我应该使用什么编码进行HTTP基本身份验证？ [英] What encoding should I use for HTTP Basic Authentication?

问题描述

RFC2617表示将用户名和密码编码为base64，但没有说明在创建用于输入base64算法的八位字节时要使用的字符编码。

The RFC2617 says to encode the username and password to base64 but don't say what character encoding to use when creating the octets for input into the base64 algorithm.

我应该假设US-ASCII或UTF8吗？或者有人已经在某个地方解决了这个问题？

Should I assume US-ASCII or UTF8? Or has someone settled this question somewhere already?

推荐答案

原始规范 - RFC 2617

RFC 2617 可以理解为ISO-8859-1或未定义 。你的选择。众所周知，许多服务器使用ISO-8859-1（喜欢与否），并在发送其他内容时失败。所以可能唯一安全的选择就是坚持使用ASCII。

Original spec - RFC 2617

RFC 2617 can be read as "ISO-8859-1" or "undefined". Your choice. It's known that many servers use ISO-8859-1 (like it or not) and will fail when you send something else. So probably the only safe choice is to stick to ASCII.

有关更多信息和修正情况的建议，请参阅草案HTTP基本身份验证的编码参数（构成RFC 7617的基础）。

For more information and a proposal to fix the situation, see the draft "An Encoding Parameter for HTTP Basic Authentication" (which formed the basis for RFC 7617).

自2015年起， RFC 7617 ，它废弃了RFC 2617.与旧的RFC相比，新的RFC明确定义了用于用户名和密码的字符编码。

Since 2015 there is RFC 7617, which obsoletes RFC 2617. In contrast to the old RFC, the new RFC explicitly defines the character encoding to be used for username and password.

• 默认编码仍未定义。只需要与US-ASCII兼容（意味着它将ASCII字节映射到ASCII字节，就像UTF-8那样）。


• 服务器可以选择发送额外的验证参数 charset =UTF-8在其挑战中，如下所示：
  
  WWW-Authenticate：Basic realm =myChosenRealm，charset =UTF-8
  
  这宣布服务器将接受用户名/密码中的非ASCII字符，并且它希望它们以UTF-8编码（具体而言）标准化表格C）。请注意，只允许使用UTF-8。

• The default encoding is still undefined. Is is only required to be compatible with US-ASCII (meaning it maps ASCII bytes to ASCII bytes, like UTF-8 does).
• The server can optionally send an additional authentication parameter charset="UTF-8" in its challenge, like this:
  WWW-Authenticate: Basic realm="myChosenRealm", charset="UTF-8"
  This announces that the server will accept non-ASCII characters in username / password, and that it expects them to be encoded in UTF-8 (specifically Normalization Form C). Note that only UTF-8 is allowed.

完整版：

阅读规范。如果包含其他详细信息，例如确切的编码过程以及应支持的Unicode代码点列表。

Read the spec. If contains additional details, such as the exact encoding procedure, and the list of Unicode codepoints that should be supported.

截至2018年，如果用户为用户名或密码输入非ASCII字符，现代浏览器通常默认为UTF-8（即使服务器不使用 charset 参数）。

As of 2018, modern browsers will usually default to UTF-8 if a user enters non-ASCII characters for username or password (even if the server does not use the charset parameter).

• Chrome似乎也使用UTF-8


• Internet Explorer确实不使用UTF-8（问题＃11879588 ）


• Firefox正在尝试针对v59进行的更改（ bug 1419658 ）

• Chrome also appears to use UTF-8
• Internet Explorer does not use UTF-8 (issue #11879588 )
• Firefox is experimenting with a change currently planned for v59 (bug 1419658)

realm 参数仍然只支持ASCII字符，即使在RFC 7617中也是如此。

The realm parameter still only supports ASCII characters even in RFC 7617.

这篇关于我应该使用什么编码进行HTTP基本身份验证？的文章就介绍到这了，希望我们推荐的答案对大家有所帮助，也希望大家多多支持IT屋！