The HTTP WWW-authenticate response header indicates which authentication messages can be used to access a particular resource.
The HTTP WWW-authenticate response header is part of the HTTP Authentication framework, as defined in RFC 7235. It is generated and included in HTTP responses from a server where a client has requested a protected resource and the server returned HTTP error message 401 Unauthorized. The mandatory directive is the
authentication-scheme, whereas the two remaining directives,
token68, are optional.
The HTTP WWW-authenticate header contains at least one
authentication-scheme and any parameters or data that are required to perform authentication using it. Multiple schemes can be specified either on separate lines or in a single line with a comma-delimited format. The commonly used Authentication schemes are
Scheme Format Example
The exact format of the HTTP header depends on the Authentication scheme being used. Some examples of the format are as follows:
WWW-Authenticate: <scheme> WWW-Authenticate: <scheme> realm=<realm> WWW-Authenticate: <scheme> token68 WWW-Authenticate: <scheme> parameter1=token1 WWW-Authenticate: <scheme> realm=<realm> token68 WWW-Authenticate: <scheme> realm=<realm> token68 parameter1=token1
In addition to the basic formats, above, it is possible to specify multiple Authentication schemes in a comma-delimited list on a single line.
Basic Authentication scheme:
WWW-Authenticate: Basic WWW-Authenticate: Basic firstname.lastname@example.org WWW-Authenticate: Basic email@example.com, charset="UTF-8"
Notice that in the
Basic scheme, the
charset directive is supported. However,
token68 is not. This is an example of the scheme dictating the relevant parameters.
Digest scheme has several mandatory and optional directives, as do the others. It is important to consult the specification for a scheme ahead of implementing it.
The HTTP WWW-authenticate response header is used to inform the client concerning supported Authentication schemes that are needed to access protected resources.