Basic Access Authentication

Specified in RFC 7617, which replaced the Basic scheme definition in RFC 2617.

Last updated 4 years ago

From Wikipedia:

HTTP Basic authentication (BA) implementation is the simplest technique for enforcing access controls to web resources because it does not require cookies, session identifiers, or login pages; rather, HTTP Basic authentication uses standard fields in the HTTP header.

User credentials are ALWAYS passed with each request: once the browser has answered a challenge, it re-sends the Authorization header on every request within the protection space of that challenge (the /logout request in the capture below, which lies outside that space, is the one request sent without it).

Below is the complete flow of BA, captured between a browser and a Spring Boot application on localhost:8080.

On the first request the server answers 401 with a WWW-Authenticate: Basic challenge, and the browser pops up a dialog asking for a username and password.

[browser -> server]
GET /api/v1/students/1 HTTP/1.1
Host: localhost:8080
Connection: keep-alive
Upgrade-Insecure-Requests: 1
User-Agent: Mozilla/5.0 (X11; Linux x86_64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/85.0.4183.102 Safari/537.36
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/avif,image/webp,image/apng,*/*;q=0.8,application/signed-exchange;v=b3;q=0.9
Sec-Fetch-Site: none
Sec-Fetch-Mode: navigate
Sec-Fetch-User: ?1
Sec-Fetch-Dest: document
Accept-Encoding: gzip, deflate, br
Accept-Language: en-US,en;q=0.9

[server -> browser]
HTTP/1.1 401 
Set-Cookie: JSESSIONID=210714AAD8969DA2E5E6E02A04871CA4; Path=/; HttpOnly
WWW-Authenticate: Basic realm="Realm"
X-Content-Type-Options: nosniff
X-XSS-Protection: 1; mode=block
Cache-Control: no-cache, no-store, max-age=0, must-revalidate
Pragma: no-cache
Expires: 0
X-Frame-Options: DENY
Content-Type: text/html;charset=UTF-8
Content-Language: en-US
Content-Length: 301
Date: Sun, 13 Sep 2020 17:26:46 GMT

<html><body><h1>Whitelabel Error Page</h1><p>This application has no explicit mapping for /error, so you are seeing this as a fallback.</p><div id='created'>Mon Sep 14 01:26:46 PST 2020</div><div>There was an unexpected error (type=Unauthorized, status=401).</div><div>Unauthorized</div></body></html>

[browser -> server]
GET /api/v1/students/1 HTTP/1.1
Host: localhost:8080
Connection: keep-alive
Cache-Control: max-age=0
Authorization: Basic YW5uYXNtaXRoOnBhc3N3b3Jk
Upgrade-Insecure-Requests: 1
User-Agent: Mozilla/5.0 (X11; Linux x86_64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/85.0.4183.102 Safari/537.36
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/avif,image/webp,image/apng,*/*;q=0.8,application/signed-exchange;v=b3;q=0.9
Sec-Fetch-Site: none
Sec-Fetch-Mode: navigate
Sec-Fetch-User: ?1
Sec-Fetch-Dest: document
Accept-Encoding: gzip, deflate, br
Accept-Language: en-US,en;q=0.9
Cookie: JSESSIONID=210714AAD8969DA2E5E6E02A04871CA4

[server -> browser]
HTTP/1.1 200 
Set-Cookie: JSESSIONID=48FB099FAFE03D62312FD95CA75DBDDE; Path=/; HttpOnly
X-Content-Type-Options: nosniff
X-XSS-Protection: 1; mode=block
Cache-Control: no-cache, no-store, max-age=0, must-revalidate
Pragma: no-cache
Expires: 0
X-Frame-Options: DENY
Content-Type: application/json
Transfer-Encoding: chunked
Date: Sun, 13 Sep 2020 17:27:03 GMT

{"studentId":1,"studentName":"James Bond"}

[browser -> server]
GET /api/v1/students/2 HTTP/1.1
Host: localhost:8080
Connection: keep-alive
Authorization: Basic YW5uYXNtaXRoOnBhc3N3b3Jk
Upgrade-Insecure-Requests: 1
User-Agent: Mozilla/5.0 (X11; Linux x86_64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/85.0.4183.102 Safari/537.36
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/avif,image/webp,image/apng,*/*;q=0.8,application/signed-exchange;v=b3;q=0.9
Sec-Fetch-Site: none
Sec-Fetch-Mode: navigate
Sec-Fetch-User: ?1
Sec-Fetch-Dest: document
Accept-Encoding: gzip, deflate, br
Accept-Language: en-US,en;q=0.9
Cookie: JSESSIONID=48FB099FAFE03D62312FD95CA75DBDDE

[server -> browser]
HTTP/1.1 200 
X-Content-Type-Options: nosniff
X-XSS-Protection: 1; mode=block
Cache-Control: no-cache, no-store, max-age=0, must-revalidate
Pragma: no-cache
Expires: 0
X-Frame-Options: DENY
Content-Type: application/json
Transfer-Encoding: chunked
Date: Sun, 13 Sep 2020 17:27:22 GMT

{"studentId":2,"studentName":"Maria Jones"}

[browser -> server]
GET /logout HTTP/1.1
Host: localhost:8080
Connection: keep-alive
Upgrade-Insecure-Requests: 1
User-Agent: Mozilla/5.0 (X11; Linux x86_64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/85.0.4183.102 Safari/537.36
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/avif,image/webp,image/apng,*/*;q=0.8,application/signed-exchange;v=b3;q=0.9
Sec-Fetch-Site: none
Sec-Fetch-Mode: navigate
Sec-Fetch-User: ?1
Sec-Fetch-Dest: document
Accept-Encoding: gzip, deflate, br
Accept-Language: en-US,en;q=0.9
Cookie: JSESSIONID=48FB099FAFE03D62312FD95CA75DBDDE

[server -> browser]
HTTP/1.1 404 
X-Content-Type-Options: nosniff
X-XSS-Protection: 1; mode=block
Cache-Control: no-cache, no-store, max-age=0, must-revalidate
Pragma: no-cache
Expires: 0
X-Frame-Options: DENY
Content-Type: text/html;charset=UTF-8
Content-Language: en-US
Content-Length: 306
Date: Sun, 13 Sep 2020 17:27:35 GMT

<html><body><h1>Whitelabel Error Page</h1><p>This application has no explicit mapping for /error, so you are seeing this as a fallback.</p><div id='created'>Mon Sep 14 01:27:35 PST 2020</div><div>There was an unexpected error (type=Not Found, status=404).</div><div>No message available</div></body></html>

Note that the second request, to /api/v1/students/2, no longer pops up the auth dialog, yet it still carries the same Authorization header: the browser caches the credentials after the first successful challenge and attaches them itself to every later request in the same protection space, i.e. paths at or below the directory of the URI that was challenged (RFC 7617 section 2.2; here /api/v1/students/). That scope rule is also why the GET /logout request above is sent without an Authorization header. It is nevertheless answered with 404 rather than 401, so it was treated as authenticated: the fresh JSESSIONID in the Set-Cookie of the first 200 response shows that Spring Security also stored the authenticated context in an HTTP session, and that cookie is what carried the /logout request through. Configuring the session policy as stateless removes that side channel and makes the header the only thing that authenticates a request.

Note also that BA itself has no logout concept: the server keeps no credential state for the client, so there is nothing on the server side to clear. The GET /logout above simply falls through to an application with no handler for that path and gets a 404 (Spring Security's default logout endpoint only accepts POST while CSRF protection is enabled).

Form-based authentication improves on BA exactly here: its /logout invalidates the server-side session and clears the cookie, so the user is really signed out. With BA the browser keeps the credentials cached, typically until it is closed, and there is no standard way for the server to make it forget them; RFC 7617 treats that caching as user-agent behaviour rather than part of the protocol, which is why it remains a security issue in practice. Two further caveats: the header is only Base64, not encryption (YW5uYXNtaXRoOnBhc3N3b3Jk above decodes to annasmith:password), so BA is acceptable only over TLS; and since the same credential travels with every request, anything that can read one request (a proxy, a log, an injected script) has the password itself.
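The flow captured above and the caching behaviour discussed in the notes after it, as an added, self-contained example that is not code from the original page or from Spring Boot: a minimal RFC 7617 server that issues the 401 challenge and checks credentials with a constant-time compare, plus a browser-like client that caches the credentials per protection space and replays them. The names USERS, BasicAuthHandler, BrowserLikeClient and run_flow, the user annasmith:password, the routes and the JSON bodies are all assumptions constructed for illustration; the server deliberately keeps no session, so /logout is only a 404 and nothing but the client's own cache ends the "session".

```python
# Added example (not code from the original page or from Spring Boot): an RFC 7617 exchange
# between a minimal challenging server and a browser-like client that caches credentials.
# USERS, the routes and the JSON bodies are constructed for illustration.
import base64
import hmac
import http.client
import threading
from http.server import BaseHTTPRequestHandler, HTTPServer

REALM = "Realm"
USERS = {"annasmith": "password"}  # constructed; a real app stores password hashes


def build_basic_header(user, password):
    """RFC 7617: 'Basic ' + Base64 of 'user-id:password' in UTF-8 (encoding, not encryption)."""
    return "Basic " + base64.b64encode(f"{user}:{password}".encode("utf-8")).decode("ascii")


def parse_basic_header(value):
    """(user, password) or None; split on the FIRST colon, RFC 7617 allows ':' in passwords."""
    scheme, _, token = (value or "").strip().partition(" ")
    if scheme.lower() != "basic" or not token:
        return None
    try:
        raw = base64.b64decode(token.strip(), validate=True).decode("utf-8")
    except (ValueError, UnicodeDecodeError):
        return None
    user, sep, password = raw.partition(":")
    return (user, password) if sep else None


def check_credentials(header):
    creds = parse_basic_header(header)
    if creds is None:
        return False
    user, password = creds
    # compare_digest avoids a content-dependent early exit; an unknown user is checked
    # against "" and then rejected by the membership test.
    return hmac.compare_digest(password.encode(), USERS.get(user, "").encode()) and user in USERS


class BasicAuthHandler(BaseHTTPRequestHandler):
    ROUTES = {"/api/v1/students/1": b'{"studentId":1,"studentName":"James Bond"}',
              "/api/v1/students/2": b'{"studentId":2,"studentName":"Maria Jones"}'}

    def do_GET(self):
        body, headers = b"", []
        if self.path.startswith("/api/") and not check_credentials(self.headers.get("Authorization")):
            status = 401  # the challenge; this header is what makes a browser show its dialog
            headers.append(("WWW-Authenticate", f'Basic realm="{REALM}", charset="UTF-8"'))
        elif self.path in self.ROUTES:
            status, body = 200, self.ROUTES[self.path]
            headers.append(("Content-Type", "application/json"))
        else:  # e.g. /logout: no handler, and no server-side credential state to clear
            status = 404
        self.send_response(status)
        for name, value in headers + [("Content-Length", str(len(body)))]:
            self.send_header(name, value)
        self.end_headers()
        self.wfile.write(body)


class BrowserLikeClient:
    """Browser-style credential cache: a 401 triggers the 'dialog' (prompt); the header is then
    sent preemptively to every path under the challenged path's directory (RFC 7617 section 2.2)
    until the client itself forgets it. get() returns (status, authorization_sent)."""

    def __init__(self, host, port, prompt):
        self.host, self.port, self.prompt = host, port, prompt
        self.cache, self.prompts = {}, 0  # protection-space prefix -> header; dialog count

    def get(self, path):
        auth = next((a for p, a in self.cache.items() if path.startswith(p)), None)
        status = self._send(path, auth)
        if status == 401 and auth is None:
            self.prompts += 1
            creds = self.prompt()  # None models the user cancelling the dialog
            if creds is None:
                return status, False
            auth = build_basic_header(*creds)
            self.cache[path.rsplit("/", 1)[0] + "/"] = auth
            status = self._send(path, auth)
        return status, auth is not None

    def _send(self, path, auth):
        conn = http.client.HTTPConnection(self.host, self.port, timeout=5)
        conn.request("GET", path, headers={"Authorization": auth} if auth else {})
        status = conn.getresponse().status
        conn.close()
        return status


def run_flow():
    """Replay the captured sequence; returns ([(path, authorization_sent, status)], prompts)."""
    server = HTTPServer(("127.0.0.1", 0), BasicAuthHandler)
    threading.Thread(target=server.serve_forever, daemon=True).start()
    answers = iter([("annasmith", "password"), None])  # 1st dialog: type creds; 2nd: cancel
    client = BrowserLikeClient("127.0.0.1", server.server_address[1], lambda: next(answers))
    trace = []
    for path in ["/api/v1/students/1", "/api/v1/students/2", "/logout", "/api/v1/students/2", ""]:
        if not path:  # closing the browser: only the client can end a Basic 'session'
            client.cache.clear()
            path = "/api/v1/students/1"
        status, sent = client.get(path)
        trace.append((path, sent, status))
    server.shutdown()
    return trace, client.prompts


if __name__ == "__main__":
    for path, sent, status in run_flow()[0]:
        print(f"{path:20} Authorization sent: {str(sent):5} -> {status}")
```

Running it prints the same shape as the capture: the dialog fires once, /api/v1/students/2 succeeds with the header replayed and no second prompt, /logout goes out without the header (outside the protection space) and gets 404, and only clearing the client-side cache brings the 401 back. What this toy server does not reproduce is the JSESSIONID session that Spring Security created alongside the header in the capture above.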

See also: What is the difference between "basic auth" and "form-based auth"?