HTTP Authentication Schemes

How the WWW Authenticate challenge and Authorization reply work.

A Challenge and Response Framework

HTTP defines a general authentication framework (RFC 7235). When a protected resource is requested without credentials, the server answers 401 Unauthorized and includes a WWW-Authenticate header naming a scheme and, for Basic and Digest, a realm, for example: WWW-Authenticate: Basic realm="WallyWorld". A server may list more than one challenge so that a client can pick a scheme it supports.

Replying with Credentials

The client repeats the request with an Authorization header carrying the scheme name followed by the credentials. The scheme decides the credential format:

  • Basic (RFC 7617) sends the user-id and password joined by a colon and base64 encoded. Base64 is an encoding, not encryption, so Basic must run over HTTPS.
  • Digest (RFC 7616) sends a hash computed over the user name, realm, password, the server's nonce and the request method and URI, so the password itself never crosses the wire. A captured response can still be attacked offline by guessing passwords, and the default MD5 variant is weak, so prefer SHA-256 and still use TLS.
  • Bearer (RFC 6750) sends an opaque token, typically issued by an OAuth 2.0 authorization server. Whoever holds the token can use it, so it too must only be sent over HTTPS.
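The exchange above, as an added example that is not part of the original lesson: a parser for the scheme and parameters of a WWW-Authenticate challenge, client-side builders for Basic, Bearer and Digest Authorization values, and the server-side check that recomputes a Digest response from a stored H(user:realm:password) so the password is never needed on the wire. The sample challenges are constructed here; the Digest values (realm, nonce, opaque, cnonce and the expected response) are the worked example from RFC 2617 section 3.5. Only qop=auth is implemented, and all function names are this example's own.

```python
import base64
import hashlib
import hmac
import re
import secrets

# Constructed sample challenges, as a server would send them in WWW-Authenticate.
# The Digest parameters are the worked example from RFC 2617 section 3.5.
BASIC_CHALLENGE = 'Basic realm="WallyWorld"'
DIGEST_CHALLENGE = ('Digest realm="testrealm@host.com", qop="auth,auth-int", '
                    'nonce="dcd98b7102dd2f0e8b11d0f600bfb0c093", '
                    'opaque="5ccc069c403ebaf9f0171e9517f40e41"')

# name=value pairs where value is either a quoted-string or a bare token
_PARAM = re.compile(r'(\w+)=(?:"((?:[^"\\]|\\.)*)"|([^\s,]+))')
_HASHES = {"MD5": hashlib.md5, "SHA-256": hashlib.sha256}


def parse_challenge(header):
    """Split 'Scheme k=v, k2="v2"' into (scheme, {k: v}).
    Works for both WWW-Authenticate challenges and Authorization replies."""
    scheme, _, rest = header.strip().partition(" ")
    params = {}
    for m in _PARAM.finditer(rest):
        name, quoted, token = m.groups()
        params[name.lower()] = token if quoted is None else quoted
    return scheme, params


def basic_authorization(user, password):
    """RFC 7617: base64(user-id ":" password). The user-id may not contain ':'."""
    if ":" in user:
        raise ValueError("user-id must not contain a colon")
    creds = base64.b64encode(f"{user}:{password}".encode("utf-8")).decode("ascii")
    return f"Basic {creds}"


def bearer_authorization(token):
    """RFC 6750: the token itself is the credential, so treat it like a password."""
    return f"Bearer {token}"


def digest_ha1(user, realm, password, algorithm="MD5"):
    """H(user:realm:password). A server can store this instead of the password."""
    return _HASHES[algorithm](f"{user}:{realm}:{password}".encode()).hexdigest()


def digest_response(ha1, method, uri, nonce, nc, cnonce, qop, algorithm="MD5"):
    """Response for qop=auth: H(HA1:nonce:nc:cnonce:qop:H(method:uri))."""
    h = lambda s: _HASHES[algorithm](s.encode()).hexdigest()
    ha2 = h(f"{method}:{uri}")
    return h(f"{ha1}:{nonce}:{nc}:{cnonce}:{qop}:{ha2}")


def digest_authorization(user, password, method, uri, params, cnonce=None, nc=1):
    """Client side: answer a parsed Digest challenge (qop=auth only)."""
    offered = [q.strip() for q in params.get("qop", "auth").split(",")]
    if "auth" not in offered:
        raise ValueError("server did not offer qop=auth")
    algorithm = params.get("algorithm", "MD5")
    if algorithm not in _HASHES:
        raise ValueError(f"unsupported algorithm {algorithm}")
    cnonce = cnonce or secrets.token_hex(8)   # client nonce, fresh per request in practice
    nc_hex = f"{nc:08x}"                      # request counter for this server nonce
    ha1 = digest_ha1(user, params["realm"], password, algorithm)
    resp = digest_response(ha1, method, uri, params["nonce"], nc_hex, cnonce, "auth", algorithm)
    fields = [f'username="{user}"', f'realm="{params["realm"]}"',
              f'nonce="{params["nonce"]}"', f'uri="{uri}"', "qop=auth", f"nc={nc_hex}",
              f'cnonce="{cnonce}"', f'response="{resp}"', f"algorithm={algorithm}"]
    if "opaque" in params:                    # echoed back unchanged when the server sent one
        fields.append(f'opaque="{params["opaque"]}"')
    return "Digest " + ", ".join(fields)


def verify_digest(authorization, method, ha1_by_user, issued_nonce):
    """Server side: recompute the response from the stored HA1 and compare in
    constant time. The password itself is neither sent nor needed here."""
    scheme, a = parse_challenge(authorization)
    if scheme != "Digest" or a.get("nonce") != issued_nonce or a.get("qop") != "auth":
        return False
    ha1 = ha1_by_user.get(a.get("username"))
    algorithm = a.get("algorithm", "MD5")
    if ha1 is None or algorithm not in _HASHES:
        return False
    expected = digest_response(ha1, method, a["uri"], a["nonce"], a["nc"], a["cnonce"],
                               "auth", algorithm)
    return hmac.compare_digest(expected, a.get("response", ""))


if __name__ == "__main__":
    scheme, params = parse_challenge(DIGEST_CHALLENGE)
    reply = digest_authorization("Mufasa", "Circle Of Life", "GET", "/dir/index.html", params)
    store = {"Mufasa": digest_ha1("Mufasa", params["realm"], "Circle Of Life")}
    print(reply)
    print("server accepts:", verify_digest(reply, "GET", store, params["nonce"]))
```

The server check binds the response to the method and URI and to the nonce it issued, so a captured Authorization value cannot be replayed against a different resource or after the nonce is retired; what it does not prevent is an attacker who captured the exchange guessing the password offline, which is why the scheme is still paired with TLS.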

Realms and Scope

The realm is a quoted string that labels a protection space on the origin server. Credentials valid for one realm are not assumed valid for another, letting one server guard several areas separately; conversely, a client that has authenticated to a realm may reuse those credentials for other URIs in the same protection space without waiting for a fresh 401.

A Caution on Basic

Basic offers no confidentiality on its own: base64 is reversible, so anyone who can read the request recovers the password. It is acceptable only on an encrypted connection, and even then the server sees the clear-text password on every request, and browsers resend cached Basic credentials automatically, so the protected resource still needs its own cross-site request forgery protection.

Key idea

HTTP authentication is a challenge and response: a 401 with WWW-Authenticate names a scheme and realm, and the client retries with an Authorization header whose format depends on the scheme, whether Basic, Digest, or Bearer.

Check yourself

1. Which status code begins an HTTP authentication challenge?

2. Why must the Basic scheme run over HTTPS?