两只小蚂蚁


First, authentication and authorization are two different concepts.

HTTP Basic Auth

The username and password are put in a request header, base64-encoded.

HTTP Digest Auth

Like HTTP Basic, but the username and password are hashed with an MD5 digest instead of being sent base64-encoded.

HTTPS Client Authentication

HTTPS & SSL. Client-certificate authentication is a more secure method of authentication than either BASIC or FORM authentication.

HTTP OAuth

Instead of a username and password, a token is put in the Authorization header.

Form-based auth

The user enters a username and password, and the GET/POST request carries them in the request body instead of a header. The server checks them and responds with a session ID, and the client's subsequent requests carry that ID in a header.

Token Auth

Almost the same as cookie auth, but the server responds with a token instead of a session ID.

Base64 details below:

I believe no one uses the base64 authentication below on a public web site.

Server side

When the server wants the user agent to authenticate itself towards the server, the server must respond appropriately to unauthenticated requests.

To unauthenticated requests, the server should return a response whose header contains an HTTP 401 Unauthorized status and a WWW-Authenticate field.

The WWW-Authenticate field for basic authentication is constructed as follows:

WWW-Authenticate: Basic realm="User Visible Realm"

The server may choose to include the charset parameter from RFC 7617:

WWW-Authenticate: Basic realm="User Visible Realm" charset="UTF-8"

Client side

When the user agent wants to send authentication credentials to the server, it may use the Authorization field.

The Authorization field is constructed as follows:

  1. The username and password are combined with a single colon (:). This means that the username itself cannot contain a colon.
  2. The resulting string is encoded into an octet sequence. The character set to use for this encoding is by default unspecified, as long as it is compatible with US-ASCII, but the server may suggest use of UTF-8.[7]
  3. The resulting string is encoded using a variant of Base64.
  4. The authorization method and a space (e.g. "Basic ") is then prepended to the encoded string.

For example, if the browser uses Aladdin as the username and OpenSesame as the password, then the field's value is the base64-encoding of Aladdin:OpenSesame, or QWxhZGRpbjpPcGVuU2VzYW1l. Then the Authorization header will appear as:

Authorization: Basic QWxhZGRpbjpPcGVuU2VzYW1l
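The four construction steps above, carried through in code as an added example (not part of the original post): a client-side builder, the matching server-side parser, and a 401 challenge check that uses the realm and charset parameters shown earlier. The credential store and header dictionaries are constructed sample data.

```python
# Added example: build, parse and check an HTTP Basic Authorization header.
import base64
import hmac
from typing import Optional, Tuple

def build_basic_header(username: str, password: str, charset: str = "UTF-8") -> str:
    """Steps 1-4: join with a colon, encode to octets, base64, prepend 'Basic '."""
    if ":" in username:
        raise ValueError("username must not contain a colon")
    octets = f"{username}:{password}".encode(charset)
    return "Basic " + base64.b64encode(octets).decode("ascii")

def parse_basic_header(value: str, charset: str = "UTF-8") -> Optional[Tuple[str, str]]:
    """Reverse the construction; return (username, password) or None if malformed."""
    scheme, _, token = value.strip().partition(" ")
    if scheme.lower() != "basic" or not token:
        return None
    try:
        decoded = base64.b64decode(token, validate=True).decode(charset)
    except (ValueError, UnicodeDecodeError):  # binascii.Error is a ValueError
        return None
    # Split on the FIRST colon only: the username cannot contain one, the password can.
    username, sep, password = decoded.partition(":")
    if not sep:
        return None
    return username, password

def check_request(headers: dict, credentials: dict, realm: str = "User Visible Realm"):
    """Server side: return (status, response headers). Unauthenticated or
    mismatching requests get 401 plus the WWW-Authenticate challenge."""
    challenge = {"WWW-Authenticate": f'Basic realm="{realm}" charset="UTF-8"'}
    parsed = parse_basic_header(headers.get("Authorization", ""))
    if parsed is None:
        return 401, challenge
    username, password = parsed
    expected = credentials.get(username)  # constructed sample store: {user: password}
    # Constant-time comparison so a mismatch does not leak how many bytes matched.
    if expected is not None and hmac.compare_digest(password.encode(), expected.encode()):
        return 200, {}
    return 401, challenge

if __name__ == "__main__":
    hdr = build_basic_header("Aladdin", "OpenSesame")
    print(hdr)  # Basic QWxhZGRpbjpPcGVuU2VzYW1l, the value shown in the text
    print(check_request({"Authorization": hdr}, {"Aladdin": "OpenSesame"}))
```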

Authentication Schemes

Basic Access Authentication

base64-encoded, e.g. Authorization: Basic QWxhZGRpbjpvcGVuIHNlc2FtZQ==

Digest Access Authentication

MD5, e.g. WWW-Authenticate: Digest realm="testrealm@host.com", qop="auth,auth-int", nonce="dcd98b7102dd2f0e8b11d0f600bfb0c093", opaque="5ccc069c403ebaf9f0171e9517f40e41"

posted on 2018-01-28 21:15 两只小蚂蚁 reads (563) comments (0)