Overview#

In the context of an HTTP transaction, HTTP Basic Authentication is an Authentication Method for an HTTP user-agent to provide a user name and password when making a HTTP Request.

Basic Authentication Scheme implementation is the simplest technique for enforcing Access Controls to web resources because it doesn't require cookies, session identifier and login pages. Rather, Basic Authentication Scheme uses static, standard HTTP Header Fields which means that no handshakes have to be done in anticipation.

When the user-agent wants to send the server authentication credentials it may use the Authorization Header [1]

Server-side#

Unauthenticated requests should return a response whose header contains a HTTP 401 Not Authorized status and a WWW-Authenticate field.

The WWW-Authenticate HTTP Header Field for basic authentication (used most often) is constructed as following:

WWW-Authenticate: Basic realm="nmrs_m7VKmomQ2YM3:"

Client-side#

Username and password are combined into a string "username:password". Note that username cannot contain the ":" character.

The resulting string is then encoded using the RFC 2045-MIME variant of Base64, except not limited to 76 char/line.

The authorization method and a space i.e. "Basic " is then put before the encoded string.

For example, if the user agent uses 'Aladdin' as the username and 'open sesame' as the password then the field is formed as follows:

Authorization: Basic QWxhZGRpbjpvcGVuIHNlc2FtZQ==

More Information#

• Authorization Server
• Basic Authentication Scheme
• Channel Binding
• JWT Authentication
• Resource Owner Password Credentials Grant
• Token Introspection Endpoint
• UserInfo Request

• [#1] - Basic Access Authentication - based on data observed:2015-05-18