This site is the archived OWASP Foundation Wiki and is no longer accepting Account Requests.
To view the new OWASP Foundation website, please visit

The General HTTP Authentication Framework

Jump to: navigation, search


HTTP provides a general framework for access control and authentication, through an extensible set of challenge-response authentication schemes, that can be used by a server to challenge a client request and by a client to provide information about the client.

Authentication flow

General HTTP authentication flow

1. A client requests the server to access an authorized resource.

Client is anything that requests a resource. Example: Browser, web service
Server is an application that serves the client's request.
Resource can be any data/information. Example: HTML document, media files

2. The server requests the client to authenticate first.

The server responds to the client with a 401 (Unauthorized) response status and provides information on how to authenticate with a WWW-Authenticate response header containing at least one challenge.

3. The client prepares for the authentication.

The client checks the response status code and understands he needs to authenticate first.
Usually, the client presents a password prompt to the user to get the credentials.
Some modern applications hide/prevents the default password prompt using client-side JavaScript and show a login form to provide a rich user experience.
The client masks/transforms the credentials based on the HTTP authentication scheme it chose/programmed to.

4. The client sends the (processed)credentials to the server.

The client then issues the request to the server with an Authorization request-header field with the HTTP authentication scheme being used and the masked credentials.

5. The server validates the received credentials.

The validation process/algorithm depends on the HTTP authentication scheme being used.

6. The server informs the client about the authorization status.

If the validation succeeds then the server checks if the authenticated entity has the privilege to access the resource

Authentication schemes that are based on the general HTTP authentication framework

  1. Basic [RFC7617]
  2. Bearer[RFC6750]
  3. Digest[RFC7616]
  4. HOBA [RFC7486, Section 3]
  5. Mutual [RFC8120]
  6. Negotiate [RFC4559, Section 3]
  7. OAuth [RFC5849, Section 3.5.1]
  8. SCRAM-SHA-1 [RFC7804]
  9. SCRAM-SHA-256 [RFC7804]
  10. Vapid [RFC8292]



MDN: The general HTTP authentication framework

IANA Authentication Scheme Registry