HTTP Authentication
    auth-scheme = token
    auth-param  = token "=" ( token | quoted-string )
    challenge   = auth-scheme 1*SP 1#auth-param
The 401 (Unauthorized) response message is used by an origin server to challenge the authorization of a user agent
This response MUST include a WWW-Authenticate header field containing at least one challenge applicable to the requested resource
The 407 (Proxy Authentication Required) response message is used by a proxy to challenge the authorization of a client and MUST include a Proxy-Authenticate header field containing at least one challenge applicable to the proxy for the requested resource
    D:\projects\maui>curl -I http://ar-code.svn.engineyard.com/
    HTTP/1.1 401 Authorization Required
    Date: Fri, 09 Jan 2009 04:15:16 GMT
    Server: Apache
    WWW-Authenticate: Basic realm="Engine Yard SVN Cluster: ar-code"
    Content-Type: text/html; charset=iso-8859-1
The authentication parameter realm is defined for all authentication schemes:
    realm       = "realm" "=" realm-value
    realm-value = quoted-string
A user agent that wishes to authenticate itself with an origin server--usually, but not necessarily, after receiving a 401 (Unauthorized)--MAY do so by including an Authorization header field with the request
A client that wishes to authenticate itself with a proxy--usually, but not necessarily, after receiving a 407 (Proxy Authentication Required)--MAY do so by including a Proxy-Authorization header field with the request
    credentials = auth-scheme #auth-param
Basic Access Authentication Scheme
The "basic" authentication scheme is based on the model that the client must authenticate itself with a user-ID and a password for each realm
The realm value should be considered an opaque string which can only be compared for equality with other realms on that server
    challenge   = "Basic" realm
    credentials = "Basic" basic-credentials
WWW-Authenticate: Basic realm="WallyWorld"
To receive authorization, the client sends the userid and password, separated by a single colon (":") character, within a base64 encoded string in the credentials
    basic-credentials = base64-user-pass
    base64-user-pass  = <base64 encoding of user-pass, except not limited to 76 char/line>
    user-pass         = userid ":" password
    userid            = *<TEXT excluding ":">
    password          = *TEXT
Authorization: Basic QWxhZGRpbjpvcGVuIHNlc2FtZQ==
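The grammar above in working form, as an added example (this is not code from the original notes): a small parser for a single `challenge` / `credentials` value, and the Basic scheme's user-pass encoding and decoding. The header values fed to it are the ones quoted in these notes; the parser assumes one challenge per header value, not the `1#challenge` list form.

```python
import base64
import re

# Added example, not part of the original notes: parse a single
# 'Scheme k1="v1", k2=v2' challenge and build / decode Basic credentials.
# auth-param = token "=" ( token | quoted-string ); the token charset below
# is the RFC 7230 tchar set, which covers every example on this page.
_AUTH_PARAM = re.compile(
    r"""([!#$%&'*+\-.^_`|~0-9A-Za-z]+)=("(?:[^"\\]|\\.)*"|[^\s,]+)"""
)


def parse_challenge(header_value):
    """Split 'Basic realm="WallyWorld"' into ("Basic", {"realm": "WallyWorld"}).

    Param names are lower-cased (they are case-insensitive); quoted-string
    values lose their quotes and backslash escapes.  Basic defines only realm.
    """
    scheme, _, rest = header_value.strip().partition(" ")
    params = {}
    for name, value in _AUTH_PARAM.findall(rest):
        if value.startswith('"'):
            value = re.sub(r"\\(.)", r"\1", value[1:-1])
        params[name.lower()] = value
    return scheme, params


def basic_credentials(userid, password):
    """Build the Authorization value: "Basic" base64(userid ":" password)."""
    if ":" in userid:
        raise ValueError('userid = *<TEXT excluding ":">')
    token = base64.b64encode(f"{userid}:{password}".encode("utf-8")).decode("ascii")
    return f"Basic {token}"


def decode_basic(authorization_value):
    """Recover (userid, password) from a Basic Authorization value.

    base64 is an encoding, not encryption: whoever can read the header
    (a proxy, a packet capture, a log file) reads the password.  A server
    should therefore only accept Basic over TLS.
    """
    scheme, _, token = authorization_value.strip().partition(" ")
    if scheme.lower() != "basic":
        raise ValueError("not a Basic credential")
    user_pass = base64.b64decode(token, validate=True).decode("utf-8")
    userid, sep, password = user_pass.partition(":")
    if not sep:
        raise ValueError("user-pass must contain a colon")
    return userid, password


if __name__ == "__main__":
    print(parse_challenge('Basic realm="WallyWorld"'))
    print(basic_credentials("Aladdin", "open sesame"))
    print(decode_basic("Basic QWxhZGRpbjpvcGVuIHNlc2FtZQ=="))
```

`decode_basic` is the entire "attack" on Basic that the notes describe further down: no key, no secret, just a base64 decode, which is why the scheme is only acceptable inside TLS.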
Digest Access Authentication Scheme
Basic Authentication Scheme is not considered to be a secure method of user authentication, as the user name and password are passed over the network in an unencrypted form
The Digest scheme challenges using a nonce value. A valid response contains a checksum (by default, the MD5 checksum) of the username, the password, the given nonce value, the HTTP method, and the requested URI
The WWW-Authenticate Response Header:
    challenge        = "Digest" digest-challenge
    digest-challenge = 1#( realm | [ domain ] | nonce | [ opaque ] | [ stale ] | [ algorithm ] | [ qop-options ] | [auth-param] )
    domain           = "domain" "=" <"> URI ( 1*SP URI ) <">
    URI              = absoluteURI | abs_path
    nonce            = "nonce" "=" nonce-value
    nonce-value      = quoted-string
    opaque           = "opaque" "=" quoted-string
    stale            = "stale" "=" ( "true" | "false" )
    algorithm        = "algorithm" "=" ( "MD5" | "MD5-sess" | token )
    qop-options      = "qop" "=" <"> 1#qop-value <">
    qop-value        = "auth" | "auth-int" | token
The Authorization Request Header:
    credentials      = "Digest" digest-response
    digest-response  = 1#( username | realm | nonce | digest-uri | response | [ algorithm ] | [cnonce] | [opaque] | [message-qop] | [nonce-count] | [auth-param] )
    username         = "username" "=" username-value
    username-value   = quoted-string
    digest-uri       = "uri" "=" digest-uri-value
    digest-uri-value = request-uri   ; As specified by HTTP/1.1
    message-qop      = "qop" "=" qop-value
    cnonce           = "cnonce" "=" cnonce-value
    cnonce-value     = nonce-value
    nonce-count      = "nc" "=" nc-value
    nc-value         = 8LHEX
    response         = "response" "=" request-digest
    request-digest   = <"> 32LHEX <">
    LHEX             = "0" | "1" | "2" | "3" | "4" | "5" | "6" | "7" | "8" | "9" | "a" | "b" | "c" | "d" | "e" | "f"
The Authentication-Info header is used by the server to communicate some information regarding the successful authentication in the response
    AuthenticationInfo = "Authentication-Info" ":" auth-info
    auth-info          = 1#( nextnonce | [ message-qop ] | [ response-auth ] | [ cnonce ] | [nonce-count] )
    nextnonce          = "nextnonce" "=" nonce-value
    response-auth      = "rspauth" "=" response-digest
    response-digest    = <"> *LHEX <">
Example:
    HTTP/1.1 401 Unauthorized
    WWW-Authenticate: Digest
        realm="testrealm@host.com",
        qop="auth,auth-int",
        nonce="dcd98b7102dd2f0e8b11d0f600bfb0c093",
        opaque="5ccc069c403ebaf9f0171e9517f40e41"

    Authorization: Digest username="Mufasa",
        realm="testrealm@host.com",
        nonce="dcd98b7102dd2f0e8b11d0f600bfb0c093",
        uri="/dir/index.html",
        qop=auth,
        nc=00000001,
        cnonce="0a4f113b",
        response="6629fae49393a05397450978507c4ef1",
        opaque="5ccc069c403ebaf9f0171e9517f40e41"
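How the `response` value in that exchange is computed, and how a server checks it, as an added example that is not code from the original notes. The username, realm, nonce, uri, nc and cnonce are the ones in the example above; the password "Circle Of Life" and the method GET are taken from RFC 2617's own worked example, which this exchange reproduces. The server side keeps the highest nonce-count seen per nonce so that a captured Authorization header cannot simply be replayed.

```python
import hashlib
import hmac
import secrets

# Added example, not from the original notes: RFC 2617 request-digest for
# algorithm=MD5 with qop=auth or auth-int, plus a server-side verifier.


def _h(data: str) -> str:
    return hashlib.md5(data.encode("utf-8")).hexdigest()


def request_digest(username, realm, password, method, uri, nonce, nc, cnonce,
                   qop="auth", body=b""):
    """response = H( H(A1) ":" nonce ":" nc ":" cnonce ":" qop ":" H(A2) )

    A1 = username ":" realm ":" password
    A2 = method ":" uri                      (qop=auth)
    A2 = method ":" uri ":" H(entity-body)   (qop=auth-int)
    """
    ha1 = _h(f"{username}:{realm}:{password}")
    if qop == "auth":
        ha2 = _h(f"{method}:{uri}")
    elif qop == "auth-int":
        ha2 = _h(f"{method}:{uri}:{hashlib.md5(body).hexdigest()}")
    else:
        raise ValueError("unsupported qop")
    return _h(f"{ha1}:{nonce}:{nc}:{cnonce}:{qop}:{ha2}")


def issue_nonce(seen_nonces):
    """Server side: mint an unpredictable nonce and start its nc counter at 0."""
    nonce = secrets.token_hex(16)
    seen_nonces[nonce] = 0
    return nonce


def verify_response(method, params, users, seen_nonces, body=b""):
    """Check the parsed digest-response fields in `params`.

    users       : username -> password (demo only; a real server stores H(A1))
    seen_nonces : nonce -> highest nonce-count accepted so far
    Returns True and advances the nc counter only on a valid, non-replayed response.
    """
    nonce = params.get("nonce")
    if nonce not in seen_nonces:
        return False                    # not a nonce we issued, or it expired
    nc = int(params["nc"], 16)
    if nc <= seen_nonces[nonce]:
        return False                    # replayed or out-of-order nonce-count
    password = users.get(params.get("username"))
    if password is None:
        return False
    expected = request_digest(params["username"], params["realm"], password,
                              method, params["uri"], nonce, params["nc"],
                              params["cnonce"], params.get("qop", "auth"), body)
    if not hmac.compare_digest(expected, params["response"]):
        return False
    seen_nonces[nonce] = nc
    return True


if __name__ == "__main__":
    print(request_digest("Mufasa", "testrealm@host.com", "Circle Of Life", "GET",
                         "/dir/index.html", "dcd98b7102dd2f0e8b11d0f600bfb0c093",
                         "00000001", "0a4f113b"))
```

The password never crosses the wire, but note what the server must hold: either the password or H(A1), and H(A1) is an unsalted MD5 that grants access to that realm directly, so the credential store needs the same protection as a plaintext one.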
The most serious flaw in Basic authentication is that it results in the essentially cleartext transmission of the user's password over the physical network
Before transmission, the username and password are encoded as a sequence of base-64 characters
For example, the user name Aladdin and password open sesame would be combined as Aladdin:open sesame – which is equivalent to QWxhZGRpbjpvcGVuIHNlc2FtZQ== when encoded in Base64
Little effort is required to translate the encoded string back into the user name and password, and many popular security tools will decode the strings "on the fly"
Digest authentication does not provide a strong authentication mechanism when compared to, for example, public-key based mechanisms
However, it is significantly stronger than (e.g.) CRAM-MD5, which has been proposed for use with LDAP, POP and IMAP (see RFC 2195)
It is intended to replace the much weaker and even more dangerous Basic mechanism
Digest authentication is basically an application of MD5 cryptographic hashing with usage of nonce values to prevent cryptanalysis
Any service in present use that uses Basic should be switched to Digest as soon as practical
OAuth
OAuth is an open protocol, initiated by Blaine Cook and Chris Messina, to allow secure API authorization in a simple and standard method for desktop, mobile and web applications
WWW-Authenticate Header:
WWW-Authenticate: OAuth realm="http://sp.example.com/"
Authorization Header:
    Authorization: OAuth realm="http://sp.example.com/",
        oauth_consumer_key="0685bd9184jfhq22",
        oauth_token="ad180jjd733klru7",
        oauth_signature_method="HMAC-SHA1",
        oauth_signature="wOJIO9A2W5mFwDgiDvZbTSMK%2FPY%3D",
        oauth_timestamp="137131200",
        oauth_nonce="4572616e48616d6d65724c61686176",
        oauth_version="1.0"
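Where the `oauth_signature` in that header comes from, as an added example (not code from the original notes or from the OAuth project): the OAuth Core 1.0 signature base string, the HMAC-SHA1 signature keyed with consumer secret and token secret, and a server-side check that also enforces the timestamp window. The consumer key, token, timestamp and nonce are those in the header above; the two secrets are constructed for this example, so the resulting signature is not the one shown on the page.

```python
import base64
import hashlib
import hmac
import re
import secrets
import time
from urllib.parse import parse_qsl, quote, unquote, urlsplit

# Added example, not from the original notes.  Secrets below are constructed.
CONSUMER_SECRET = "consumer-secret-demo"
TOKEN_SECRET = "token-secret-demo"


def pct(value):
    """OAuth percent-encoding: only RFC 3986 unreserved characters stay bare."""
    return quote(str(value), safe="-._~")


def signature_base_string(method, url, params):
    """METHOD & pct(base url) & pct(sorted 'k=v' pairs joined with &).

    Query-string parameters count as request parameters; oauth_signature does not.
    """
    parts = urlsplit(url)
    base_url = f"{parts.scheme.lower()}://{parts.netloc.lower()}{parts.path}"
    all_params = list(parse_qsl(parts.query, keep_blank_values=True))
    all_params += [(k, v) for k, v in params.items() if k != "oauth_signature"]
    encoded = sorted((pct(k), pct(v)) for k, v in all_params)
    normalized = "&".join(f"{k}={v}" for k, v in encoded)
    return "&".join([method.upper(), pct(base_url), pct(normalized)])


def hmac_sha1_signature(base_string, consumer_secret, token_secret=""):
    key = f"{pct(consumer_secret)}&{pct(token_secret)}".encode("ascii")
    digest = hmac.new(key, base_string.encode("ascii"), hashlib.sha1).digest()
    return base64.b64encode(digest).decode("ascii")


def sign_request(method, url, consumer_key, consumer_secret, token, token_secret,
                 realm, timestamp=None, nonce=None):
    """Client side: produce the Authorization: OAuth header value."""
    params = {
        "oauth_consumer_key": consumer_key,
        "oauth_token": token,
        "oauth_signature_method": "HMAC-SHA1",
        "oauth_timestamp": str(int(time.time()) if timestamp is None else timestamp),
        "oauth_nonce": nonce or secrets.token_hex(16),
        "oauth_version": "1.0",
    }
    params["oauth_signature"] = hmac_sha1_signature(
        signature_base_string(method, url, params), consumer_secret, token_secret)
    # realm is an ordinary quoted-string; every oauth_* value is percent-encoded
    pairs = ", ".join(f'{k}="{pct(v)}"' for k, v in params.items())
    return f'OAuth realm="{realm}", {pairs}'


def parse_oauth_header(value):
    scheme, _, rest = value.partition(" ")
    if scheme != "OAuth":
        raise ValueError("not an OAuth header")
    return {k: unquote(v) for k, v in re.findall(r'(\w+)="([^"]*)"', rest)}


def verify_signature(method, url, header_value, consumer_secret, token_secret,
                     max_skew=300, now=None):
    """Server side: recompute the signature and compare in constant time.

    The timestamp window bounds replay; a real server additionally remembers
    (timestamp, nonce) pairs it has accepted inside that window.
    """
    params = parse_oauth_header(header_value)
    presented = params.pop("oauth_signature", "")
    params.pop("realm", None)
    if params.get("oauth_signature_method") != "HMAC-SHA1":
        return False
    now = int(time.time()) if now is None else now
    if abs(now - int(params.get("oauth_timestamp", "0"))) > max_skew:
        return False
    expected = hmac_sha1_signature(signature_base_string(method, url, params),
                                   consumer_secret, token_secret)
    return hmac.compare_digest(expected, presented)


if __name__ == "__main__":
    url = "http://sp.example.com/photos?file=vacation.jpg"
    hdr = sign_request("GET", url, "0685bd9184jfhq22", CONSUMER_SECRET,
                       "ad180jjd733klru7", TOKEN_SECRET, "http://sp.example.com/",
                       timestamp=137131200, nonce="4572616e48616d6d65724c61686176")
    print(hdr)
    print(verify_signature("GET", url, hdr, CONSUMER_SECRET, TOKEN_SECRET, now=137131200))
```

Unlike Basic and Digest, the secrets here never appear in the header at all; what the server checks is that the sender could compute an HMAC over the method, URL and parameters, so a proxy that can read the request still cannot forge a different one.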
OAuth Core 1.0, the main protocol, was finalized in December
It is stable and ready to be implemented
Libraries are already available for many popular platforms such as PHP, Rails, Python, .NET, C, and Perl