTP/1.1 401 Unauthorized
WWW-Authenticate: Digest
    realm="testrealm@host.com",
    qop="auth,auth-int",
    nonce="dcd98b7102dd2f0e8b11d0f600bfb0c093",
    opaque="5ccc069c403ebaf9f0171e9517f40e41"

Authorization: Digest username="Mufasa",
    realm="testrealm@host.com",
    nonce="dcd98b7102dd2f0e8b11d0f600bfb0c093",
    uri="/dir/index.html",
    qop=auth,
    nc=00000001,
    cnonce="0a4f113b",
    response="6629fae49393a05397450978507c4ef1",
    opaque="5ccc069c403ebaf9f0171e9517f40e41"
[/code]
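The response value in this exchange can be recomputed from the parameters shown plus the password, and a server has to do exactly that on every request. The code below is an added example, not code from the original page, from RFC 2617 or from any library: it implements the RFC 2617 computations (HA1 for MD5 and MD5-sess, HA2 for qop=auth and qop=auth-int, the request-digest, and rspauth for the Authentication-Info header) and a minimal server-side verifier that records the highest nonce-count seen per nonce, so that a captured Authorization header replayed unchanged is refused. The password "Circle Of Life" is the one RFC 2617 uses for this Mufasa example; it does not appear on this page. The verifier takes the already parsed Authorization parameters as a dict.

```python
import hashlib
import secrets
from typing import Dict, Optional


def _md5(s: str) -> str:
    return hashlib.md5(s.encode("utf-8")).hexdigest()


def digest_ha1(username: str, realm: str, password: str, algorithm: str = "MD5",
               nonce: str = "", cnonce: str = "") -> str:
    """HA1 (RFC 2617 3.2.2.2). MD5-sess folds nonce and cnonce in once per session,
    so the server can keep a session key instead of H(username:realm:password)."""
    ha1 = _md5(f"{username}:{realm}:{password}")
    if algorithm == "MD5-sess":
        ha1 = _md5(f"{ha1}:{nonce}:{cnonce}")
    return ha1


def digest_ha2(method: str, uri: str, qop: str = "auth", body: bytes = b"") -> str:
    """HA2 (RFC 2617 3.2.2.3). qop=auth-int additionally binds the entity-body."""
    if qop == "auth-int":
        return _md5(f"{method}:{uri}:{hashlib.md5(body).hexdigest()}")
    return _md5(f"{method}:{uri}")


def digest_response(ha1: str, nonce: str, ha2: str, qop: Optional[str] = None,
                    nc: str = "", cnonce: str = "") -> str:
    """request-digest (RFC 2617 3.2.2.1); without qop the older RFC 2069 form applies."""
    if qop in ("auth", "auth-int"):
        return _md5(f"{ha1}:{nonce}:{nc}:{cnonce}:{qop}:{ha2}")
    return _md5(f"{ha1}:{nonce}:{ha2}")


def digest_rspauth(ha1: str, nonce: str, uri: str, qop: str, nc: str, cnonce: str,
                   body: bytes = b"") -> str:
    """rspauth for Authentication-Info (RFC 2617 3.2.3): like the request digest,
    but HA2 is computed with an empty method, i.e. over ":uri" (plus the response body)."""
    return digest_response(ha1, nonce, digest_ha2("", uri, qop, body), qop, nc, cnonce)


class DigestVerifier:
    """Server side: issue nonces, check a client's digest-response, refuse replays."""

    def __init__(self, realm: str, users: Dict[str, str]):
        self.realm = realm
        # Keep H(username:realm:password) rather than the password itself.
        self._ha1 = {u: digest_ha1(u, realm, p) for u, p in users.items()}
        self._nonces: Dict[str, int] = {}  # nonce -> highest nonce-count accepted

    def challenge(self, nonce: Optional[str] = None) -> Dict[str, str]:
        """Parameters for a WWW-Authenticate: Digest challenge (a fixed nonce is for tests only)."""
        nonce = nonce or secrets.token_hex(16)
        self._nonces[nonce] = 0
        return {"realm": self.realm, "qop": "auth,auth-int", "nonce": nonce, "algorithm": "MD5"}

    def verify(self, method: str, p: Dict[str, str], body: bytes = b"") -> bool:
        nonce, qop, nc = p.get("nonce", ""), p.get("qop"), p.get("nc", "")
        if nonce not in self._nonces or p.get("realm") != self.realm:
            return False  # unknown or expired nonce, or a challenge for another realm
        if qop not in (None, "auth", "auth-int"):
            return False
        ha1 = self._ha1.get(p.get("username", ""))
        if ha1 is None:
            return False
        if p.get("algorithm") == "MD5-sess":
            ha1 = _md5(f"{ha1}:{nonce}:{p.get('cnonce', '')}")
        if qop:
            # nc-value = 8LHEX and must strictly increase per nonce; a repeat is a replay
            if len(nc) != 8 or any(c not in "0123456789abcdef" for c in nc):
                return False
            if int(nc, 16) <= self._nonces[nonce]:
                return False
        ha2 = digest_ha2(method, p.get("uri", ""), qop or "auth", body)
        expected = digest_response(ha1, nonce, ha2, qop, nc, p.get("cnonce", ""))
        if not secrets.compare_digest(expected, p.get("response", "")):
            return False
        if qop:
            self._nonces[nonce] = int(nc, 16)
        return True


# The Authorization parameters from the example above. The password "Circle Of Life"
# is the one RFC 2617 uses with this example; it is not shown on this page.
EXAMPLE_PASSWORD = "Circle Of Life"
EXAMPLE_CREDENTIALS = {
    "username": "Mufasa", "realm": "testrealm@host.com",
    "nonce": "dcd98b7102dd2f0e8b11d0f600bfb0c093", "uri": "/dir/index.html",
    "qop": "auth", "nc": "00000001", "cnonce": "0a4f113b",
    "response": "6629fae49393a05397450978507c4ef1",
    "opaque": "5ccc069c403ebaf9f0171e9517f40e41",
}

if __name__ == "__main__":
    ha1 = digest_ha1("Mufasa", "testrealm@host.com", EXAMPLE_PASSWORD)
    ha2 = digest_ha2("GET", "/dir/index.html", "auth")
    # prints 6629fae49393a05397450978507c4ef1, the response value in the example above
    print(digest_response(ha1, EXAMPLE_CREDENTIALS["nonce"], ha2, "auth", "00000001", "0a4f113b"))
```

Two design points worth noting: the server stores HA1 rather than the password, which is all Digest needs, but that hash is itself a password-equivalent for this realm and must be protected accordingly; and the nonce-count check is the only thing standing between a passive eavesdropper and a successful replay, so a server that skips it gets little more than Basic over an unencrypted connection.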

The most serious flaw in Basic authentication is that it results in the essentially cleartext transmission of the user's password over the physical network

Before transmission, the username and password are encoded as a sequence of base-64 characters
For example, the user name Aladdin and password open sesame would be combined as Aladdin:open sesame – which is equivalent to QWxhZGRpbjpvcGVuIHNlc2FtZQ== when encoded in Base64
Little effort is required to translate the encoded string back into the user name and password, and many popular security tools will decode the strings "on the fly"
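The encoding described here and in the Basic scheme section above, as an added example that is not code from the original page: build the credentials value from a userid and password, enforce the grammar's rule that the userid may not contain a colon, and reverse the process the way any intercepting tool does. Splitting on the first colon only is what keeps passwords that themselves contain colons intact.

```python
import base64
import binascii
from typing import Tuple


def basic_credentials(userid: str, password: str) -> str:
    """Value of an Authorization header for the Basic scheme.

    user-pass = userid ":" password, base64-encoded as one line (no 76-column
    wrapping). The first ":" is the separator, so the userid may not contain one;
    the password may contain as many as it likes."""
    if ":" in userid:
        raise ValueError('userid must not contain ":"')
    # RFC 2617 leaves the charset undefined; ISO-8859-1 is what browsers used.
    # Characters outside Latin-1 raise here rather than being silently mangled.
    user_pass = f"{userid}:{password}".encode("latin-1")
    return "Basic " + base64.b64encode(user_pass).decode("ascii")


def decode_basic_credentials(header_value: str) -> Tuple[str, str]:
    """(userid, password) from an Authorization: Basic value.

    This is the 'little effort' the text refers to: base64 is an encoding, not
    encryption, so whoever can read the request can read the password."""
    scheme, _, blob = header_value.strip().partition(" ")
    if scheme.lower() != "basic" or not blob:  # auth-scheme is case-insensitive
        raise ValueError("not a Basic credentials value")
    try:
        user_pass = base64.b64decode(blob.strip(), validate=True).decode("latin-1")
    except binascii.Error as exc:
        raise ValueError("invalid base64 in Basic credentials") from exc
    # Split on the first colon only: "bob:a:b" is user "bob", password "a:b".
    userid, sep, password = user_pass.partition(":")
    if not sep:
        raise ValueError('user-pass is missing the ":" separator')
    return userid, password


if __name__ == "__main__":
    header = basic_credentials("Aladdin", "open sesame")
    print(header)                            # Basic QWxhZGRpbjpvcGVuIHNlc2FtZQ==
    print(decode_basic_credentials(header))  # ('Aladdin', 'open sesame')
```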

Digest Authentication does not provide a strong authentication mechanism, when compared to public key based mechanisms, for example
However, it is significantly stronger than (e.g.) CRAM-MD5, which has been proposed for use with LDAP, POP and IMAP (see RFC 2195)
It is intended to replace the much weaker and even more dangerous Basic mechanism
Digest authentication is basically an application of MD5 cryptographic hashing, with nonce values (and the client's nonce-count) used to prevent a captured response from being replayed

[color=red]Any service in present use that uses Basic should be switched to Digest as soon as practical[/color]
Digest only protects the password itself: the rest of the request and the response still travel in the clear, and an attacker in the path can replace a Digest challenge with a Basic one and hope the client answers it (RFC 2617, section 4.8), so either scheme should be run over HTTPS

[b]OAuth[/b]
OAuth is an open protocol, initiated by Blaine Cook and Chris Messina, to allow secure API authorization in a simple and standard method for desktop, mobile and web applications
WWW-Authenticate Header:
[code]
WWW-Authenticate: OAuth realm="http://sp.example.com/"
[/code]
Authorization Header:
[code]
Authorization: OAuth realm="http://sp.example.com/",
    oauth_consumer_key="0685bd9184jfhq22",
    oauth_token="ad180jjd733klru7",
    oauth_signature_method="HMAC-SHA1",
    oauth_signature="wOJIO9A2W5mFwDgiDvZbTSMK%2FPY%3D",
    oauth_timestamp="137131200",
    oauth_nonce="4572616e48616d6d65724c61686176",
    oauth_version="1.0"
[/code]
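The header above carries an oauth_signature, but the page does not show how that value is produced or checked. The code below is an added example, not code from the original page, from OAuth Core 1.0 or from any of the libraries mentioned: it implements the parameter encoding, Signature Base String and HMAC-SHA1 method of OAuth Core 1.0 sections 5.1, 9.1 and 9.2, plus the service-provider side that recomputes and compares the signature. It is checked against the test vector from the specification's Appendix A (consumer key dpf43f3p2l4k3l03 with secret kd94hf93k423kf44, access token nnch734d00sl2jdk with secret pfkkdhi9sl3r4s00), which is a different set of values from the header shown on this page; the realm used in the demonstration is an arbitrary choice.

```python
import base64
import hashlib
import hmac
import secrets
from typing import Dict, Iterable, Tuple
from urllib.parse import parse_qsl, quote, urlsplit


def oauth_escape(s: str) -> str:
    """Parameter encoding (OAuth Core 1.0 section 5.1): percent-encode everything except
    ALPHA, DIGIT, '-', '.', '_', '~'; a space becomes %20, never '+'."""
    return quote(s.encode("utf-8"), safe="-._~")


def oauth_base_string(method: str, url: str, oauth_params: Dict[str, str],
                      body_params: Iterable[Tuple[str, str]] = ()) -> str:
    """Signature Base String (section 9.1): METHOD & escape(normalized URL) & escape(params).

    Query-string, form-body and oauth_* parameters are merged, each name and value is
    escaped, the pairs are sorted, and oauth_signature itself is left out."""
    parts = urlsplit(url)
    scheme, host, port = parts.scheme.lower(), (parts.hostname or "").lower(), parts.port
    if port and not ((scheme == "http" and port == 80) or (scheme == "https" and port == 443)):
        host = f"{host}:{port}"  # default ports are dropped, any other port is kept
    normalized_url = f"{scheme}://{host}{parts.path}"
    pairs = list(parse_qsl(parts.query, keep_blank_values=True)) + list(body_params)
    pairs += [(k, v) for k, v in oauth_params.items() if k != "oauth_signature"]
    normalized_params = "&".join(
        f"{k}={v}" for k, v in sorted((oauth_escape(k), oauth_escape(v)) for k, v in pairs)
    )
    return "&".join([method.upper(), oauth_escape(normalized_url), oauth_escape(normalized_params)])


def oauth_hmac_sha1(base_string: str, consumer_secret: str, token_secret: str = "") -> str:
    """HMAC-SHA1 (section 9.2): key = escape(consumer_secret) '&' escape(token_secret);
    the token secret is empty when asking for a Request Token."""
    key = f"{oauth_escape(consumer_secret)}&{oauth_escape(token_secret)}".encode("ascii")
    mac = hmac.new(key, base_string.encode("ascii"), hashlib.sha1).digest()
    return base64.b64encode(mac).decode("ascii")


def oauth_authorization_header(realm: str, oauth_params: Dict[str, str]) -> str:
    """Authorization: OAuth header value (section 5.4.1). Every value is parameter-encoded,
    which is why the signature shows up as ...%2F...%3D in the header on this page."""
    items = [f'realm="{realm}"'] + [f'{k}="{oauth_escape(v)}"' for k, v in oauth_params.items()]
    return "OAuth " + ", ".join(items)


def oauth_verify(method: str, url: str, oauth_params: Dict[str, str],
                 consumer_secret: str, token_secret: str = "") -> bool:
    """Service-provider side: recompute the signature and compare in constant time.
    Expects already percent-decoded parameter values."""
    base = oauth_base_string(method, url, oauth_params)
    expected = oauth_hmac_sha1(base, consumer_secret, token_secret)
    return secrets.compare_digest(expected, oauth_params.get("oauth_signature", ""))


# Test vector from OAuth Core 1.0 Appendix A (not the values in the header shown above).
APPENDIX_A_URL = "http://photos.example.net/photos?file=vacation.jpg&size=original"
APPENDIX_A_PARAMS = {
    "oauth_consumer_key": "dpf43f3p2l4k3l03",
    "oauth_token": "nnch734d00sl2jdk",
    "oauth_signature_method": "HMAC-SHA1",
    "oauth_timestamp": "1191242096",
    "oauth_nonce": "kllo9940pd9333jh",
    "oauth_version": "1.0",
}
APPENDIX_A_CONSUMER_SECRET = "kd94hf93k423kf44"
APPENDIX_A_TOKEN_SECRET = "pfkkdhi9sl3r4s00"

if __name__ == "__main__":
    base = oauth_base_string("GET", APPENDIX_A_URL, APPENDIX_A_PARAMS)
    sig = oauth_hmac_sha1(base, APPENDIX_A_CONSUMER_SECRET, APPENDIX_A_TOKEN_SECRET)
    signed = dict(APPENDIX_A_PARAMS, oauth_signature=sig)
    # "http://photos.example.net/" is an arbitrary realm chosen for this demonstration.
    print(oauth_authorization_header("http://photos.example.net/", signed))
```

A provider that reads the header with a generic auth-param parser must percent-decode each value before calling oauth_verify, since the header carries encoded values; it must also check that oauth_timestamp is recent and that the (oauth_consumer_key, oauth_timestamp, oauth_nonce) combination has not been seen before, which is what stops a captured signed request from being replayed. Those two checks are left out here because they depend on provider-side storage.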
[url=http://oauth.net/core/1.0]OAuth Core 1.0[/url], the main protocol, was finalized in December 2007
It is stable and ready to be implemented
[url=http://oauth.net/code]Libraries[/url] are already available for many popular platforms such as PHP, Rails, Python, .NET, C, and Perl