Basic Authentication

Basic Authentication is a simple authentication scheme built into the HTTP protocol where a client sends encoded (base64) credentials (username and password) in the Authorization header of an HTTP request.

When accessing a secure web page, the browser sends a request with the header Authorization: Basic dXNlcm5hbWU6cGFzc3dvcmQ=, where dXNlcm5hbWU6cGFzc3dvcmQ= is the Base64 encoded string of username:password.

# Example of Basic Authentication in Python

import requests
from requests.auth import HTTPBasicAuth

# URL of the server
url = 'https://navidnaf.com/'

# Credentials
username = 'myUsername'
password = 'myPassword'

# Create a session to capture request headers
session = requests.Session()

# Prepare the request with Basic Authentication
request = requests.Request('GET', url, auth=HTTPBasicAuth(username, password))
prepared_request = session.prepare_request(request)

# Send the request
response = session.send(prepared_request)

# Print the request headers
print("Request Headers:")
for key, value in prepared_request.headers.items():
    print(f"{key}: {value}")

# Print the response headers
print("\nResponse Headers:")
for key, value in response.headers.items():
    print(f"{key}: {value}")

# Print the response content
print("\nResponse Content:")
print(response.text)

This code creates a session to capture the request headers, prepares the request with Basic Authentication, and then sends the request. It prints out both the request headers and the response headers, as well as the response content.

Basic Authentication is one scheme within HTTP Authentication, the general framework that HTTP provides for access control and authentication.

Deep Dive

Reference for the Below Contents: https://developer.mozilla.org/en-US/docs/Web/HTTP/Authentication

RFC 7235 defines the HTTP authentication framework, which can be used by a server to challenge a client request, and by a client to provide authentication information.

The challenge and response flow works like this:

  1. The server responds to a client with a 401 (Unauthorized) response status and provides information on how to authorize with a WWW-Authenticate response header containing at least one challenge.

  2. A client that wants to authenticate itself with the server can then do so by including an Authorization request header with the credentials.

  3. Usually a client will present a password prompt to the user and will then issue the request including the correct Authorization header.

If a (proxy) server receives invalid credentials, it should respond with a 401 Unauthorized or with a 407 Proxy Authentication Required, and the user may send a new request or replace the Authorization header field.

If a (proxy) server receives valid credentials that are inadequate to access a given resource, the server should respond with the 403 Forbidden status code. Unlike 401 Unauthorized or 407 Proxy Authentication Required, authentication is impossible for this user and browsers will not propose a new attempt.
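The following is an added example, not code from the original page: a minimal server-side handler that implements the challenge/response flow described above (401 with a WWW-Authenticate challenge, 403 for valid but insufficient credentials, 200 otherwise), together with the client-side encoding of `username:password` from the header shown earlier. The user store, the realm and the allowed-user rule are constructed for the example.

```python
import base64
import binascii
import hmac
from typing import Dict, Optional, Tuple

# Constructed user store and access rule (hypothetical values, not from any real system).
# Real deployments store password hashes; plain text is used here only to keep the flow visible.
USERS = {"username": "password", "alice": "s3cret"}
ALLOWED = {"alice"}          # users permitted to read the protected resource
REALM = "example"


def make_basic_header(user: str, password: str) -> str:
    """Client side: build the Authorization header value for Basic auth."""
    token = base64.b64encode(f"{user}:{password}".encode("utf-8")).decode("ascii")
    return f"Basic {token}"


def decode_basic_header(value: str) -> Optional[Tuple[str, str]]:
    """Server side: parse 'Basic <base64(user:pass)>'; None if the header is malformed."""
    scheme, _, token = value.strip().partition(" ")
    if scheme.lower() != "basic" or not token:
        return None
    try:
        raw = base64.b64decode(token, validate=True).decode("utf-8")
    except (binascii.Error, UnicodeDecodeError):
        return None
    # The user-id may not contain ':'; everything after the first ':' is the password.
    user, sep, password = raw.partition(":")
    return (user, password) if sep else None


def handle_request(headers: Dict[str, str]) -> Tuple[int, Dict[str, str]]:
    """Return (status code, response headers) following the 401 / 403 / 200 flow."""
    challenge = {"WWW-Authenticate": f'Basic realm="{REALM}", charset="UTF-8"'}
    auth = headers.get("Authorization")
    if auth is None:
        return 401, challenge                  # no credentials: challenge the client
    creds = decode_basic_header(auth)
    if creds is None:
        return 401, challenge                  # malformed header: challenge again
    user, password = creds
    expected = USERS.get(user, "")
    # compare_digest keeps the comparison time independent of where the mismatch is
    if not hmac.compare_digest(password.encode(), expected.encode()) or user not in USERS:
        return 401, challenge                  # invalid credentials
    if user not in ALLOWED:
        return 403, {}                         # valid credentials, but no access to this resource
    return 200, {}
```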

The Authorization and Proxy-Authorization request headers contain the credentials to authenticate a user agent with a (proxy) server. Here, the scheme type (for example, Basic) is given again, followed by the credentials, which can be encoded or encrypted depending on which authentication scheme is used.

Authentication Schemes

The general HTTP authentication framework is the base for a number of authentication schemes.

IANA maintains a list of authentication schemes, but there are other schemes offered by host services, such as Amazon AWS.

| Authentication Scheme | What it is |
| --- | --- |
| Basic | Uses base64-encoded credentials for simple username and password authentication. |
| Bearer | Uses bearer tokens, which are opaque tokens used to access OAuth 2.0-protected resources. |
| Digest | Uses hashed credentials for more secure authentication, supporting SHA-256 and MD5 hashing (MD5 is not recommended). |
| HOBA | Uses digital signatures to authenticate, ensuring that the request originates from a specific client. |
| Mutual | Involves both client and server authenticating each other to establish a trusted connection. |
| Negotiate/NTLM | Uses a negotiation mechanism to select the authentication protocol, often used in Windows environments. |
| VAPID | Authorizes push notifications by proving ownership of the server sending the notifications. |
| SCRAM | Enhances password-based authentication by using a challenge-response mechanism with salted passwords. |
| AWS4-HMAC-SHA256 | A secure authentication method for AWS services, using keyed-hash message authentication with SHA-256. |

The "Basic" authentication scheme offers very poor security, but is widely supported and easy to set up.

As the user ID and password are passed over the network as clear text (it is base64 encoded, but base64 is a reversible encoding), the basic authentication scheme is not secure. HTTPS/TLS should be used with basic authentication. Without these additional security enhancements, basic authentication should not be used to protect sensitive or valuable information.

Ref: (https://developer.mozilla.org/en-US/docs/Web/HTTP/Authentication#basic_authentication_scheme)
