HTTP Headers Tutorial : Part 2- Authentication

Authentication is the process of determining whether a client has the required permissions to access resources on a server. HTTP uses four main headers to support authentication, which we will look at in this article.

This tutorial is composed of several posts:

  • Part 1- The basics
  • Part 2- Authentication
  • Part 3- Caching
  • Part 4- Content Negotiation
  • Part 5- Cookies
  • Part 6- Redirects
  • Part 7- Conditionals
  • Part 8- Compression
  • Part 9- Range Requests
  • Part 10- Connection Management
  • Part 11- Security

HTTP Authentication Framework

HTTP provides a general framework for access control and authentication, via an extensible set of challenge-response authentication schemes, which can be used by a server to challenge a client request and by a client to provide authentication information. The authentication framework is defined in RFC 7235. The framework gives the server a way to tell clients how to access secured resources. After an unauthenticated request is made, the server uses the WWW-Authenticate header to tell the client how to authenticate. The client in turn uses the Authorization header to specify the authentication scheme and the credentials necessary to gain access. This is illustrated in the diagram below.


WWW-Authenticate & Proxy-Authenticate headers

The WWW-Authenticate and Proxy-Authenticate response headers define the authentication method that must be used to gain access to a resource. They need to specify which authentication scheme is used, so that a client wishing to authenticate knows how to provide the credentials. The syntax for these headers is the following:

WWW-Authenticate: <type> realm=<realm>
Proxy-Authenticate: <type> realm=<realm>

Example:

WWW-Authenticate: Bearer realm="Access to billing API"
Proxy-Authenticate: Basic realm="Staging Site"

Here, <type> is the authentication scheme. The realm is used to describe the protected area or to indicate the scope of protection. It could be a message like "Access to the development site" or similar, so that the user knows which space they are trying to get access to. A realm that contains spaces, like the ones above, must be written as a quoted string; otherwise the header does not parse as intended.
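To make the header grammar concrete, the following is an added Python example (not code from the original post) that parses a WWW-Authenticate or Proxy-Authenticate value into its challenges, each a scheme plus its auth-params, following the token / quoted-string rules of RFC 7235. The function name parse_challenges and its ValueError behaviour are this example's own choices. It also shows what goes wrong when a multi-word realm is left unquoted: a grammar-faithful parser reads "Access" as the realm and treats the remaining words as further (bogus) schemes, which is why the realms in the examples above are quoted.

```python
import re

# Grammar pieces from RFC 7230/7235: a token and a quoted-string.
_TOKEN = r"[!#$%&'*+\-.^_`|~0-9A-Za-z]+"
_QUOTED = r'"((?:[^"\\]|\\.)*)"'

# A scheme is a bare token followed by a delimiter (or the end) and NOT by "=",
# which is what distinguishes "Bearer" from an auth-param name such as "realm".
_SCHEME_RE = re.compile(r"[\s,]*(" + _TOKEN + r")(?=[\s,]|$)(?!\s*=)")

# auth-param = token "=" ( token / quoted-string )
_PARAM_RE = re.compile(
    r"[\s,]*(" + _TOKEN + r")\s*=\s*(?:" + _QUOTED + r"|(" + _TOKEN + r"))"
)


def parse_challenges(header_value):
    """Parse a WWW-Authenticate / Proxy-Authenticate value (example code).

    Returns a list of (scheme, params) tuples, one per challenge, e.g.
    'Basic realm="a", Bearer realm="b"' -> [("Basic", {"realm": "a"}),
    ("Bearer", {"realm": "b"})]. Param names are lower-cased and quoted
    values have their backslash escapes removed. The token68 form (a bare
    base64-like blob after the scheme) is not handled here and raises
    ValueError, as does any other text the grammar cannot account for.
    """
    challenges = []
    pos = 0
    text = header_value
    while pos < len(text):
        m = _SCHEME_RE.match(text, pos)
        if m:
            challenges.append((m.group(1), {}))
            pos = m.end()
            continue
        m = _PARAM_RE.match(text, pos)
        if m and challenges:
            name = m.group(1).lower()
            if m.group(2) is not None:            # quoted-string value
                value = re.sub(r"\\(.)", r"\1", m.group(2))
            else:                                 # bare token value
                value = m.group(3)
            params = challenges[-1][1]
            if name in params:
                raise ValueError(f"duplicate auth-param {name!r}")
            params[name] = value
            pos = m.end()
            continue
        if text[pos:].strip(" \t,") == "":        # only trailing separators left
            break
        raise ValueError(f"cannot parse challenge near {text[pos:]!r}")
    return challenges


if __name__ == "__main__":
    # The page's examples, with the realms quoted as the grammar requires.
    print(parse_challenges('Bearer realm="Access to billing API"'))
    print(parse_challenges('Basic realm="Staging Site"'))
    # The same realm left unquoted: only "Access" survives as the realm.
    print(parse_challenges("Bearer realm=Access to billing API"))
```

The parser is deliberately strict about anything it does not recognise rather than guessing, because a client that silently accepts a mangled challenge may send credentials to the wrong scheme or realm.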

Authorization & Proxy-Authorization headers

The Authorization and Proxy-Authorization request headers carry the credentials that authenticate a user agent to a server or proxy. Here, the type is needed again, followed by the credentials, which can be encoded or encrypted depending on which authentication scheme is used.

Authorization: <type> <credentials>
Proxy-Authorization: <type> <credentials>

Example:

Authorization: Bearer daasdfas82523adlsf
Proxy-Authorization: Basic ZWx1c3VhcmlvOnlsYWNsYXZl

Authentication Schemes

Authentication schemes describe the parameters for authentication and how the client intends to send credentials back to the server. For example, Basic authentication sends a user's credentials to the server as a base64-encoded string. The request should always be sent over SSL/TLS, since base64 is an encoding rather than encryption and the credentials can be recovered simply by decoding the string.

Bearer authentication has become increasingly popular with the rise of RESTful APIs. Bearer tokens are used to access resources protected by OAuth 2.0.
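The following added Python example (not code from the original post) ties the Authorization section, the Basic paragraph and the Bearer paragraph together: the client side builds Basic and Bearer values for the Authorization header, and a minimal server-side check validates them and decides when to answer with a 401 challenge. The credential store, the principal name "billing-reader", the dummy-compare trick and the function names are this example's own assumptions; the user:password pair is simply what the page's Proxy-Authorization example decodes to, and the bearer token is the page's Authorization example, reused as sample data.

```python
import base64
import hmac
import secrets
from typing import Optional, Tuple

# Realm text reused from the page's WWW-Authenticate example.
REALM = "Access to billing API"

# Constructed credential store for this example only. A real service stores
# password hashes, not plaintext, and looks tokens up in a token store.
USERS = {"elusuario": "ylaclave"}                  # what "ZWx1c3VhcmlvOnlsYWNsYXZl" decodes to
TOKENS = {"daasdfas82523adlsf": "billing-reader"}  # page's token -> made-up principal

# Dummy secret compared against when the user is unknown, so an unknown user
# and a wrong password take roughly the same time to reject.
_DUMMY = secrets.token_hex(16)


def basic_credentials(user: str, password: str) -> str:
    """Client side: build the value of 'Authorization: Basic <credentials>'."""
    raw = f"{user}:{password}".encode("utf-8")
    return "Basic " + base64.b64encode(raw).decode("ascii")


def bearer_credentials(token: str) -> str:
    """Client side: build the value of 'Authorization: Bearer <credentials>'."""
    return "Bearer " + token


def decode_basic(credentials: str) -> Tuple[str, str]:
    """Recover user and password from Basic credentials.

    This is all an eavesdropper on a plaintext connection has to do: base64
    is an encoding, not encryption, which is why Basic must travel over TLS.
    """
    text = base64.b64decode(credentials, validate=True).decode("utf-8")
    user, sep, password = text.partition(":")
    if not sep:
        raise ValueError("Basic credentials must be user:password")
    return user, password


def challenge_header() -> str:
    """WWW-Authenticate value to send with a 401 when authenticate() rejects.

    The realm is quoted because it contains spaces; two challenges are listed,
    comma-separated, because this server accepts either scheme.
    """
    return f'Basic realm="{REALM}", Bearer realm="{REALM}"'


def authenticate(request_headers: dict) -> Tuple[int, Optional[str]]:
    """Server side: check the Authorization header.

    Returns (200, principal) on success or (401, None) when the client must
    (re)authenticate. Header names are matched exactly here for brevity; a
    real server matches them case-insensitively. A proxy applies the same
    logic to Proxy-Authorization, answering 407 with Proxy-Authenticate.
    """
    value = request_headers.get("Authorization")
    if value is None:
        return 401, None
    scheme, _, credentials = value.strip().partition(" ")
    credentials = credentials.strip()
    scheme = scheme.lower()  # scheme names are case-insensitive

    if scheme == "basic":
        try:
            user, password = decode_basic(credentials)
        except (ValueError, UnicodeDecodeError):
            return 401, None
        expected = USERS.get(user)
        # compare_digest runs in constant time, so the check does not leak
        # how many leading characters of the password matched.
        matched = hmac.compare_digest(
            (expected if expected is not None else _DUMMY).encode("utf-8"),
            password.encode("utf-8"),
        )
        if expected is not None and matched:
            return 200, user
        return 401, None

    if scheme == "bearer":
        for token, principal in TOKENS.items():
            if hmac.compare_digest(token.encode("ascii"), credentials.encode("utf-8")):
                return 200, principal
        return 401, None

    # Unknown scheme: challenge again rather than guess.
    return 401, None


if __name__ == "__main__":
    # Round trip: client builds the header, server validates it.
    hdr = basic_credentials("elusuario", "ylaclave")
    print(hdr)                                   # Basic ZWx1c3VhcmlvOnlsYWNsYXZl
    print(authenticate({"Authorization": hdr}))  # (200, 'elusuario')
    print(authenticate({}), challenge_header())  # (401, None) plus the challenge
```

Note that basic_credentials("elusuario", "ylaclave") reproduces the page's Proxy-Authorization example exactly, and decode_basic turns it straight back into the plaintext pair; nothing about the Basic scheme itself protects the password on the wire.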

Some other schemes include the following: