| Network Working Group | R. Van Rein |
| Internet-Draft | InternetWide.org |
| Intended status: Standards Track | January 24, 2020 |
| Expires: July 27, 2020 |
User Names for HTTP Resources
draft-vanrein-http-unauth-user-02
Most protocols support users under domain names, but HTTP does not. Usage patterns in the wild do suggest a desire to have this facility. This specification defines a header for user names, orthogonal to any authentication or authorisation concerns.
This Internet-Draft is submitted in full conformance with the provisions of BCP 78 and BCP 79.
Internet-Drafts are working documents of the Internet Engineering Task Force (IETF). Note that other groups may also distribute working documents as Internet-Drafts. The list of current Internet-Drafts is at https://datatracker.ietf.org/drafts/current/.
Internet-Drafts are draft documents valid for a maximum of six months and may be updated, replaced, or obsoleted by other documents at any time. It is inappropriate to use Internet-Drafts as reference material or to cite them other than as "work in progress."
This Internet-Draft will expire on July 27, 2020.
Copyright (c) 2020 IETF Trust and the persons identified as the document authors. All rights reserved.
This document is subject to BCP 78 and the IETF Trust's Legal Provisions Relating to IETF Documents (https://trustee.ietf.org/license-info) in effect on the date of publication of this document. Please review these documents carefully, as they describe your rights and restrictions with respect to this document. Code Components extracted from this document must include Simplified BSD License text as described in Section 4.e of the Trust Legal Provisions and are provided without warranty as described in the Simplified BSD License.
Most protocols support Network Access Identifiers [RFC7542] like john@example.com to identify users like john under domains such as example.com. The URI format for HTTP can express [Section 2.7.1 of [RFC7230]] such authority sections, and many online applications seem to want to address individual users, but HTTP URIs do not usually express user names. This specification therefore introduces a header "User", in close parallel to the "Host" header.
Historically, user names have been coupled to (Basic and Digest) authentication. This is not generally correct; the user name in the URI indicates a resource name space, not an (authenticating) visitor. By using a new header field, this specification allows authentication to be orthogonal to resource name space selection.
Some user agents have supported (Basic and Digest) authentication with a "user:password" format in the authority section of URIs. This has now been deprecated [Section 3.2.1 of [RFC3986]] but the form with just "user" and no ":password" continues to be acceptable. Various HTTP clients have different handling for this form, sometimes flagging it incorrectly as a security hazard, which also motivates a specification for proper handling.
TODO: Issue filed with HTTPbis, https://github.com/httpwg/http-core/issues/278 and offered a Pull Request, https://github.com/httpwg/http-core/compare/master...arpa2:userinfo-password as a followup of somewhat late Errata against RFC7230, https://www.rfc-editor.org/errata/eid5964
The purpose of this specification is to define clear meaning for HTTP URIs with a user name.
The "User" header field provides an aspect of the desired resource name scope. The value is usually taken from the authority section [Section 3.2 of [RFC3986]] of the target URI and MUST NOT include a ":" colon (U+003a) character.
User = 1*( unreserved / pct-encoded / sub-delims )
The User header value holds precisely one value with the following ABNF grammar: [RFC3986]. Zeal in the use of the "pct-encoded" non-terminal for plain characters that have a direct representation MAY be treated as an attempted attack.
The User header MAY appear in requests and MUST NOT occur in responses. When unrecognised by HTTP servers, the User header is ignored [Section 3.2.1 of [RFC7230]]. Intermediates such as proxies and caches MUST NOT add, remove or modify the User header.
User agents SHOULD render user names in authority sections whenever they render host names, though it may be helpful if it stands out graphically [Section 7.6 of [RFC3986]]. User agents SHOULD NOT remove user names from the target URI. User agents MAY remove the "@" (U+0040) symbol from a URI when the preceding user name is empty. User agents MUST refuse URIs with a ":" colon (U+003a) in the user name but MUST NOT complain about a user name that does not have that character.
During redirects or other traversals to (relative) HTTP URIs, the user name MUST be overwritten when the new URI specifies an authority component, and it MUST be kept otherwise.
The privacy or security of an HTTP resource is not impacted by the use of a User header. This is because User is about resource location, but not about client identity.
HTTP caches [RFC7234] need to distinguish requests with different User header values. The Vary header [Section 7.1.4 of [RFC7231]] MUST be present in the matching response, and the header MUST either be a single "*" star (U+002a) or list the "user" name, for all responses whose processing was influenced by the User header. This requirement does not apply to software and configurations that ignore the User header.
Header Field Name Template Protocol Status Reference ------------------ --------- --------- ------- ---------- User http TBD TBD:THIS_SPEC
IANA adds the following entry to the Message Headers registry:
The User header field as defined herein is orthogonal to issues of authentication or authorisation, and adds no security concerns.
| [RFC3986] | Berners-Lee, T., Fielding, R. and L. Masinter, "Uniform Resource Identifier (URI): Generic Syntax", STD 66, RFC 3986, DOI 10.17487/RFC3986, January 2005. |
| [RFC7230] | Fielding, R. and J. Reschke, "Hypertext Transfer Protocol (HTTP/1.1): Message Syntax and Routing", RFC 7230, DOI 10.17487/RFC7230, June 2014. |
| [RFC7231] | Fielding, R. and J. Reschke, "Hypertext Transfer Protocol (HTTP/1.1): Semantics and Content", RFC 7231, DOI 10.17487/RFC7231, June 2014. |
| [RFC7234] | Fielding, R., Nottingham, M. and J. Reschke, "Hypertext Transfer Protocol (HTTP/1.1): Caching", RFC 7234, DOI 10.17487/RFC7234, June 2014. |
| [RFC7542] | DeKok, A., "The Network Access Identifier", RFC 7542, DOI 10.17487/RFC7542, May 2015. |
The following variable SHOULD be passed up to applications on a HTTP server: