What is the Basic Authentication scheme and how does it work? (HTTP)

About

Basic Access Authentication is an authentication mechanism for HTTP requests.

To be authenticated, the request should have:

Example

Authorization: Basic dXNlcjpwYXNzd29yZA==

where:

  • Authorization is the authorization header
  • Basic dXNlcjpwYXNzd29yZA== is the header value, where:
    • dXNlcjpwYXNzd29yZA== is the Base64 encoding of username:password (here user:password), where:
      • username is the username of the user
      • password can be:

OAuth encodes both of them using the application/x-www-form-urlencoded encoding algorithm before the Base64 step.

Security: HTTPS mandatory

HTTPS is always used in conjunction with Basic Authentication.

Why? Because Basic access authentication uses Base64 encoding. It is a public, reversible encoding scheme, meaning that anyone who sees the header can decode the value without any secret.

You should therefore encrypt the network traffic with HTTPS (TLS) so that the whole request, Authorization header included, is not readable by a man in the middle.

Clients

How to make a Browser ask for credentials?

You can ask a browser to take care of the user/password dialog prompt.

Sequences:

In a sequence diagram:

sequenceDiagram
  participant User
  participant Browser
  participant Server
  User->>Browser: Enter URL in the browser or click a link
  Browser->>Server: Send GET HTTP Request
  Server->>Browser: Return 401 status with WWW-Authenticate Header
  Browser->>User: Enter your credentials in this form
  User->>Browser: Done
  Browser->>Server: Send GET HTTP Request with HTTP Authorization header
  Server->>Browser: Validated, here is the HTML page (or any other resource)
  Browser->>User: Load the HTML page and show it to the User
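As an added example (not code from the original page), both halves of the exchange above in Python: the client builds the Authorization header described earlier (including the OAuth variant that form-encodes the two parts first), and the server either decodes and checks it or answers with the 401 challenge. The user store, the realm name and the helper names are assumptions for the demo.

```python
import base64
import hmac
from urllib.parse import quote


def basic_header(username: str, password: str, oauth_form_encode: bool = False) -> str:
    """Client side: build the value of the Authorization header.

    With oauth_form_encode=True both parts are percent-encoded as
    application/x-www-form-urlencoded first (the OAuth client rule), so a
    ':' inside a secret cannot break the 'username:password' split later.
    """
    if oauth_form_encode:
        username = quote(username, safe="")
        password = quote(password, safe="")
    token = base64.b64encode(f"{username}:{password}".encode("utf-8")).decode("ascii")
    return f"Basic {token}"


def parse_basic_header(value: str):
    """Server side: decode 'Basic <b64>' into (username, password), None if malformed."""
    scheme, _, token = value.partition(" ")
    if scheme.lower() != "basic" or not token:
        return None
    try:
        raw = base64.b64decode(token.strip(), validate=True).decode("utf-8")
    except (ValueError, UnicodeDecodeError):
        return None  # not valid Base64 / not UTF-8: reject rather than guess
    user, sep, pwd = raw.partition(":")  # username may not contain ':', password may
    if not sep:
        return None
    return user, pwd


# Constructed credential store for the demo (assumption; a real server stores a hash).
USERS = {"user": "password"}


def handle_request(headers: dict) -> tuple:
    """Server side of the sequence diagram: (status, response headers)."""
    creds = parse_basic_header(headers.get("Authorization", ""))
    if creds is not None:
        user, pwd = creds
        expected = USERS.get(user, "")
        # compare_digest runs in constant time, so response timing does not reveal
        # how many characters of the password matched
        if user in USERS and hmac.compare_digest(pwd.encode(), expected.encode()):
            return 200, {}
    # No or bad credentials: the 401 challenge that makes the browser prompt the user
    return 401, {"WWW-Authenticate": 'Basic realm="example", charset="UTF-8"'}
```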



Soap UI

In Soap UI, you can enter the credentials in the Auth tab.

(Screenshot: Soap UI Basic Authentication)
