Basic Authentication Method

The basic access authentication method is used by the client to provide a username and password when executing the request.

Implementing the HTTP Basic authentication method provides access control to web resources using the simplest technique.

The basic authentication method sends the username and password in clear text over the network in a base64 encoded format.

This kind of transmission should be avoided for HTTP transport.

The transmission is unsafe if the request is not made through a secure SSL connection.

Basic HTTP authentication uses standard fields in the HTTP header.

How it works

On the Server Side
When a server receives an unauthenticated request it returns a response with the header that contains an HTTP 401 Unauthorized status and a WWW-Authenticate field.

The WWW-Authenticate field for basic authentication has the following construction:

WWW-Authenticate: Basic realm="User Visible Realm"

The server may choose to include the charset parameter from [rfc:7617 RFC] ][rfc:7617 7617]:

WWW-Authenticate: Basic realm=" User Visible Realm", charset="UTF-8" thus indicating that the server expects the client to use UTF-8 for encoding username and password.

HTTP Response requesting Basic Authentication

HTTP/1.0 401 Authorization Required
Date: Sat, 27 Nov 2004 10:18:15 GMT
WWW-Authenticate: Basic realm="Secure Area"

On the Client Side
To send authentication credentials to the server, the client can use the Authorization field.

The construction of the authorization field is based on the following principles:

  • The username itself cannot contain a colon. The username and password are combined with a single colon (:).
  • The resulting string is encoded into an octet sequence. The character set for this encoding is unspecified by default, as long as it is compatible with US-ASCII. The server may suggest the use of UTF-8 by sending the charset parameter.
  • The resulting string is encoded using a variant of Based64.
  • The authorization method and space (e.g. "Basic ") are then prepended to the encoded string.

The request would look something like:

GET /api/widgets/12345 HTTP/1.1
Host: localhost:8080
Authorization: Basic am9obkBzbWl0aC5jb206MTIzNDU2Nw==

The benefits of Basic Authentication are:

  • Using proxy servers
  • Being compatible with nearly every Internet browser
  • Having an access to resources that are not located on the IIS server.

Basic Authentication method has some drawbacks:

  • Information is transmitted over the network in clear text in an unencrypted format.
  • By default, users must have the logon locally right to use basic authentication.
  • Basic authentication is susceptible to replay attacks.

Among other HTTP methods, Basic Authentication is rarely recommended due to its security vulnerabilities.
Updated: Viewed: 5026 times