BLOG

HTTP Authentication Schemes - “Basic” HTTP Authentication

What is authentication?

 

Authentication is the process of determining whether a client should be given access to a resource. The HTTP protocol supports multiple authentication schemes.

 

Important HTTP headers

 

Before we take a look at the “Basic” HTTP Authentication scheme, let's take a look at two important HTTP headers.

 

WWW-Authenticate

 

WWW-Authenticate is an HTTP response header that a server uses to issue challenges that the client has to answer in order to be authenticated.

 

Authorization

 

Authorization is an HTTP request header that a client uses to supply its answer to an authentication challenge.

 

The protocol

 

 

The client

 

In the "Basic" HTTP Authentication scheme, the client sends the credentials with every HTTP request. The credentials are carried in the Authorization HTTP header.

 

The value of the Authorization HTTP header should be constructed as follows:

 

  1. Concatenate the username, a colon character (i.e. ":") and the password.
  2. Encode the result of step 1 with base64.
  3. Append the result of step 2 to "Basic ".

 

Example when the username is "user" and the password is "pass":

 

  1. user:pass
  2. dXNlcjpwYXNz
  3. Basic dXNlcjpwYXNz

 

The server

 

In the "Basic" HTTP Authentication scheme, the server should check the Authorization HTTP header of every HTTP request and act as follows:

 

- If the Authorization HTTP header is missing or its value is not properly constructed, the server should respond with a response containing:

 

  1. The 401 Unauthorized HTTP status code.
  2. The WWW-Authenticate HTTP header with the value "Basic realm='<realm>'" where "Basic" specifies the authentication scheme and <realm> is a placeholder for a string describing the protection space for which the credentials should be provided.

 

- If the credentials are invalid, the server should respond with the 403 Forbidden HTTP status code.

- If the credentials are valid, the server should serve the request.

 

Security

 

The client sends base64-encoded credentials. Base64 is an encoding, not encryption, and can be reversed by anyone who sees the header, so the credentials are not protected. As a result, "Basic" HTTP Authentication does not provide any security on its own and should only be used over HTTPS.

 

Limitations

 

  1. The password is sent over the network with every request.
  2. In the Authorization HTTP header, the username and password are separated by a colon character (i.e. <username>:<password>). Everything after the first colon character is treated as part of the password. As a result, the username cannot contain the colon character.
  3. When a browser receives a response in the form described in the first case under "The server", the browser displays a dialog that accepts credentials. If the server validates the credentials successfully, they will be cached by the browser and used for future requests. There is no inherent way to log out the user.

 

"Basic" HTTP Authentication implementation

 

This repository contains a simple Node.js implementation of the "Basic" HTTP Authentication scheme. If you are interested in trying it out, follow these steps:

 

  1. Clone the repository
  2. Start the application using the instructions
  3. Open a browser and visit the application URL (e.g. https://localhost:8000)
  4. Use the specified credentials to successfully authenticate
  5. Try using Postman instead of a browser
    - Try using the “Basic Auth” feature
    - Try to manually set the Authorization HTTP request header
  6. Observe the different responses when the Authorization header is not present, incorrectly constructed or the credentials are invalid

 

Conclusion

 

“Basic” HTTP Authentication is the simplest HTTP authentication scheme. It does not offer any security and has limitations, as discussed in the Security and Limitations sections.
The protocol is simple and the scheme is easy to implement.


Next time we will take a look at a more complex and secure authentication scheme.

 

Resources

 

  1. https://developer.mozilla.org/en-US/docs/Web/HTTP/Authentication

  2. https://datatracker.ietf.org/doc/html/rfc7617

  3. https://en.wikipedia.org/wiki/Basic_access_authentication

  4. https://www.base64encode.org and https://www.base64decode.org