What is authentication?
Authentication is the process of verifying the identity that a client claims, usually by checking a credential the client presents. Whether an authenticated client may access a particular resource is a separate decision, authorization, even though HTTP confusingly names the request header that carries the credentials "Authorization". The HTTP protocol supports multiple authentication schemes; "Basic" (RFC 7617) is the one covered here.
Important HTTP headers
Before we look at the “Basic” HTTP Authentication scheme, let's go over the two HTTP headers it is built on.
WWW-Authenticate
WWW-Authenticate is an HTTP response header that a server uses to issue one or more challenges that the client has to answer in order to be authenticated. Each challenge names the scheme and, for "Basic", a realm that tells the user which credentials are being asked for, for example WWW-Authenticate: Basic realm="example".
Authorization
Authorization is an HTTP request header that a client uses to present its answer to an authentication challenge, i.e. its credentials.
The protocol
The client
In the "Basic" HTTP Authentication scheme the client sends the credentials with every HTTP request, in the Authorization HTTP header. There is no session: each request is authenticated from scratch.
The value of the Authorization HTTP header should be constructed as follows: the scheme name Basic, a space, and the base64 encoding of the string user-id:password. Because the first colon is the separator, the user-id must not contain a colon, while the password may.
Example when the username is "user" and the password is "pass": base64("user:pass") is dXNlcjpwYXNz, so the client sends Authorization: Basic dXNlcjpwYXNz.
The server
In the "Basic" HTTP Authentication scheme the server should check the Authorization HTTP header of every HTTP request and act as follows:
- If the Authorization HTTP header is missing or its value is not properly constructed, the server should respond with the 401 Unauthorized HTTP status code and a WWW-Authenticate header carrying a "Basic" challenge, for example WWW-Authenticate: Basic realm="example", so that the client knows how to authenticate.
- If the credentials are invalid, the server should again respond with 401 Unauthorized and the same WWW-Authenticate challenge; this is what makes a browser prompt for credentials again. 403 Forbidden is reserved for credentials that are valid but not permitted to access the resource. The password check should take the same time whether or not it matches, and should not reveal whether the user-id exists.
- If the credentials are valid, the server should serve the request.
Security
The client sends base64 encoded credentials. base64 is an encoding, not encryption: anyone who can read the header, on the network, in a proxy or in a log file, recovers the password by decoding it, and dXNlcjpwYXNz turns back into user:pass with a single function call. Because the same credentials are sent with every request, capturing one request is enough to impersonate the user until the password is changed. As a result, "Basic" HTTP Authentication provides no confidentiality or integrity of its own and must only be used over HTTPS, which protects the header in transit. HTTPS does not protect against the header being written to server or proxy logs, so access logs should redact the Authorization header.
Limitations
"Basic" HTTP Authentication implementation
This repository contains a simple Node.js implementation of the "Basic" HTTP Authentication scheme. If you are interested in trying it out, follow these steps:
Conclusion
“Basic” HTTP Authentication is the simplest HTTP authentication scheme. It offers no protection of its own for the credentials and has limitations, as discussed in the Security and Limitations sections.
The protocol is simple and the scheme is easy to implement.
Next time we will take a look at a more complex and secure authentication scheme.
Resources