What encoding should I use for HTTP Basic Authentication?

by

Original spec – RFC 2617

RFC 2617 can be read as “ISO-8859-1” or “undefined”. Your choice. It’s known that many servers use ISO-8859-1 (like it or not) and will fail when you send something else. So probably the only safe choice is to stick to ASCII.

For more information and a proposal to fix the situation, see the draft “An Encoding Parameter for HTTP Basic Authentication” (which formed the basis for RFC 7617).

New – RFC 7617

Since 2015 there is RFC 7617, which obsoletes RFC 2617. In contrast to the old RFC, the new RFC explicitly defines the character encoding to be used for username and password.

  • The default encoding is still undefined. Is is only required to be compatible with US-ASCII (meaning it maps ASCII bytes to ASCII bytes, like UTF-8 does).
  • The server can optionally send an additional authentication parameter charset="UTF-8" in its challenge, like this:
    WWW-Authenticate: Basic realm="myChosenRealm", charset="UTF-8"
    This announces that the server will accept non-ASCII characters in username / password, and that it expects them to be encoded in UTF-8 (specifically Normalization Form C). Note that only UTF-8 is allowed.

Complete version:

Read the spec. It contains additional details, such as the exact encoding procedure, and the list of Unicode codepoints that should be supported.

Browser support

As of 2018, modern browsers will usually default to UTF-8 if a user enters non-ASCII characters for username or password (even if the server does not use the charset parameter).

  • Chrome also appears to use UTF-8
  • Internet Explorer does not use UTF-8 (issue #11879588 )
  • Firefox is experimenting with a change currently planned for v59 (bug 1419658)

Realm

The realm parameter still only supports ASCII characters even in RFC 7617.

More Related Contents:

  1. How to log out user from web site using BASIC authentication?
  2. How to display the Authentication Challenge in UIWebView?
  3. What is the “realm” in basic authentication
  4. Escaping username characters in basic auth URLs
  5. Basic HTTP authentication in Node.JS?
  6. How to define the basic HTTP authentication using cURL correctly?
  7. Getting Basic Authentication to work with ColdFusion
  8. Why is an OPTIONS request sent and can I disable it?
  9. How to set HTTP headers (for cache-control)?
  10. What’s the difference between a POST and a PUT HTTP REQUEST?
  11. ‘Refresh’ HTTP header
  12. HTTP status code for update and delete?
  13. Why is it common to put CSRF prevention tokens in cookies?
  14. Which status code should I use for failed validations or invalid duplicates?
  15. What are all the possible values for HTTP “Content-Type” header?
  16. Ideal HTTP cache control headers for different types of resources
  17. Correct way to delete cookies server-side
  18. Detect end of HTTP request body
  19. Proper REST response for empty table?
  20. How to correctly set Http Request Header in Angular 2
  21. Max memory usage of a chrome process (tab) & how do I increase it?
  22. What is a full specification of X-Forwarded-Proto HTTP header?
  23. Do web browsers always send a trailing slash after a domain name?
  24. What exactly is an HTTP Entity?
  25. Payloads of HTTP Request Methods
  26. What HTTP response headers are required
  27. Is it acceptable for a server to send a HTTP response before the entire request has been received?
  28. Domain set cookie for subdomain
  29. Reading cookies via HTTPS that were set using HTTP
  30. What does HTTP/1.1 302 mean exactly?

Leave a Comment