Proxy-Authorization
The HTTP Proxy-Authorization request header carries credentials for authenticating a client with a proxy server to gain access to the requested resource.
Usage
The Proxy-Authorization header is sent after a proxy returns a 407 status code along with a Proxy-Authenticate challenge. The client constructs credentials matching the requested Authentication scheme and includes them in the Proxy-Authorization header when resubmitting the request.
Once the proxy validates the credentials, the request is forwarded to the destination server. The proxy that issued the challenge consumes the Proxy-Authorization header; it relays the credentials to the next proxy only when the proxies in a chain authenticate the request cooperatively.
The equivalent header for origin server authentication is Authorization, which is sent in response to a 401 status code carrying a WWW-Authenticate challenge.
Directives
scheme
The scheme value identifies the authentication method being used. The value matches one of the schemes offered in the proxy's Proxy-Authenticate challenge.
Common schemes include Basic, Digest, Bearer, and Negotiate.
credentials
The credentials portion follows the scheme name and contains the authentication data. The format depends on the scheme.
For Basic authentication, the credentials are a Base64-encoded username:password pair.
For Digest authentication, the credentials include a username, realm, nonce, uri, and response hash among other parameters.
For Bearer authentication, the credentials consist of an opaque access token.
Example
A client authenticating with the Basic scheme sends a Base64-encoded username and password pair. Decoding dXNlcjpwYXNzd29yZA== reveals user:password.
Proxy-Authorization: Basic dXNlcjpwYXNzd29yZA==
A Digest authentication response includes the computed hash and the nonce from the proxy's challenge.
Proxy-Authorization: Digest username="admin", realm="proxy@example.re", nonce="dcd98b7102dd2f0e8b11d0f600bfb0c093", uri="/resource", response="6629fae49393a05397450978507c4ef1"
A Bearer token issued by an OAuth authorization server is passed directly as the credential value.
Proxy-Authorization: Bearer eyJhbGciOiJSUzI1NiIs...
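An added example, not part of the original page: a Python parser for the three credential formats shown above, with a helper that summarizes the header for logs without the secret, since Basic credentials are only Base64-encoded. The names parse_proxy_authorization and redact_for_log and the log format are assumptions of this example.

```python
import base64
import re

# Digest parameters: key=token or key="quoted string" (escaped quotes not handled).
_PARAM = re.compile(r'(\w+)=(?:"([^"]*)"|([^\s,]+))')

def parse_proxy_authorization(value):
    """Split a Proxy-Authorization value into scheme and scheme-specific fields."""
    scheme, _, creds = value.strip().partition(" ")
    scheme, creds = scheme.lower(), creds.strip()  # scheme names are case-insensitive
    if not scheme or not creds:
        raise ValueError("expected '<scheme> <credentials>'")
    if scheme == "basic":
        # Tolerate missing '=' padding, then decode strictly.
        padded = creds + "=" * (-len(creds) % 4)
        decoded = base64.b64decode(padded, validate=True).decode("utf-8")
        user, sep, password = decoded.partition(":")  # only the first ':' separates
        if not sep:
            raise ValueError("Basic credentials lack the ':' separator")
        return {"scheme": scheme, "username": user, "password": password}
    if scheme == "digest":
        fields = {m[1].lower(): m[2] if m[2] is not None else m[3]
                  for m in _PARAM.finditer(creds)}
        if not {"username", "realm", "nonce", "uri", "response"} <= set(fields):
            raise ValueError("Digest credentials are missing required parameters")
        return {**fields, "scheme": scheme}
    return {"scheme": scheme, "token": creds}  # Bearer, Negotiate, others: opaque

def redact_for_log(value):
    """Return a log-safe summary: scheme and username only, never secrets."""
    try:
        parsed = parse_proxy_authorization(value)
    except ValueError:
        return "<malformed Proxy-Authorization>"
    user = parsed.get("username")
    if user is None:
        return f"{parsed['scheme']} <redacted>"
    return f"{parsed['scheme']} user={user!r}"

# Constructed samples modelled on the page's examples (Basic value left unpadded).
SAMPLES = [
    "Basic dXNlcjpwYXNzd29yZA",
    'Digest username="admin", realm="proxy@example.re", '
    'nonce="dcd98b7102dd2f0e8b11d0f600bfb0c093", uri="/resource", '
    'response="6629fae49393a05397450978507c4ef1"',
    "Bearer eyJhbGciOiJSUzI1NiIs...",
]
if __name__ == "__main__":
    print(*map(redact_for_log, SAMPLES), sep="\n")
```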
Takeaway
The HTTP Proxy-Authorization request header delivers credentials to a proxy server in response to a Proxy-Authenticate challenge, completing the proxy-level authentication exchange.
See also
- RFC 9110: HTTP Semantics - Proxy-Authorization
- Proxy-Authenticate
- Authorization
- Authentication
- HTTP headers