Basic Authentication
Basic Authentication is a simple authentication scheme built into the HTTP protocol where a client sends encoded (base64) credentials (username and password) in the Authorization header of an HTTP request.
When accessing a secure web page, the browser sends a request with the header Authorization: Basic dXNlcm5hbWU6cGFzc3dvcmQ=, where dXNlcm5hbWU6cGFzc3dvcmQ= is the Base64 encoding of the string username:password.
This code creates a session to capture the request headers, prepares the request with Basic Authentication, and then sends the request. It prints out both the request headers and the response headers, as well as the response content.
This authentication system is also known as HTTP Authentication. HTTP provides a general framework for access control and authentication.
Deep Dive
Reference for the content below: https://developer.mozilla.org/en-US/docs/Web/HTTP/Authentication
RFC 7235 defines the HTTP authentication framework, which can be used by a server to challenge a client request, and by a client to provide authentication information.
The challenge and response flow works like this:
The server responds to a client with a 401 (Unauthorized) response status and provides information on how to authorize with a WWW-Authenticate response header containing at least one challenge.
A client that wants to authenticate itself with the server can then do so by including an Authorization request header with the credentials.
Usually a client will present a password prompt to the user and will then issue the request including the correct Authorization header.
If a (proxy) server receives invalid credentials, it should respond with a 401 Unauthorized or with a 407 Proxy Authentication Required, and the user may send a new request or replace the Authorization header field.
If a (proxy) server receives valid credentials that are inadequate to access a given resource, the server should respond with the 403 Forbidden status code. Unlike 401 Unauthorized or 407 Proxy Authentication Required, authentication is impossible for this user and browsers will not propose a new attempt.
The Authorization and Proxy-Authorization request headers contain the credentials to authenticate a user agent with a (proxy) server. The header value has the form <type> <credentials>: the <type> is the same scheme name the server used in its challenge, followed by the credentials, which can be encoded or encrypted depending on which authentication scheme is used.
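The following is an added example, not code from the original page. It implements the client request mentioned earlier (building the Authorization: Basic header) together with the challenge-and-response flow just described: a server that answers 401 with a WWW-Authenticate challenge, 200 for valid credentials, and 403 for a valid user who is not allowed to read the resource. It uses only the Python standard library and talks to itself over loopback; the realm name, the user table, the /admin path and the helper names are assumptions made for this example.

```python
import base64
import binascii
import hmac
import threading
from http.client import HTTPConnection
from http.server import BaseHTTPRequestHandler, HTTPServer

# Constructed for this example: realm name and a tiny user table of
# username -> (password, may_read_admin). A real service stores password
# hashes, never plaintext passwords.
REALM = "example"
USERS = {"username": ("password", False), "admin": ("adminpass", True)}


def build_basic_header(user, password):
    """Client side: turn 'user:password' into the Authorization header value."""
    token = base64.b64encode(f"{user}:{password}".encode("utf-8")).decode("ascii")
    return f"Basic {token}"


def parse_basic_header(value):
    """Server side: return (user, password), or None if the header is not well-formed Basic."""
    parts = value.split(None, 1)
    if len(parts) != 2 or parts[0].lower() != "basic":
        return None
    try:
        decoded = base64.b64decode(parts[1], validate=True).decode("utf-8")
    except (binascii.Error, UnicodeDecodeError):
        return None
    if ":" not in decoded:
        return None
    # Only the first colon separates user and password; the password may contain ':'.
    return tuple(decoded.split(":", 1))


def credentials_valid(user, password):
    """Constant-time comparison so a wrong password is not distinguishable by timing."""
    stored = USERS.get(user)
    if stored is None:
        return False
    return hmac.compare_digest(stored[0].encode("utf-8"), password.encode("utf-8"))


def authorize(path, auth_header):
    """Pure decision function: (status, extra response headers, body) for one request."""
    creds = parse_basic_header(auth_header)
    if creds is None or not credentials_valid(*creds):
        # Missing or invalid credentials: challenge the client so it can retry.
        return 401, {"WWW-Authenticate": f'Basic realm="{REALM}", charset="UTF-8"'}, ""
    if path == "/admin" and not USERS[creds[0]][1]:
        # Valid user but insufficient rights: 403, and the browser will not re-prompt.
        return 403, {}, ""
    return 200, {}, f"hello {creds[0]}"


class BasicAuthHandler(BaseHTTPRequestHandler):
    def log_message(self, *args):  # keep the demo quiet
        pass

    def do_GET(self):
        status, extra, body = authorize(self.path, self.headers.get("Authorization", ""))
        payload = body.encode("utf-8")
        self.send_response(status)
        for name, value in extra.items():
            self.send_header(name, value)
        self.send_header("Content-Length", str(len(payload)))
        self.end_headers()
        self.wfile.write(payload)


def get(port, path, auth=None):
    """Send one GET over loopback; return (status, WWW-Authenticate header, body)."""
    conn = HTTPConnection("127.0.0.1", port, timeout=5)
    conn.request("GET", path, headers={"Authorization": auth} if auth else {})
    resp = conn.getresponse()
    result = (resp.status, resp.getheader("WWW-Authenticate"), resp.read().decode("utf-8"))
    conn.close()
    return result


def run_demo():
    """Start the server on an ephemeral port and exercise each branch of the flow."""
    server = HTTPServer(("127.0.0.1", 0), BasicAuthHandler)
    port = server.server_address[1]
    threading.Thread(target=server.serve_forever, daemon=True).start()
    try:
        return {
            "no_creds": get(port, "/"),
            "bad_creds": get(port, "/", build_basic_header("username", "wrong")),
            "ok": get(port, "/", build_basic_header("username", "password")),
            "forbidden": get(port, "/admin", build_basic_header("username", "password")),
            "admin_ok": get(port, "/admin", build_basic_header("admin", "adminpass")),
        }
    finally:
        server.shutdown()
        server.server_close()


if __name__ == "__main__":
    for name, (status, challenge, body) in run_demo().items():
        print(f"{name:10} -> {status} {challenge or ''} {body}")
```

The server keeps the decision in authorize() so it can be unit-tested without sockets; note that an unknown username is rejected before any comparison, and that the 403 branch deliberately sends no WWW-Authenticate header, which is why browsers stop prompting in that case.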
Authentication Schemes
The general HTTP authentication framework is the base for a number of authentication schemes.
IANA maintains a list of authentication schemes, but there are other schemes offered by host services, such as Amazon AWS.
Basic: Uses base64-encoded credentials for simple username and password authentication.
Bearer: Uses bearer tokens, which are opaque tokens used to access OAuth 2.0-protected resources.
Digest: Uses hashed credentials for more secure authentication, supporting SHA-256 and MD5 hashing (MD5 is not recommended).
HOBA: Uses digital signatures to authenticate, ensuring that the request originates from a specific client.
Mutual: Involves both client and server authenticating each other to establish a trusted connection.
Negotiate/NTLM: Uses a negotiation mechanism to select the authentication protocol, often used in Windows environments.
VAPID: Authorizes push notifications by proving ownership of the server sending the notifications.
SCRAM: Enhances password-based authentication by using a challenge-response mechanism with salted passwords.
AWS4-HMAC-SHA256: A secure authentication method for AWS services, using keyed-hash message authentication with SHA-256.
The "Basic" authentication scheme offers very poor security, but is widely supported and easy to set up.
As the user ID and password are passed over the network as clear text (base64 is an encoding, not encryption, and is trivially reversible), the basic authentication scheme is not secure on its own. HTTPS/TLS should always be used with basic authentication. Without that transport protection, basic authentication should not be used to protect sensitive or valuable information.
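Because a Basic header on a plain-HTTP request exposes the password to anyone on the path, a defender wants to find such requests in gateway or proxy logs. The following is an added example, not code from the original page: it scans constructed key=value log lines (the format and field names are assumptions for this example) and reports every Basic Authorization header sent over http rather than https. Only the username is decoded for the report; the password is never retained, so the audit output does not become a second copy of the leaked secret.

```python
import base64
import binascii
import re

# Constructed sample log lines for this example (not real traffic). The
# Basic value is the page's own base64 of "username:password".
LOG_LINES = [
    'time=2024-05-01T10:00:01Z src=10.0.0.5 scheme=https host=portal.example.test method=GET auth="Basic dXNlcm5hbWU6cGFzc3dvcmQ="',
    'time=2024-05-01T10:00:02Z src=10.0.0.7 scheme=http host=legacy.example.test method=GET auth="Basic dXNlcm5hbWU6cGFzc3dvcmQ="',
    'time=2024-05-01T10:00:03Z src=10.0.0.9 scheme=http host=legacy.example.test method=POST auth="Bearer opaque-token"',
    'time=2024-05-01T10:00:04Z src=10.0.0.5 scheme=http host=legacy.example.test method=GET auth="Basic %%%notbase64"',
    'time=2024-05-01T10:00:05Z src=10.0.0.8 scheme=http host=files.example.test method=GET auth="-"',
]

# key=value pairs; a value is either a double-quoted string or a run of non-spaces
KV = re.compile(r'(\w+)=("[^"]*"|\S+)')


def parse_line(line):
    """Return the line's fields as a dict with surrounding quotes removed."""
    return {key: value.strip('"') for key, value in KV.findall(line)}


def basic_username(auth):
    """Decode only the username from a Basic header value; None if it cannot be decoded."""
    parts = auth.split(None, 1)
    if len(parts) != 2 or parts[0].lower() != "basic":
        return None
    try:
        decoded = base64.b64decode(parts[1], validate=True).decode("utf-8")
    except (binascii.Error, UnicodeDecodeError):
        return None
    return decoded.split(":", 1)[0]  # everything after the first colon is the password


def audit_cleartext_basic(lines):
    """Flag every request that carried a Basic Authorization header over plain http."""
    findings = []
    for line in lines:
        fields = parse_line(line)
        auth = fields.get("auth", "-")
        if fields.get("scheme") == "http" and auth.lower().startswith("basic "):
            findings.append({
                "time": fields.get("time"),
                "src": fields.get("src"),
                "host": fields.get("host"),
                "user": basic_username(auth),  # None when the header is malformed
            })
    return findings


if __name__ == "__main__":
    for f in audit_cleartext_basic(LOG_LINES):
        print(f"{f['time']} {f['src']} -> {f['host']} user={f['user'] or '<undecodable>'}")
```

A malformed Basic value is still reported: the client attempted to send credentials in the clear even if they cannot be decoded, and the affected host is the one that needs the HTTPS fix.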
Ref: https://developer.mozilla.org/en-US/docs/Web/HTTP/Authentication#basic_authentication_scheme