Why is the HTTP header for Authentication called Authorization?

Let me quote the HTTP 1.1 RFC specification from www.w3.org.

10.4.2 401 Unauthorized

The request requires user authentication. The response MUST include a WWW-Authenticate header field (section 14.47) containing a challenge applicable to the requested resource. The client MAY repeat the request with a suitable Authorization header field (section 14.8).

14.8 Authorization

A user agent that wishes to authenticate itself with a server, usually, but not necessarily, after receiving a 401 response, does so by including an Authorization request-header field with the request. The Authorization field value consists of credentials containing the authentication information of the user agent for the realm of the resource being requested.

Why are the credentials intended to prove user identity (Authentication) passed in the Authorization header?

236 likes
Eugene D. Gubenkov asked May 05 '15 19:05



1 Answer

One possibility is that it is talking about the authorization from the user's perspective, not the server's.

There are actually two authorizations going on:

  1. The user authorizing the client to act on their behalf.
  2. The server authorizing the user to access its resources.

If we assume the header is named after 1) then we have:

The user authorized the client to act on their behalf. That authorization goes in the Authorization header. The server then used the user's authorization of the client to authenticate the user (confirm the client is acting on behalf of the user). Now that it knows who the user is, it will then do its own separate checks for 2), to see if the user is authorized to perform the request.

178 likes
Adam Millerchip answered Oct 21 '22 18:10
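The two steps the answer separates, as an added example that is not code from the original page: a minimal Python request handler that first authenticates the Basic credentials carried in the Authorization header (challenging with WWW-Authenticate when they are missing or wrong, as in RFC 2616 10.4.2) and only then runs the server's own, separate authorization check. The user names, passwords, paths and roles are constructed sample data.

```python
import base64, hashlib, hmac, os

def _verifier(password, salt):
    # Slow, salted KDF so the store holds a verifier rather than a reusable hash.
    return hashlib.pbkdf2_hmac("sha256", password.encode(), salt, 100_000)

def _user(password, roles):
    salt = os.urandom(16)
    return {"salt": salt, "verifier": _verifier(password, salt), "roles": roles}

# Constructed sample user store and access policy (not from the original page).
USERS = {"alice": _user("correct horse", {"reader", "admin"}),
         "bob": _user("hunter2", {"reader"})}
POLICY = {"/reports": "reader", "/admin": "admin"}  # path -> role required

def basic_header(user, password):
    # What the client sends once the user has handed it credentials (RFC 7617).
    return "Basic " + base64.b64encode(f"{user}:{password}".encode()).decode()

def authenticate(headers):
    # Step 1, authentication: establish who the client is acting for.
    scheme, _, param = headers.get("Authorization", "").partition(" ")
    if scheme.lower() != "basic":
        return None
    try:
        user, sep, password = base64.b64decode(param, validate=True).decode().partition(":")
    except (ValueError, UnicodeDecodeError):  # malformed base64 or not UTF-8
        return None
    record = USERS.get(user)
    if not sep or record is None:
        return None
    ok = hmac.compare_digest(_verifier(password, record["salt"]), record["verifier"])
    return user if ok else None  # constant-time comparison of verifiers

def authorize(user, path):
    # Step 2, authorization: the server's own check, separate from step 1.
    required = POLICY.get(path)
    return required is not None and required in USERS[user]["roles"]

def handle(path, headers):
    # Returns (status, response headers) for one request.
    user = authenticate(headers)
    if user is None:  # no or bad credentials: challenge (RFC 2616 10.4.2)
        return 401, {"WWW-Authenticate": 'Basic realm="example"'}
    if not authorize(user, path):  # authenticated, but not permitted here
        return 403, {}
    return 200, {}
```

A 401 here always means "I could not establish who you are", while a 403 means "I know who you are and you are not allowed"; keeping the two checks in separate functions is what makes that distinction hold.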