Logo Questions Linux Laravel Mysql Ubuntu Git Menu
HTML CSS JAVASCRIPT SQL PYTHON PHP BOOTSTRAP JAVA JQUERY R React Kotlin
 

Why is the HTTP header for Authentication called Authorization?

Tags:

http

authentication

authorization

Let me quote HTTP 1.1 RFC specification from www.w3.org.

10.4.2 401 Unauthorized

The request requires user authentication. The response MUST include a WWW-Authenticate header field (section 14.47) containing a challenge applicable to the requested resource. The client MAY repeat the request with a suitable Authorization header field (section 14.8).

14.8 Authorization

A user agent that wishes to authenticate itself with a server usually, but not necessarily, after receiving a 401 response does so by including an Authorization request-header field with the request. The Authorization field value consists of credentials containing the authentication information of the user agent for the realm of the resource being requested.

Why the credentials intended to prove user identity (Authentication) passed in Authorization header?

like image 236
Eugene D. Gubenkov Avatar asked May 05 '15 19:05

Eugene D. Gubenkov

People also ask

Why is Authorisation token part of the header of the HTTP request?

The HTTP Authorization request header can be used to provide credentials that authenticate a user agent with a server, allowing access to a protected resource. The Authorization header is usually, but not always, sent after the user agent first attempts to request a protected resource without credentials.

What is the name of the authentication header?

The Authentication Header (AH) protocol provides data origin authentication, data integrity, and replay protection. However, AH does not provide data confidentiality, which means that all of your data is sent in the clear.

What is HTTP header based authentication?

Legacy applications commonly use Header-based authentication. In this scenario, a user (or message originator) authenticates to an intermediary identity solution. The intermediary solution authenticates the user and propagates the required Hypertext Transfer Protocol (HTTP) headers to the destination web service.

Does HTTP headers support authentication?

HTTP supports the use of several authentication mechanisms to control access to pages and other resources. These mechanisms are all based around the use of the 401 status code and the WWW-Authenticate response header. The client sends the user name and password as unencrypted base64 encoded text.

1 Answers

One possibility is that it is talking about the authorization from the user's perspective, not the server's.

There are actually two authorizations going on:

  1. The user authorizing the client to act on their behalf.
  2. The server authorizing the user to access its resources.

If we assume the header is named after 1) then we have:

The user authorized the client to act on their behalf. That authorization goes in the Authorization header. The server then used the user's authorization of the client to authenticate the user (confirm the client is acting on behalf of the user). Now it knows who the user is, it will then do its own separate checks for 2), to see if the user is authorized to perform the request.

like image 178
Adam Millerchip Avatar answered Oct 21 '22 18:10

Adam Millerchip
Sign in to Comment

Related questions

What are nested parameters in http?
View the arguments of a POST-Request in Google App Engine logs
Java: Receive a multipart HTTP response
Correct response to HTTP HEAD Request on HTTPS only site
CentOS VirtualBox 5 second latency on http requests
HTTP: error during reply after 200 OK status code
Is there a public website where I can test POST method? [closed]
Measure Spring RestTemplate HTTP request time
in HTTP mode, does node.js have substantial performance advantage over Java?
Correct HTTP Headers for Images?
Illegal characters in path depending on User-Agent?
Returning a list of javax.ws.rs.core.Response resulting in 500
Override content headers for MVC POST request
Koa's `ctx.status` not getting sent to client
NodeJS HTTP - listen on other port than 80
Why do I get java.net.SocketTimeoutException with OkHttp?
PHP PECL_HTTP vs cURL Extension
Robustly call a flaky API: proper error handling with Net::HTTP
WCF - Random client timeout when making multiple calls
In go, how to inspect the http response that is written to http.ResponseWriter?

Donate For Us

If you love us? You can donate to us via Paypal or buy me a coffee so we can maintain and grow! Thank you!