HTTP Authentication with SASLARPA2.netHaarlebrink 5EnschedeOverijssel7544 WPThe Netherlandsrick@openfortress.nlMost application-level protocols standardise their authentication
exchanges under the SASL framework. HTTP has taken another course, and
often ends up replicating the work to allow individual mechanisms.
This specification adopts full SASL authentication into HTTP.HTTP has historically followed its own path for client authentication,
while many other end-user protocols standardised on SASL;
examples of SASL protocols include SMTP, IMAP, POP, XMPP, LDAP, AMQP and MQTT.
This specification introduces SASL to HTTP, so it may share in
past and future work done for SASL in general.Among the work that could be shared is backend authentication integration,
which is possible due to protocol-independent SASL exchanges for any given
method, making it easy to take them out of one protocol and inserting them
into another. Although HTTP has adopted several SASL-compatible authentication
methods, it uses various notations and so it still needs method-specific
support at the HTTP level to translate them to a SASL backend.In front-ends, a similar situation has arisen. The varying syntaxes
for authentication methods have made it difficult to rely on support in
most or all HTTP clients. When such clients could externalise their
SASL handling to generic software such as a SASL library, then any extension
to a library automatically spills over into the HTTP sphere. It is common
for developers of web clients to also produce email clients, so a shared
code base (and credential store) is not difficult to imagine.Sharing of authentication mechanisms is beneficial in both directions.
HTTP benefits by being able to use anything from
strong password mechanisms without explicit
support in applications,
up to GS2 mechanisms
with channel binding
to TLS
based on pinning either the certificate for the TLS server or even a
unique part of the individual TLS connection; for instance Kerberos5
currently uses Negotiate authentication which is not
as secure as GS2-KRB5-PLUS over SASL.SASL also benefits; had it been the norm for HTTP,
then the work to pass SAML over it would
probably have been done immediately. In fact, HTTP can still benefit from
receiving standardised SAML20 inquiries over SASL, because it resolves the
need for configuration of initiation paths and practices. Also, it removes
authentication data from URIs, where they are not ideally placed.In terms of security for HTTP applications, it appears beneficial to
have very good authentication capabilities in the layers below the
application; this is specifically true for applications developed in
HTML and JavaScript, which tend to load code from various places,
including code that is not always in the end user's interest; since it
already is a concern what identity information passes through these
applications, it is not advisable to use credentials in those
places. The HTTP layer is in a better position to take control over these
assets, at the protocol levels of HTTP and TLS, and conceal credentials
and possibly also identity from applications running on top. Inasfar
as tokens are needed, they can be derived from session keys using
generally accepted key derivation schemes, but the session keys can
be isolated from dynamic layers above HTTP.This specification integrates the SASL framework
into mainstream HTTP , .
The SASL Authentication scheme follows the general structure for
HTTP Authentication . It uses the WWW-Authenticate
and Proxy-Authenticate headers in responses from web servers and web
proxies, respectively, and correspondingly the Authorization and
Proxy-Authorization request header to answer to requests.The SASL service name for the following embedding of SASL is HTTP;
contrary to most other service names, it is spelled in uppercase,
in line with what has become general practice in Kerberos and GSSAPI.Since SASL prescribes channel binding to occur relative to TLS instead
of to the application protocol, we can add that when the HTTPS transport
is used. Whether channel binding is used SHOULD remain a
configuration choice in HTTP software, as it might interfere with
intentional HTTPS proxying. Unintended proxying on the other hand,
might lead to tapping of credentials under certain SASL mechanisms,
and it may be considered helpful to prevent such situations by
requiring channel binding for those situations. HTTP in general allows
a user session to hop between connections, and browsers are likely to do
this; to support this, the support of tls-server-end-point channel
binding [Section 4 of ] is RECOMMENDED.
Specific HTTP clients may exercise more control over connections
to achieve stronger security; for those use cases, tls-unique
channel binding [Section 3 of ] is RECOMMENDED.
Generic web servers SHOULD support both forms of channel binding.This section defines a few names for HTTP request and response
messages, to be used in the remainder of this specification.Initial Responses are HTTP responses that normally set a status code 401 or 407,
and that are sent when the HTTP server decides to initiate an authentication
exchange. In addition, the server MAY send Initial Responses in other
responses, to indicate to the client that it MAY try again to
achieve better results [Section 4.1 of ].Initial Requests are those HTTP requests that a client sends to initiate
a fresh SASL authentication. The identity SHOULD be selected by the user
independently from the URI; prior settings MAY however be remembered by a
client for the combination of resource authority (scheme, host and possibly
a separately communicated resource user name) with the server-sent realm
string. The server can support a mixture of client identities for various
roles or access levels through variation of realm strings. There is no
current practice of server-side resource names in HTTP, but the generic
URI schema presents this logic and it is easy to imagine an HTTP User header
that a client could support.Intermediate Responses are HTTP responses to SASL authentication,
with a status code set to 401 or 407.
Intermediate Requests are those HTTP requests that a client sends to
continue a SASL authentication after an Intermediate Response.Positive Responses set a 200 status code to depict success. Information
in this response is provided in an Authentication-Info or
Proxy-Authentication-Info header
instead of the headers
used in Initial Responses and Intermediate Responses .
Proper interpretation of a Positive Response requires client state
indicating that SASL authentication was used, or else the optional fields are
not completely reliable information sources; cryptographic markers in the
c2c field MAY be used to overcome this in a manner that defies abuse by
rogue servers.Negative Responses also set a 401 or 407 status code and will often
return the client to an earlier state that it recognises as one it has
tried before. These responses should therefore offer authentication to
start again. In contrast to the Initial Response, there is now a c2c
field that helps the client evaluate the request.The following fields, defined in upcoming sections, MUST and MAY be present
in HTTP authentication exchanges for SASL:Data for SASL is transported in the following fields:
holds SASL token data from client to server.
This field is transmitted with base64 encoding.
The field is absent when the SASL client sends no token.
holds SASL token data from server to client.
This field is transmitted with base64 encoding.
The field is absent when the SASL server sends no token.
holds opaque server data which the client MUST reflect in
Intermediate Requests and, when responding to an
Initial Response, in the Initial Request.
This is a necessity for a stateless HTTP Authentication framework
[Section 5.1.2 of ]. It MAY be used
in a Positive Response to pass a cacheable
authentication token in a future Initial Request.The following fields support SASL within the HTTP Authentication Framework:
optionally names a scope of authorisation under the combination
of scheme, server host name and possibly a HTTP user to implement
the semantics of the generic URI username for resource selection.
The realm does not necessarily match a domain name, which is used
elsewhere as a realm notation.
In an Initial Response, the field is filled with a
space-separated list of SASL mechanism names;
In an Initial Request, the client chooses one SASL mechanism
name.When an HTTP server sends a Positive Response, it MAY include
an "s2s" field. If it does this, then it should be prepared to accept
the field value for authentication in an Initial Request. However,
credentials can expire or fall in disgrace for other reasons, so
the server MAY still choose to reject the provided field.When an HTTP client receives a Positive Response with an
"s2s" field, it MAY memorise the fields for future reuse in an
Initial Request, either with or without preceding Initial Response
from the server. The HTTP client MUST use the realm as part of the
decision which cached result to use, but it MAY extrapolate the
results from one resource retrieval in an attempt to authenticate
another.When cached fields result in a Negative Response then the
HTTP client SHOULD remove the failing cache entry, and it SHOULD
try again by going through a full SASL authentication cycle.
The stateless nature of HTTP authentication is helpful in the
sense that a new Initial Request can be sent to an older
Initial Response.HTTP does not define a mechanism to specifically select the
user as an authoritative resource name space on the server. Local
syntax conventions exist, but lack universally reliable semantics.
Basic authentication has been used to this effect, but this
conflates the client identity with the server-side name space,
which is not necessarily the same.To allow HTTP servers to zoom in on user-specific information,
the User header is hereby introduced. Its syntax matches the
userinfo part of a URI, up to but excluding any colons in it:
The value of the header MUST be percent-decoded before the
server can use it to identify a local user.The User header MAY be sent by clients, and HTTP servers
MAY ignore it for any reason, including local user identities
that do not comply to a more restrictive local user name
syntax.When an HTTP server makes use of the User header, it MUST
include a Vary header in its response, with either a single "*"
in it or the name "User". This informs caches that the response
must be considered specific to the User header value in the
matching request.The User header may be used with or without any form of
authentication. When used with authentication, the value of
the percent-decoded header is considered part of the authority
component of the resource, and therefore of the naming scope
for the realm. Clients can use this refined notion of realm
to select an authentication identity; when the value is known
early enough, this may even help to select an X.509 client
certificate. Note that the User header might be used together
with the aforementioned practice of Basic authentication, but
it can also replace it with an even simpler mechanism to
free up the authentication exchange for HTTP SASL.The distinction of a client-side user from a server-side
user can benefit the use of credential schemes that are not
tied to the HTTP server. A specific example of this is the
current work on realm crossover with GS2-SXOVER-PLUS. The
use of such a mechanism may offload security concerns from
the application layer. This section is non-normative.When an HTTP server receives a request for a protected page, it will send an Initial Response to ask for authentication with a special status code 401; for proxy access that would be 407, and header names change accordingly. Stripped down to the bare essentials, the server sends (this section adds whitespace for clarity)
The server offers SCRAM-* and GS2-KRB5 mechanisms. The variants with -PLUS provide additional channel binding, to ensure that authentication is specific to the current HTTPS connection, thus avoiding replay of the session across connections. Clients aware of HTTP connections may use connection-specific channel binding (tls-unique) while those that abstract from the connections must resort to weaker name-based channel binding (tls-server-end-point).The server might have additionally offered the ANONYMOUS mechanism to allow the client to select "guest mode" access; the interaction would continue as authenticated, but presumably with limited access to HTTP resources and continued WWW-Authenticate headers to continue to offer authentication to improve resource information content. The server might have offered EXTERNAL to allow the client to incorporate a TLS credential for authentication and possibly change to an authorization identity. The server might have offered GS2-SXOVER-PLUS if it is willing to connect to the client's home realm over Diameter, and thereby support realm crossover of SASL credentials.The client initiates the SCRAM-SHA-256-PLUS mechanism, and to that end sends an Initial Request (this section shows square brackets around text that is transmitted with base64-encoding)
This mechanism is initiated by the client, hence the inclusion of the c2s token in the Initial Request. The contents of this field are specific to the selected mechanism, so SCRAM-SHA-256-PLUS in this case.The SCRAM mechanism implementation is now initiated with the c2s token, and the server produces a followup challenge in a s2c token. To be able to validate future client messages against server-side state, it includes such state in an s2s token. This token is presumably protected from abuse with a signature and/or encryption, and it would likely identify the selected mechanism to validate during later rounds. The server packs all this in an Intermediate Response
Given that all server state is contained in this message, the client is free at any time to give up authentication and perhaps try another method. Normally however, it would proceed with the ongoing transaction.The SCRAM mechanism continues with another round. The client engages in the prescribed cryptographic computations and packs an Intermediate Request along with updated state in the new c2s token
When the client has performed authentication properly, as determined by a server-side check of the c2s response token with the prior state in the s2s token, it can send a Positive Response along with the requested resource
The s2s token in a Positive Response is an optional extension. It is presented by the server to allow the client to speed up authentication in future requests. The client may send it whenever the server asks for the same realm string under the same scheme and authority; the client may make proactive assumpions about the realm string for new requests. Authentication must never be reused in another context than bound by channel binding. When used, the client immediate sends an Intermediate Response holding
The server always has an option to refuse repeated authentication and forcing the client into a new authentication round. One reason for this could be that a session timed out. Another might be that the client is trying to use a credential outside a scope set by channel binding.It is not generally safe for SASL mechanisms to
exchange c2s and s2c messages over unprotected transports. Furthermore,
the SASL exchange may be at risk of tampering when the sequence of
HTTP messages is not secured to form one stream. This means that a
secure transport layer must be used, like TLS. The termination of such
a secure layer MUST also terminate any ongoing SASL handshakes.The s2s field MUST be protected against tampering by rogue
peers, and such
protection also protects against tampering by rogue intermediates when
using an unprotected transport. In addition, but dependent on the
mechanism used, the s2s field may also
need encryption to conceal their data from peers and intermediates.SASL EXTERNAL can be a very efficient mechanism to combine with a
secure transport layer if that includes authentication. This may be the case
for TLS, especially when client-side authentication is deployed.
Mechanisms other than EXTERNAL should take into account that a relation
may exist between identities negotiated in the protective layer and the
SASL exchange over HTTP. For example, a login account may be exchanged
for an alias or group identity.Channel binding is available in some SASL mechanisms. When used with
HTTP SASL over TLS, it binds to the TLS channel.
When doing so, it is vital that either there be no renegotiation of the
TLS handshake, or both secure renegotiation
and the extended master secret
are used.The User header field as defined herein is orthogonal to issues of
authentication and authorisation, and adds no security concerns.This specification extends the "Hypertext Transfer Protocol (HTTP)
Authentication Scheme Registry" with an "Authentication Scheme Name"
SASL, referencing this specification.This specification defines an additional entry in the registry
"Generic Security Service Application Program Interface (GSSAPI)/Kerberos/Simple Authentication and Security Layer (SASL) Service Names"
namely:
The capitalisation of the service name has historic origins and is now the
preferred spelling for reasons of compatibility.Please add the following entry to the Message Headers registry:
-->
We define a number of variables that SHOULD be passed
from an HTTP SASL stack (and from User header processing)
to applications run on top of it. The intention of
defining these is to obtain maximum interoperability between
these layers of software.The following variables MUST NOT be available until
SASL authentication is successful; it would be available
when the server could send a 200 OK response:
is only "yes" (without the
quotes) when a client is authenticated
to the current resource. It never has
another value; it is simply undefined when not
secured by SASL. is the realm for which the secure
exchange succeeded. A realm is not always used,
because sites only need it when there are more than
one in the same name space. When undefined in the
SASL flow, this variable will not be set. is the client identity as confirmed through
SASL authentication. Its content is formatted like
an email address, and includes a domain name. That
domain need not be related to the web server; it is
possible for a web server to welcome foreign clients. indicates the mechanism used, and
is one of the standardised SASL mechanism names.
It may be used to detect the level of security. holds the accepted s2s field, and
could be used as a random session identifier. It
would normally be encrypted information. is a prefix for extra information that
the server may extract from the s2s field in
the HTTP SASL protocol flow. This depends on the
authentication stack used in the web server.The following variable SHOULD be available while processing
a request with a User header with locally acceptable syntax:
gives the HTTP User header value
after syntax checking and percent-decoding. If used at all,
it MUST be treated as a resource name space selector.
This header does not describe the authenticated client identity,
which is usually passed in a variable REMOTE_USER.Thanks to Henri Manson for making the first implementation
of this specification and for feedback on the header formats.
The specification also benefited from input by Daniel Stenberg.This work was supported with an open source development fund
from NLNet.