https://wiki.owasp.org/api.php?action=feedcontributions&feedformat=atom&user=KajanOWASP - User contributions [en]2026-05-27T03:57:53ZUser contributionsMediaWiki 1.27.2https://wiki.owasp.org/index.php?title=The_General_HTTP_Authentication_Framework&diff=252127The General HTTP Authentication Framework2019-06-05T17:11:10Z<p>Kajan: include the page in `Web Application Authentication Schemes` category</p>
<hr />
<div>==Introduction==<br />
HTTP provides a general framework for access control and authentication, through an extensible set of challenge-response authentication schemes, that can be used by a server to challenge a client request and by a client to provide information about the client.<br />
==Authentication flow==<br />
[[File:00-general-http-authentication-flow.png|frameless|General HTTP authentication flow]]<br />
<br />
1. A client requests the server to access an authorized resource.<br />
:Client is anything that requests a resource. Example: Browser, web service<br />
:Server is an application that serves the client's request.<br />
:Resource can be any data/information. Example: HTML document, media files<br />
2. The server requests the client to authenticate first.<br />
:The server responds to the client with a 401 (Unauthorized) response status and provides information on how to authenticate with a WWW-Authenticate response header containing at least one challenge.<br />
3. The client prepares for the authentication.<br />
:The client checks the response status code and understands he needs to authenticate first.<br />
:Usually, the client presents a password prompt to the user to get the credentials.<br />
:Some modern applications hide/prevents the default password prompt using client-side JavaScript and show a login form to provide a rich user experience.<br />
:The client masks/transforms the credentials based on the HTTP authentication scheme it chose/programmed to.<br />
4. The client sends the (processed)credentials to the server.<br />
:The client then issues the request to the server with an Authorization request-header field with the HTTP authentication scheme being used and the masked credentials.<br />
5. The server validates the received credentials.<br />
:The validation process/algorithm depends on the HTTP authentication scheme being used.<br />
6. The server informs the client about the authorization status.<br />
:If the validation succeeds then the server checks if the authenticated entity has the privilege to access the resource<br />
==Authentication schemes that are based on the general HTTP authentication framework==<br />
#Basic [[http://www.iana.org/go/rfc7617 RFC7617]]<br />
#Bearer[[http://www.iana.org/go/rfc6750 RFC6750]]<br />
#Digest[[http://www.iana.org/go/rfc7616 RFC7616]]<br />
#HOBA [[http://www.iana.org/go/rfc7486 RFC7486, Section 3]]<br />
#Mutual [[http://www.iana.org/go/rfc8120 RFC8120]]<br />
#Negotiate [[http://www.iana.org/go/rfc4559 RFC4559, Section 3]]<br />
#OAuth [[http://www.iana.org/go/rfc7617 RFC5849, Section 3.5.1]]<br />
#SCRAM-SHA-1 [[http://www.iana.org/go/rfc7804 RFC7804]]<br />
#SCRAM-SHA-256 [[http://www.iana.org/go/rfc7804 RFC7804]]<br />
#Vapid [[http://www.iana.org/go/rfc8292 RFC8292]]<br />
==References==<br />
[https://tools.ietf.org/html/rfc7235 RFC7235]<br />
<br />
[https://developer.mozilla.org/en-US/docs/Web/HTTP/Authentication MDN: The general HTTP authentication framework]<br />
<br />
[https://www.iana.org/assignments/http-authschemes/http-authschemes.xhtml IANA Authentication Scheme Registry]<br />
<br />
[[Category:Web Application Authentication Schemes]]</div>Kajanhttps://wiki.owasp.org/index.php?title=The_General_HTTP_Authentication_Framework&diff=252126The General HTTP Authentication Framework2019-06-05T17:08:53Z<p>Kajan: Create `General HTTP Authentication Framework` page</p>
<hr />
<div>==Introduction==<br />
HTTP provides a general framework for access control and authentication, through an extensible set of challenge-response authentication schemes, that can be used by a server to challenge a client request and by a client to provide information about the client.<br />
==Authentication flow==<br />
[[File:00-general-http-authentication-flow.png|frameless|General HTTP authentication flow]]<br />
<br />
1. A client requests the server to access an authorized resource.<br />
:Client is anything that requests a resource. Example: Browser, web service<br />
:Server is an application that serves the client's request.<br />
:Resource can be any data/information. Example: HTML document, media files<br />
2. The server requests the client to authenticate first.<br />
:The server responds to the client with a 401 (Unauthorized) response status and provides information on how to authenticate with a WWW-Authenticate response header containing at least one challenge.<br />
3. The client prepares for the authentication.<br />
:The client checks the response status code and understands he needs to authenticate first.<br />
:Usually, the client presents a password prompt to the user to get the credentials.<br />
:Some modern applications hide/prevents the default password prompt using client-side JavaScript and show a login form to provide a rich user experience.<br />
:The client masks/transforms the credentials based on the HTTP authentication scheme it chose/programmed to.<br />
4. The client sends the (processed)credentials to the server.<br />
:The client then issues the request to the server with an Authorization request-header field with the HTTP authentication scheme being used and the masked credentials.<br />
5. The server validates the received credentials.<br />
:The validation process/algorithm depends on the HTTP authentication scheme being used.<br />
6. The server informs the client about the authorization status.<br />
:If the validation succeeds then the server checks if the authenticated entity has the privilege to access the resource<br />
==Authentication schemes that are based on the general HTTP authentication framework==<br />
#Basic [[http://www.iana.org/go/rfc7617 RFC7617]]<br />
#Bearer[[http://www.iana.org/go/rfc6750 RFC6750]]<br />
#Digest[[http://www.iana.org/go/rfc7616 RFC7616]]<br />
#HOBA [[http://www.iana.org/go/rfc7486 RFC7486, Section 3]]<br />
#Mutual [[http://www.iana.org/go/rfc8120 RFC8120]]<br />
#Negotiate [[http://www.iana.org/go/rfc4559 RFC4559, Section 3]]<br />
#OAuth [[http://www.iana.org/go/rfc7617 RFC5849, Section 3.5.1]]<br />
#SCRAM-SHA-1 [[http://www.iana.org/go/rfc7804 RFC7804]]<br />
#SCRAM-SHA-256 [[http://www.iana.org/go/rfc7804 RFC7804]]<br />
#Vapid [[http://www.iana.org/go/rfc8292 RFC8292]]<br />
==References==<br />
[https://tools.ietf.org/html/rfc7235 RFC7235]<br />
<br />
[https://developer.mozilla.org/en-US/docs/Web/HTTP/Authentication MDN: The general HTTP authentication framework]<br />
<br />
[https://www.iana.org/assignments/http-authschemes/http-authschemes.xhtml IANA Authentication Scheme Registry]</div>Kajanhttps://wiki.owasp.org/index.php?title=File:00-general-http-authentication-flow.png&diff=252125File:00-general-http-authentication-flow.png2019-06-05T16:15:56Z<p>Kajan: </p>
<hr />
<div>Illustrates the main steps in a general HTTP authentication process.</div>Kajanhttps://wiki.owasp.org/index.php?title=File:HTTP_Authentication_Framework.jpg&diff=243400File:HTTP Authentication Framework.jpg2018-09-14T11:11:15Z<p>Kajan: </p>
<hr />
<div>The general flow of HTTP authentication schemes</div>Kajanhttps://wiki.owasp.org/index.php?title=Category:Web_Application_Authentication_Schemes&diff=243391Category:Web Application Authentication Schemes2018-09-14T03:10:19Z<p>Kajan: </p>
<hr />
<div>This category is used to mark articles that describe authentication schemes and frameworks.<br />
<br />
In authentication, one entity proves it is the one which it claims to be by demonstrating the knowledge of an agreed secret. It is different from ''identification'' in which an entity is identified but not verified. The entity in this context can be a person, a system or a service call.<br />
<br />
The secret can be one or more of the following. <br />
* some secret that you know(e.g. password)<br />
* something that only you have(e.g. a smart card)<br />
* something you are(e.g. fingerprint) <br />
* somewhere you are(particular IP address)<br />
<br />
Each of them has its strengths and weaknesses. So there is a question of what to choose. We have more questions.<br />
* How to verify if an entity is already authenticated or not?<br />
* How to inform an entity that it needs to authenticate first?<br />
* How are credentials transferred from one to other?<br />
* How are credentials verified?<br />
* How to inform an entity that it is successfully authenticated?<br />
* How can we avoid replay attacks?<br />
* How to ensure that we don't expose the plain credentials?<br />
* How do we achieve mutual authentication?<br />
* Are we going to ask the user to have different credentials to each system in the enterprise?<br />
* What if we need to scale up?<br />
<br />
An authentication scheme addresses such questions and provides an open standard to authenticate an entity.<br />
<br />
Time to time, authentication schemes were exploited, and new schemes evolved to address the security concerns. Some new schemes appeared to address the business requirements like scalability and single sign-on. Now, there are a lot of them. <br />
<br />
This category page contains pages related to various web application authentication schemes deployed so far.<br />
<br />
<br />
[[Category:Technology]]</div>Kajanhttps://wiki.owasp.org/index.php?title=Category:Web_Application_Authentication_Schemes&diff=243390Category:Web Application Authentication Schemes2018-09-14T03:08:41Z<p>Kajan: updated the description about the web application authentication schemes category page</p>
<hr />
<div>This category is used to mark articles that describe authentication schemes and frameworks.<br />
<br />
In authentication, one entity proves it is the one which it claims to be by demonstrating the knowledge of an agreed secret. It is different from ''identification'' in which an entity is identified but not verified. The entity in this context can be a person, a system or a service call.<br />
<br />
The secret can be one or more of the following. <br />
* some secret that you know(e.g. password)<br />
* something that only you have(e.g. a smart card)<br />
* something you are(e.g. fingerprint) <br />
* somewhere you are(particular IP address)<br />
<br />
Each of them has its strengths and weaknesses. So there is a question of what to choose. We have more questions.<br />
* How to verify if an entity is already authenticated or not?<br />
* How to inform an entity that it needs to authenticate first?<br />
* How are credentials transferred from one to other?<br />
* How are credentials verified?<br />
* How to inform an entity that it is successfully authenticated?<br />
* How can we avoid replay attacks?<br />
* How to ensure that we don't expose the plain credentials?<br />
* How do we achieve mutual authentication?<br />
* Are we going to ask the user to have different credentials to each system in the enterprise?<br />
* What if we need to scale up?<br />
<br />
An authentication scheme addresses such questions and acts as an open standard to authenticate an entity.<br />
<br />
Time to time, authentication schemes were exploited, and new schemes evolved to address the security concerns. Some new schemes appeared to address the business requirements like scalability and single sign-on. Now, there are a lot of them. <br />
<br />
This category page contains pages related to various web application authentication schemes deployed so far.<br />
<br />
<br />
[[Category:Technology]]</div>Kajanhttps://wiki.owasp.org/index.php?title=Category:Technology&diff=243389Category:Technology2018-09-14T03:01:14Z<p>Kajan: removed reference to authentication schemes category page from `Examples of Technologies` section</p>
<hr />
<div>{{Social Media Links}}<br />
<br />
This is a parent category that is used to hold categories for various technologies and platforms commonly used by web applications. These subcategories are used to mark articles with any applicable technologies. These tags will help when searching for applicable articles in the OWASP wiki.<br />
<br />
==Examples of Technologies==<br />
Technologies<br />
*[[:Category:File Systems|File Systems]]<br />
*[[:Category:IO|IO]]<br />
*[[:Category:Database|Database]]<br />
<br />
Platforms/Languages<br />
*[[:Category:Java|Java]]<br />
*[[:Category:.NET|.NET]]<br />
*[[:Category:PHP|PHP]]<br />
*[[:Category:C|C,C++]]<br />
<br />
For example, an article on SQL injection in J2EE would be tagged with [[:Category:Database]] and [[:Category:Java]] as well as any other applicable categories like vulnerabilities and countermeasures.<br />
<br />
[[Category:Article Type]]</div>Kajanhttps://wiki.owasp.org/index.php?title=Category:Web_Application_Authentication_Schemes&diff=243388Category:Web Application Authentication Schemes2018-09-14T02:58:33Z<p>Kajan: /* Overview */</p>
<hr />
<div>This category is used to mark articles that describe authentication schemes and frameworks.<br />
<br />
In authentication, one entity proves it is the one which it claims to be by demonstrating the knowledge of an agreed secret. It is different from ''identification'' in which an entity is identified but not verified. The entity in this context can be a person, a system or a service call.<br />
<br />
The secret can be one or more of the following. <br />
* some secret that you know(e.g. password)<br />
* something that only you have(e.g. a smart card)<br />
* something you are(e.g. fingerprint) <br />
* somewhere you are(particular IP address)<br />
<br />
Each of them has its strengths and weaknesses. So there is a question of what to choose. We have more questions.<br />
* How to verify if an entity is already authenticated or not?<br />
* How to inform an entity that it needs to authenticate first?<br />
* How are credentials transferred from one to other?<br />
* How are credentials verified?<br />
* How to inform an entity that it is successfully authenticated?<br />
* How can we avoid replay attacks?<br />
* How to ensure that we don't expose the plain credentials?<br />
* How do we achieve mutual authentication?<br />
* Are we going to ask the user to have different credentials to each system in the enterprise?<br />
* What if we need to scale up?<br />
<br />
An authentication scheme addresses such questions. Time to time authentication schemes were exploited, and new schemes evolved to address the security concerns. Some new schemes appeared to address the business requirements like scalability and single sign-on. Now, there are a lot of them. <br />
<br />
This category page contains pages related to authentication schemes and frameworks.<br />
<br />
<br />
[[Category:Technology]]</div>Kajanhttps://wiki.owasp.org/index.php?title=Category:Web_Application_Authentication_Schemes&diff=243372Category:Web Application Authentication Schemes2018-09-13T19:42:44Z<p>Kajan: added overview to the web application authentication schemes category page</p>
<hr />
<div>==Overview==<br />
<br />
In authentication, one entity proves it is the one which it claims to be by demonstrating the knowledge of an agreed secret. It is different from ''identification'' in which an entity is identified but not verified. The entity in this context can be a person, a system or a service call.<br />
<br />
The secret can be one or more of the following. <br />
* some secret that you know(e.g. password)<br />
* something that only you have(e.g. a smart card)<br />
* something you are(e.g. fingerprint) <br />
* somewhere you are(particular IP address)<br />
<br />
Each of them has its strengths and weaknesses. So there is a question of what to choose. We have more questions.<br />
* How to verify if an entity is already authenticated or not?<br />
* How to inform an entity that it needs to authenticate first?<br />
* How are credentials transferred from one to other?<br />
* How are credentials verified?<br />
* How to indicate successful authentication?<br />
* How can we avoid replay attacks?<br />
* How to ensure that we don't expose the plain credentials?<br />
* How do we achieve mutual authentication?<br />
* Are we going to ask the user to have different credentials to each system in the enterprise?<br />
* What if we need to scale up?<br />
<br />
An authentication scheme addresses such questions. Time to time authentication schemes were exploited, and new schemes evolved to address the security concerns. Some new schemes appeared to address the business requirements like scalability and single sign-on. Now, there are a lot of them. Below you can find details about them. Some schemes are based on a certain framework. So we first describe the framework and then the schemes.</div>Kajanhttps://wiki.owasp.org/index.php?title=Category:Technology&diff=243371Category:Technology2018-09-13T19:20:44Z<p>Kajan: added a new category to index comprehensive list of web application authentication schemes</p>
<hr />
<div>{{Social Media Links}}<br />
<br />
This is a parent category that is used to hold categories for various technologies and platforms commonly used by web applications. These subcategories are used to mark articles with any applicable technologies. These tags will help when searching for applicable articles in the OWASP wiki.<br />
<br />
==Examples of Technologies==<br />
Technologies<br />
*[[:Category:File Systems|File Systems]]<br />
*[[:Category:IO|IO]]<br />
*[[:Category:Database|Database]]<br />
*[[:Category:Web Application Authentication Schemes|Web Application Authentication Schemes]]<br />
<br />
Platforms/Languages<br />
*[[:Category:Java|Java]]<br />
*[[:Category:.NET|.NET]]<br />
*[[:Category:PHP|PHP]]<br />
*[[:Category:C|C,C++]]<br />
<br />
For example, an article on SQL injection in J2EE would be tagged with [[:Category:Database]] and [[:Category:Java]] as well as any other applicable categories like vulnerabilities and countermeasures.<br />
<br />
[[Category:Article Type]]</div>Kajan