What encoding should I use for HTTP Basic Authentication?


Question


The RFC2617 says to encode the username and password to base64 but doesn't say what character encoding to use when creating the octets for input into the base64 algorithm.

Should I assume US-ASCII or UTF8? Or has someone settled this question somewhere already?

Solution

Original spec - RFC 2617

RFC 2617 can be read as "ISO-8859-1" or "undefined". Your choice. It's known that many servers use ISO-8859-1 (like it or not) and will fail when you send something else. So probably the only safe choice is to stick to ASCII.

For more information and a proposal to fix the situation, see the draft "An Encoding Parameter for HTTP Basic Authentication" (which formed the basis for RFC 7617).

New - RFC 7617

Since 2015 there is RFC 7617, which obsoletes RFC 2617. In contrast to the old RFC, the new RFC explicitly defines the character encoding to be used for username and password.

  • The default encoding is still undefined. It is only required to be compatible with US-ASCII (meaning it maps ASCII bytes to ASCII bytes, like UTF-8 does).
  • The server can optionally send an additional authentication parameter charset="UTF-8" in its challenge, like this:
    WWW-Authenticate: Basic realm="myChosenRealm", charset="UTF-8"
    This announces that the server will accept non-ASCII characters in username / password, and that it expects them to be encoded in UTF-8 (specifically Normalization Form C). Note that only UTF-8 is allowed.

Complete version:

Read the spec. It contains additional details, such as the exact encoding procedure, and the list of Unicode codepoints that should be supported.

Browser support

As of 2018, modern browsers will usually default to UTF-8 if a user enters non-ASCII characters for username or password (even if the server does not use the charset parameter).

  • Chrome also appears to use UTF-8
  • Internet Explorer does not use UTF-8 (issue #11879588)
  • Firefox is experimenting with a change currently planned for v59 (bug 1419658)

Realm

The realm parameter still only supports ASCII characters even in RFC 7617.
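
As an added example (not part of the original answer), here is a Python client that picks the octet encoding from the server's challenge the way the answer describes: UTF-8 in Normalization Form C when `charset="UTF-8"` is announced, ASCII only otherwise. The function names, the sample credentials, and the policy of refusing non-ASCII input when no charset is announced are assumptions made for this illustration.

```python
import base64
import re
import unicodedata

def announces_utf8(challenge: str) -> bool:
    """True if a Basic challenge carries charset="UTF-8" (matched case-insensitively)."""
    if not challenge.strip().lower().startswith("basic"):
        return False
    # Simplified parameter scan; a full parser would skip quoted realm contents.
    m = re.search(r'\bcharset\s*=\s*"?([\w-]+)"?', challenge, re.IGNORECASE)
    return bool(m) and m.group(1).lower() == "utf-8"

def basic_header(user: str, password: str, challenge: str) -> str:
    """Build the Authorization value for the given WWW-Authenticate challenge."""
    if ":" in user:
        # The server splits at the first colon, so a colon in the user-id is invalid.
        raise ValueError("user-id must not contain ':'")
    userpass = f"{user}:{password}"
    if announces_utf8(challenge):
        # Server opted in: normalize to NFC, then encode as UTF-8.
        octets = unicodedata.normalize("NFC", userpass).encode("utf-8")
    else:
        # Encoding is undefined here; the policy assumed in this example is to
        # refuse non-ASCII input rather than guess between ISO-8859-1 and UTF-8.
        try:
            octets = userpass.encode("ascii")
        except UnicodeEncodeError:
            raise ValueError("non-ASCII credentials, no charset announced") from None
    return "Basic " + base64.b64encode(octets).decode("ascii")

def token_for(userpass: str, codec: str) -> str:
    """Base64 token for one string under a given codec, to show how guesses diverge."""
    return base64.b64encode(userpass.encode(codec)).decode("ascii")

if __name__ == "__main__":
    # Constructed sample input: challenge from the answer, made-up credentials.
    utf8_challenge = 'Basic realm="myChosenRealm", charset="UTF-8"'
    print(basic_header("test", "123£", utf8_challenge))
    # Same characters, different octets: a server decoding with the other
    # codec sees a different password and rejects the login.
    print(token_for("test:123£", "utf-8"), token_for("test:123£", "iso-8859-1"))
```

The two tokens printed on the last line differ only because of the codec, which is why a client and server that disagree on the encoding fail authentication for any password containing non-ASCII characters.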
