Overview
Basic Authentication Scheme is defined in RFC 2617 and updated by RFC 7235 for the HTTP Authentication Framework, which an HTTP server can use to challenge a client request and a client can use to provide authentication information.
The challenge-response flow works like this:
- The server responds to a client with an HTTP 401 (Unauthorized) response status and indicates how to authorize with a WWW-Authenticate HTTP response header field containing at least one challenge.
- A client that wants to authenticate itself with a server can then do so by including an Authorization HTTP request header field with the credentials.
The realm value should be considered an opaque string which can only be compared for equality with other realms on that server. The server will service the request only if it can validate the userId and password for the protection space of the Request-URI.
There are no optional authentication parameters.
For Basic, the framework above is utilized as follows:
    challenge   = "Basic" realm
    credentials = "Basic" basic-credentials
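
The flow and grammar above, as an added example that is not part of the original page: a minimal server-side check that issues the challenge and validates the credentials, plus the client-side header construction. It relies on RFC 2617's definition of basic-credentials as the base64 encoding of `userid ":" password`; the realm, the user store and the function names are constructed for illustration.

```python
import base64
import hmac

REALM = "example-realm"                      # constructed realm value
USERS = {"alice": "correct horse battery"}   # constructed store; real servers keep password hashes

def build_challenge(realm):
    """challenge = "Basic" realm, sent in the WWW-Authenticate header."""
    escaped = realm.replace("\\", "\\\\").replace('"', '\\"')
    return f'Basic realm="{escaped}"'

def parse_basic_credentials(header_value):
    """credentials = "Basic" basic-credentials; returns (user_id, password) or None."""
    scheme, _, token = (header_value or "").strip().partition(" ")
    if scheme.lower() != "basic" or not token.strip():   # scheme name is case-insensitive
        return None
    try:
        decoded = base64.b64decode(token.strip(), validate=True).decode("utf-8")
    except ValueError:                                   # bad base64 or bad UTF-8
        return None
    user_id, sep, password = decoded.partition(":")      # password may itself contain ':'
    return (user_id, password) if sep else None

def handle_request(headers):
    """Return (status, response_headers) for a request into the protection space."""
    creds = parse_basic_credentials(headers.get("Authorization"))
    if creds is not None:
        user_id, password = creds
        expected = USERS.get(user_id)
        # Constant-time comparison, also executed when the user id is unknown.
        same = hmac.compare_digest(password.encode(), (expected or "").encode())
        if expected is not None and same:
            return 200, {}
    # Missing, malformed or wrong credentials all get the same challenge.
    return 401, {"WWW-Authenticate": build_challenge(REALM)}

def client_authorization(user_id, password):
    """Client side: value of the Authorization request header."""
    token = base64.b64encode(f"{user_id}:{password}".encode("utf-8")).decode("ascii")
    return f"Basic {token}"
```

Base64 is an encoding, not encryption, so the Authorization value is recoverable by anyone who can read the request; the exchange is only as confidential as the transport carrying it.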