Overview
The Basic Authentication Scheme is defined in RFC 2617 and updated by RFC 7235 for the HTTP Authentication Framework, which an HTTP server can use to challenge a client request and a client can use to provide authentication information.
The challenge-response flow works like this:
Usually a client will present a password prompt to the End-User and will then issue the request including the correct Authorization header.
The realm value should be considered an opaque string which can only be compared for equality with other realms on that server. The server will service the request only if it can validate the userId and password for the protection space of the Request-URI.
There are no optional authentication parameters.
For Basic, the framework above is utilized as follows:
challenge = "Basic" realm
credentials = "Basic" basic-credentials
The same Basic Authentication Scheme mechanism can be used for proxy authentication. In this case, it is an intermediate proxy that requires authentication. As both resource authentication and proxy authentication can coexist, a different set of HTTP Header Fields and HTTP Status Codes is needed. In the case of proxies, the challenging status code is HTTP 407 (Proxy Authentication Required), the Proxy-Authenticate response header contains at least one challenge applicable to the proxy, and the Proxy-Authorization HTTP request header is used for providing the credentials to the Proxy Server.
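The Basic challenge and credentials described above, for both the origin-server and the proxy case, shown as an added example that is not part of the original page or of the RFCs. It assumes the RFC 2617 encoding of basic-credentials (base64 of userId ":" password) and the 401 / WWW-Authenticate pair for the origin-server case; the user store, realm name and function names are constructed for illustration, and header lookup is a plain case-sensitive dict for brevity.

```python
import base64
import binascii
import hmac

# Constructed sample credential store (assumption): realm -> {userId: password}.
USERS = {"staging": {"alice": "s3cret:with-colon"}}

def make_credentials(user_id, password):
    """Client side: build the credentials value sent in the request header."""
    raw = f"{user_id}:{password}".encode("utf-8")
    return "Basic " + base64.b64encode(raw).decode("ascii")

def parse_basic(value):
    """Return (user_id, password) from a 'Basic <base64>' value, or None if malformed."""
    scheme, _, token = (value or "").partition(" ")
    if scheme.lower() != "basic" or not token.strip():
        return None
    try:
        decoded = base64.b64decode(token.strip(), validate=True).decode("utf-8")
    except (binascii.Error, UnicodeDecodeError):
        return None
    # Split at the first ':' only: the userId cannot contain one, the password can.
    user_id, sep, password = decoded.partition(":")
    return (user_id, password) if sep else None

def authenticate(headers, realm, proxy=False):
    """Return (status, response_headers) for an origin server or a proxy."""
    request_field = "Proxy-Authorization" if proxy else "Authorization"
    challenge_field = "Proxy-Authenticate" if proxy else "WWW-Authenticate"
    challenge_status = 407 if proxy else 401
    creds = parse_basic(headers.get(request_field))
    if creds is not None:
        user_id, password = creds
        expected = USERS.get(realm, {}).get(user_id)
        # Constant-time comparison, performed even when the userId is unknown.
        same = hmac.compare_digest(password.encode(), (expected or "").encode())
        if same and expected is not None:
            return 200, {}
    # Missing, malformed or wrong credentials all get the same challenge.
    return challenge_status, {challenge_field: f'Basic realm="{realm}"'}
```

Because the credentials are only base64-encoded, not encrypted, the header is readable by anyone who can observe the request, so this exchange belongs on TLS-protected connections only.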