First, authentication and authorization are two different concepts.
HTTP Basic Auth
The user name and password are put in a header, Base64-encoded.
HTTP Digest Auth
Like HTTP Basic, but the user name and password are hashed with MD5 into a digest.
HTTPS Client Authentication
HTTPS & SSL. Client-certificate authentication is a more secure method of authentication than either BASIC or FORM authentication.
HTTP OAuth
Instead of a user name and password, a token is put in the Authorization header.
Form-based auth
Cookie Auth
The user enters a username and password, and the GET/POST request carries them in the request body instead of a header. The server checks them and responds with a session ID; in the communication that follows, the client's requests contain the ID in a header.
Token Auth
Almost the same as Cookie auth, but the server responds with a token instead of a session ID.
Base64 details below:
I believe no one uses the Base64 authentication below on public web sites.
Server side
When the server wants the user agent to authenticate itself towards the server, the server must respond appropriately to unauthenticated requests.
To unauthenticated requests, the server should return a response whose header contains an HTTP 401 Unauthorized status and a WWW-Authenticate field.
The WWW-Authenticate field for basic authentication is constructed as follows:
WWW-Authenticate: Basic realm="User Visible Realm"
The server may choose to include the charset parameter from RFC 7617:
WWW-Authenticate: Basic realm="User Visible Realm" charset="UTF-8"
Client side
When the user agent wants to send authentication credentials to the server, it may use the Authorization field.
The Authorization field is constructed as follows:
- The username and password are combined with a single colon (:). This means that the username itself cannot contain a colon.
- The resulting string is encoded into an octet sequence. The character set to use for this encoding is by default unspecified, as long as it is compatible with US-ASCII, but the server may suggest use of UTF-8.[7]
- The resulting string is encoded using a variant of Base64.
- The authorization method and a space (e.g. "Basic ") is then prepended to the encoded string.
For example, if the browser uses Aladdin as the username and OpenSesame as the password, then the field's value is the base64-encoding of Aladdin:OpenSesame, or QWxhZGRpbjpPcGVuU2VzYW1l. Then the Authorization header will appear as:
Authorization: Basic QWxhZGRpbjpPcGVuU2VzYW1l
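The construction above and its reverse, as an added example that is not code from the original page (the function names are assumptions made for illustration). It shows that the header value decodes straight back to the password, so Base64 here is an encoding and not a protection, and that a server has to split on the first colon only:

```python
import base64
import binascii
import hmac


def build_basic_header(username: str, password: str, charset: str = "utf-8") -> str:
    """Client side: join with ':', encode to octets, Base64, prepend 'Basic '."""
    if ":" in username:
        raise ValueError("username cannot contain a colon")
    raw = f"{username}:{password}".encode(charset)
    return "Basic " + base64.b64encode(raw).decode("ascii")


def parse_basic_header(value: str, charset: str = "utf-8") -> tuple[str, str]:
    """Server side (or anyone who can read the header): recover the credentials."""
    scheme, _, token = value.strip().partition(" ")
    if scheme.lower() != "basic" or not token:
        raise ValueError("not a Basic Authorization value")
    try:
        raw = base64.b64decode(token.strip(), validate=True).decode(charset)
    except (binascii.Error, UnicodeDecodeError) as exc:
        raise ValueError("malformed Basic credentials") from exc
    # Split on the FIRST colon only: the password may itself contain colons.
    username, sep, password = raw.partition(":")
    if not sep:
        raise ValueError("missing colon separator")
    return username, password


def check_credentials(value: str, expected_user: str, expected_password: str) -> bool:
    """Return True only for a well-formed header carrying the expected pair."""
    try:
        user, password = parse_basic_header(value)
    except ValueError:
        return False
    # Constant-time comparison so the check does not leak how much matched.
    user_ok = hmac.compare_digest(user.encode(), expected_user.encode())
    pass_ok = hmac.compare_digest(password.encode(), expected_password.encode())
    return user_ok and pass_ok


if __name__ == "__main__":
    header = build_basic_header("Aladdin", "OpenSesame")  # values from the text above
    print("Authorization:", header)
    print(parse_basic_header(header))
```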
Authentication Schemes
Basic Access Authentication
base64-encoded, e.g. Authorization: Basic QWxhZGRpbjpvcGVuIHNlc2FtZQ==
Digest Access Authentication
MD5, e.g. WWW-Authenticate: Digest realm="testrealm@host.com", qop="auth,auth-int", nonce="dcd98b7102dd2f0e8b11d0f600bfb0c093", opaque="5ccc069c403ebaf9f0171e9517f40e41"