 

Colon character in AuthenticationHeaderValue

When reading about Basic Authentication I always find examples similar to this:

using System;
using System.Net.Http;
using System.Net.Http.Headers;
HttpClient sClient = new HttpClient();
sClient.DefaultRequestHeaders.Authorization =
  new AuthenticationHeaderValue("Basic", Convert.ToBase64String(System.Text.ASCIIEncoding.ASCII.GetBytes("UserName:Password")));

To me this seems to mean the colon character ":" should not be used in passwords. Does this mean that the colon character should be forbidden for passwords and usernames?

Is this a general assumption for basic authentication? How to handle this in case you have an existing user base with colon characters in the credentials?

Sjoerd222888 asked Sep 02 '25 02:09



1 Answer

Technically, : is forbidden in usernames: https://www.ietf.org/rfc/rfc2617.txt

To receive authorization, the client sends the userid and password,
separated by a single colon (":") character, within a base64 [7]
encoded string in the credentials.

  basic-credentials = base64-user-pass
  base64-user-pass  = <base64 [4] encoding of user-pass,
                   except not limited to 76 char/line>
  user-pass   = userid ":" password
  userid      = *<TEXT excluding ":">
  password    = *TEXT

Notably: RFC2617 doesn't say what to do if the username contains a colon. Both IE and Firefox simply include it bare, probably the worst option.

If you have a username that contains a :, you should probably %-escape it to %3a to distinguish it from the delimiter. Whether or not the server supports that depends on the server.

Having said all that, HTTP Basic is a pretty terrible authentication scheme; using something that better protects the client's credentials is a better choice.

EricLaw answered Sep 05 '25 18:09

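The following is an added example, not code from the question or the answer, written in Python because the Basic credential format is language-independent. It builds and parses `userid ":" password` as the RFC grammar quoted above defines it: the userid may not contain a colon, but the password may, so a correct server splits on the first colon only. It also shows what goes wrong when a colon in the userid is sent bare, and the %-escaping workaround the answer suggests, which only works if the server agrees to unescape (the `unescape_userid` flag is this example's own assumption, not any standard behaviour). Credentials are encoded as UTF-8 here; the question's snippet uses ASCII.

```python
import base64
import re
from urllib.parse import quote, unquote


def user_pass(userid: str, password: str) -> str:
    """Build the RFC 2617 user-pass string. Only the userid is restricted:
    the delimiter is the FIRST colon, so passwords may contain ':'."""
    if ":" in userid:
        raise ValueError("userid must not contain ':' (RFC 2617: userid = *<TEXT excluding \":\">)")
    return f"{userid}:{password}"


def encode_basic(userid: str, password: str, escape_userid: bool = False) -> str:
    """Client side: return the Authorization header value.
    escape_userid=True applies the answer's workaround: the colon in the userid
    becomes %3A before encoding (assumption: the server unescapes it)."""
    if escape_userid:
        userid = quote(userid, safe="")  # ':' -> '%3A'; '%' itself is escaped too
    return "Basic " + base64.b64encode(user_pass(userid, password).encode("utf-8")).decode("ascii")


def encode_basic_bare(userid: str, password: str) -> str:
    """What the answer says IE/Firefox do: include a colon in the userid bare, unchecked."""
    return "Basic " + base64.b64encode(f"{userid}:{password}".encode("utf-8")).decode("ascii")


_BASIC = re.compile(r"^Basic\s+([A-Za-z0-9+/=]+)\s*$", re.IGNORECASE)


def decode_basic(header: str, unescape_userid: bool = False) -> tuple[str, str]:
    """Server side: parse an Authorization header into (userid, password).
    Splits on the FIRST colon only so that passwords containing ':' round-trip.
    Malformed input (bad scheme, bad base64, no delimiter) raises ValueError."""
    m = _BASIC.match(header)
    if not m:
        raise ValueError("not a Basic credential")
    try:
        raw = base64.b64decode(m.group(1), validate=True).decode("utf-8")
    except (ValueError, UnicodeDecodeError) as exc:  # binascii.Error is a ValueError
        raise ValueError("invalid base64 or text encoding") from exc
    if ":" not in raw:
        raise ValueError("user-pass must contain the ':' delimiter")
    userid, password = raw.split(":", 1)
    if unescape_userid:
        userid = unquote(userid)
    return userid, password


def demo() -> dict:
    """Constructed sample credentials exercising the cases discussed above."""
    results = {}
    # RFC 7617's own example pair
    results["rfc"] = encode_basic("Aladdin", "open sesame")
    # a password with colons survives because the server splits on the first colon
    results["pw_colon"] = decode_basic(encode_basic("alice", "p:ss:w0rd"))
    # a bare colon in the userid is ambiguous: everything after the first colon
    # is attributed to the password, so "dom:alice" logs in as user "dom"
    results["bare"] = decode_basic(encode_basic_bare("dom:alice", "pw"))
    # %-escaped userid: unchanged unless the server unescapes it
    hdr = encode_basic("dom:alice", "pw", escape_userid=True)
    results["escaped_raw"] = decode_basic(hdr)
    results["escaped"] = decode_basic(hdr, unescape_userid=True)
    return results


if __name__ == "__main__":
    for name, value in demo().items():
        print(f"{name}: {value!r}")
```

The `bare` case is the point of the answer: with the delimiter ambiguous, the server cannot tell where the userid ends, so it silently authenticates a different account name with a different password than the client intended. The `escaped` case only yields the right userid because both sides agree on the escaping convention.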