Understanding HTTP Basic Authentication

Introduction

I originally planned to continue sharing knowledge related to Kerberos, but the Kerberos protocol is quite complex and may require dozens of articles to fully describe. Therefore, I thought it would be better to intersperse discussions of other common network authentication protocols. The preliminary plan includes the following: HTTP Basic Auth, Digest Auth, OAuth, AWS Signature.

If you would like to learn about other authorization protocols, feel free to leave a comment at the bottom of the article. I welcome discussions!

Content Begins:

Note: If you use Basic Authentication in a real project, do not use HTTP; use HTTPS instead.

This is because Basic Authentication transmits the username and password over the network in plaintext (Base64 is an encoding, not encryption, and is trivially reversible). Without HTTPS, anyone who can observe the traffic can read your password.

Basic Authentication directly verifies the client’s username and password.

Authentication Process

  1. Server side: When the client requests a server resource that requires Basic Authentication, the server responds with a 401 response that includes the WWW-Authenticate header.
WWW-Authenticate: Basic realm="WallyWorld"

Realm: the protection space the credentials apply to.

  2. Client: After receiving the 401 response from the server, the client obtains the username and password from the upper-layer application or end user, then resends the current request with the Authorization header.
// user=Aladdin, password=open sesame
Authorization: Basic QWxhZGRpbjpvcGVuIHNlc2FtZQ==

The value "QWxhZGRpbjpvcGVuIHNlc2FtZQ==" is calculated as follows:

Base64("Aladdin" + ":" + "open sesame")

  3. Server: After receiving the request with the Authorization header, the server decodes it and verifies the username and password.

    If verification is successful, it processes the current request and returns the result.

    If verification fails, it returns a 401.
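The three steps above, worked through in code. This is an added example, not code from the original article: the credential store, the realm "WallyWorld" and the function names are assumptions; the server side splits the decoded string on the first colon (RFC 7617 forbids a colon in the username, so the password may contain one) and compares the password in constant time.

```python
import base64
import hmac
from typing import Optional, Tuple

# Constructed sample credential store (username -> password). A real server
# would store a salted password hash instead of the plaintext password.
USERS = {"Aladdin": "open sesame"}
REALM = "WallyWorld"


def build_authorization_header(username: str, password: str) -> str:
    """Client side (step 2): Base64-encode 'username:password'."""
    if ":" in username:
        raise ValueError("username must not contain ':'")
    token = base64.b64encode(f"{username}:{password}".encode("utf-8"))
    return "Basic " + token.decode("ascii")


def challenge_header() -> str:
    """Server side (step 1): header sent with the 401 to request credentials."""
    return f'WWW-Authenticate: Basic realm="{REALM}"'


def parse_authorization_header(value: str) -> Optional[Tuple[str, str]]:
    """Decode an Authorization header; None if it is not well-formed Basic."""
    scheme, _, token = value.strip().partition(" ")
    if scheme.lower() != "basic" or not token:
        return None
    try:
        decoded = base64.b64decode(token.strip(), validate=True).decode("utf-8")
    except (ValueError, UnicodeDecodeError):  # binascii.Error is a ValueError
        return None
    username, sep, password = decoded.partition(":")  # split on FIRST colon
    if not sep:
        return None
    return username, password


def authenticate(authorization: Optional[str]) -> int:
    """Server side (step 3): HTTP status the request should receive."""
    if authorization is None:
        return 401  # no credentials yet: reply 401 + challenge_header()
    creds = parse_authorization_header(authorization)
    if creds is None:
        return 401
    username, password = creds
    expected = USERS.get(username, "")
    # Constant-time comparison so timing does not reveal how much matched.
    ok = hmac.compare_digest(password.encode("utf-8"), expected.encode("utf-8"))
    return 200 if username in USERS and ok else 401
```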

Example

--------------------------------------------
Client requests access to /auth/basic/test.txt
--------------------------------------------
GET /auth/basic/test.txt HTTP/1.1
Host: 192.168.0.152
Connection: keep-alive
DNT: 1
Upgrade-Insecure-Requests: 1
User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/111.0.0.0 Safari/537.36
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/avif,image/webp,image/apng,*/*;q=0.8,application/signed-exchange;v=b3;q=0.7
Accept-Encoding: gzip, deflate
Accept-Language: en-US,en;q=0.9,zh-CN;q=0.8,zh;q=0.7

--------------------------------------------
Server requires authorization to access /auth/basic/test.txt
--------------------------------------------
HTTP/1.1 401 Unauthorized
Content-Type: text/html
Server: Microsoft-IIS/10.0
WWW-Authenticate: Basic realm="192.168.0.152"
Date: Tue, 14 Mar 2023 06:25:17 GMT
Content-Length: 1293

<html body ......>

--------------------------------------------
Client resends the request with Basic Authentication information
--------------------------------------------
GET /auth/basic/test.txt HTTP/1.1
Host: 192.168.0.152
Connection: keep-alive
Cache-Control: max-age=0
Authorization: Basic QWEXAMPLECREDNETIALNg==
DNT: 1
Upgrade-Insecure-Requests: 1
User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/111.0.0.0 Safari/537.36
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/avif,image/webp,image/apng,*/*;q=0.8,application/signed-exchange;v=b3;q=0.7
Accept-Encoding: gzip, deflate
Accept-Language: en-US,en;q=0.9,zh-CN;q=0.8,zh;q=0.7

--------------------------------------------
Authentication successful, returning content of /auth/basic/test.txt
--------------------------------------------
HTTP/1.1 200 OK
Content-Type: text/plain
Last-Modified: Thu, 09 Mar 2023 01:34:51 GMT
Accept-Ranges: bytes
ETag: "c8618d572752d91:0"
Server: Microsoft-IIS/10.0
Date: Tue, 14 Mar 2023 06:25:24 GMT
Content-Length: 5

....
