WWW-Authenticate
The HTTP WWW-Authenticate response header indicates which authentication schemes can be used to access a particular resource.
Usage
The HTTP WWW-Authenticate response header is part of the HTTP Authentication framework, as defined in RFC 7235. A server generates it and includes it in its response when a client has requested a protected resource and the server answers with the status 401 Unauthorized. The authentication-scheme directive is mandatory, whereas the two remaining directives, realm and token68, are optional.
The HTTP WWW-Authenticate header contains at least one authentication-scheme and any parameters or data that are required to perform authentication using it. Multiple schemes can be specified either in separate header lines or in a single line as a comma-delimited list. The commonly used authentication schemes are Basic, Digest, and Negotiate.
Scheme Format Example
The exact format of the HTTP header depends on the Authentication scheme being used. Some examples of the format are as follows:
WWW-Authenticate: <scheme>
WWW-Authenticate: <scheme> realm=<realm>
WWW-Authenticate: <scheme> token68
WWW-Authenticate: <scheme> parameter1=token1
WWW-Authenticate: <scheme> realm=<realm> token68
WWW-Authenticate: <scheme> realm=<realm> token68 parameter1=token1
In addition to the basic formats above, it is possible to specify multiple authentication schemes in a comma-delimited list on a single line.
Consider the Basic authentication scheme (the realm value is a quoted-string, as RFC 7235 requires):
WWW-Authenticate: Basic
WWW-Authenticate: Basic realm="realm@example.re"
WWW-Authenticate: Basic realm="realm@example.re", charset="UTF-8"
Notice that in the Basic scheme, the charset directive is supported. However, token68 is not. This is an example of the scheme dictating the relevant parameters.
The Digest scheme has several mandatory and optional directives, as do the others. It is important to consult the specification for a scheme ahead of implementing it.
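The comma-delimited form is where client-side handling most often goes wrong, because the same comma separates both the parameters of one challenge and the challenges themselves. The following is an added example, not code from the original page: a small Python parser that follows the RFC 7235 challenge grammar, plus a helper that picks a challenge in the client's preference order. The header value in the comments is constructed for illustration.

```python
import re

# Grammar (RFC 7235): challenge = auth-scheme [ 1*SP ( token68 / #auth-param ) ]
# Challenges sharing one header line are comma-separated, and so are the
# auth-params of one challenge, so the parser must decide what each comma means.
TOKEN = r"[!#$%&'*+\-.^_`|~0-9A-Za-z]+"
QUOTED = r'"(?:[^"\\]|\\.)*"'
SCHEME_RE = re.compile(rf"({TOKEN})")
PARAM_RE = re.compile(rf"({TOKEN})[ \t]*=[ \t]*({TOKEN}|{QUOTED})")
TOKEN68_RE = re.compile(r"[A-Za-z0-9\-._~+/]+=*")
SKIP_RE = re.compile(r"[ \t,]*")  # whitespace and empty list elements
WS_RE = re.compile(r"[ \t]+")

def _unquote(v):
    return re.sub(r"\\(.)", r"\1", v[1:-1]) if v.startswith('"') else v

def parse_www_authenticate(value):
    """Parse one WWW-Authenticate field value into [(scheme, params, token68)].
    params has lower-cased names; token68 is the raw blob or None."""
    challenges, pos = [], SKIP_RE.match(value, 0).end()
    while pos < len(value):
        m = SCHEME_RE.match(value, pos)
        if not m:
            raise ValueError(f"expected auth-scheme at offset {pos}")
        scheme, pos, params, token68 = m.group(1), m.end(), {}, None
        ws = WS_RE.match(value, pos)
        if ws and ws.end() < len(value) and value[ws.end()] != ",":
            pos = ws.end()
            if PARAM_RE.match(value, pos) is None:  # not "name=value": must be token68
                m = TOKEN68_RE.match(value, pos)
                if not m:
                    raise ValueError(f"expected token68 or auth-param at offset {pos}")
                token68, pos = m.group(0), m.end()
            else:
                while m := PARAM_RE.match(value, pos):
                    params[m.group(1).lower()] = _unquote(m.group(2))
                    pos, sep = m.end(), SKIP_RE.match(value, m.end())
                    # a comma followed by "name=" continues this challenge; any
                    # other continuation ends it (the next token is a new scheme)
                    if "," not in sep.group(0) or not PARAM_RE.match(value, sep.end()):
                        break
                    pos = sep.end()
        challenges.append((scheme, params, token68))
        pos = SKIP_RE.match(value, pos).end()
    return challenges

def choose_challenge(challenges, preference=("Digest", "Basic")):
    """First offered challenge in the client's preference order; scheme
    names compare case-insensitively (RFC 7235 section 2.1)."""
    by_scheme = {ch[0].lower(): ch for ch in reversed(challenges)}
    return next((by_scheme[p.lower()] for p in preference if p.lower() in by_scheme), None)
```

When a server sends several WWW-Authenticate lines instead of one, call parse_www_authenticate on each line (or join the lines with ", " first) and concatenate the results. An unquoted realm such as realm=realm@example.re is rejected, since @ is not a token character.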
Takeaway
The HTTP WWW-Authenticate response header is used to inform the client of the authentication schemes the server supports for access to protected resources.