|
Page 3 of 4
22.3 Proxy-to-User Authentication
Similarly, when a UAC sends a request to a proxy server, the proxy
server MAY authenticate the originator before the request is
processed. If no credentials (in the Proxy-Authorization header
field) are provided in the request, the proxy can challenge the
originator to provide credentials by rejecting the request with a 407
(Proxy Authentication Required) status code. The proxy MUST populate
the 407 (Proxy Authentication Required) message with a Proxy-
Authenticate header field value applicable to the proxy for the
requested resource.
The use of Proxy-Authenticate and Proxy-Authorization parallel that
described in [17], with one difference. Proxies MUST NOT add values
to the Proxy-Authorization header field. All 407 (Proxy
Authentication Required) responses MUST be forwarded upstream toward
the UAC following the procedures for any other response. It is the
UAC's responsibility to add the Proxy-Authorization header field
value containing credentials for the realm of the proxy that has
asked for authentication.
If a proxy were to resubmit a request adding a Proxy-Authorization
header field value, it would need to increment the CSeq in the new
request. However, this would cause the UAC that submitted the
original request to discard a response from the UAS, as the CSeq
value would be different.
When the originating UAC receives the 407 (Proxy Authentication
Required) it SHOULD, if it is able, re-originate the request with the
proper credentials. It should follow the same procedures for the
display of the "realm" parameter that are given above for responding
to 401.
If no credentials for a realm can be located, UACs MAY attempt to
retry the request with a username of "anonymous" and no password (a
password of "").
The UAC SHOULD also cache the credentials used in the re-originated
request.
The following rule is RECOMMENDED for proxy credential caching:
If a UA receives a Proxy-Authenticate header field value in a 401/407
response to a request with a particular Call-ID, it should
incorporate credentials for that realm in all subsequent requests
that contain the same Call-ID. These credentials MUST NOT be cached
across dialogs; however, if a UA is configured with the realm of its
local outbound proxy, when one exists, then the UA MAY cache
credentials for that realm across dialogs. Note that this does mean
a future request in a dialog could contain credentials that are not
needed by any proxy along the Route header path.
Any UA that wishes to authenticate itself to a proxy server --
usually, but not necessarily, after receiving a 407 (Proxy
Authentication Required) response -- MAY do so by including a Proxy-
Authorization header field value with the request. The Proxy-
Authorization request-header field allows the client to identify
itself (or its user) to a proxy that requires authentication. The
Proxy-Authorization header field value consists of credentials
containing the authentication information of the UA for the proxy
and/or realm of the resource being requested.
A Proxy-Authorization header field value applies only to the proxy
whose realm is identified in the "realm" parameter (this proxy may
previously have demanded authentication using the Proxy-Authenticate
field). When multiple proxies are used in a chain, a Proxy-
Authorization header field value MUST NOT be consumed by any proxy
whose realm does not match the "realm" parameter specified in that
value.
Note that if an authentication scheme that does not support realms is
used in the Proxy-Authorization header field, a proxy server MUST
attempt to parse all Proxy-Authorization header field values to
determine whether one of them has what the proxy server considers to
be valid credentials. Because this is potentially very time-
consuming in large networks, proxy servers SHOULD use an
authentication scheme that supports realms in the Proxy-Authorization
header field.
If a request is forked (as described in Section 16.7), various proxy
servers and/or UAs may wish to challenge the UAC. In this case, the
forking proxy server is responsible for aggregating these challenges
into a single response. Each WWW-Authenticate and Proxy-Authenticate
value received in responses to the forked request MUST be placed into
the single response that is sent by the forking proxy to the UA; the
ordering of these header field values is not significant.
When a proxy server issues a challenge in response to a request,
it will not proxy the request until the UAC has retried the
request with valid credentials. A forking proxy may forward a
request simultaneously to multiple proxy servers that require
authentication, each of which in turn will not forward the request
until the originating UAC has authenticated itself in their
respective realm. If the UAC does not provide credentials for
each challenge, the proxy servers that issued the challenges will
not forward requests to the UA where the destination user might be
located, and therefore, the virtues of forking are largely lost.
When resubmitting its request in response to a 401 (Unauthorized) or
407 (Proxy Authentication Required) that contains multiple
challenges, a UAC MAY include an Authorization value for each WWW-
Authenticate value and a Proxy-Authorization value for each Proxy-
Authenticate value for which the UAC wishes to supply a credential.
As noted above, multiple credentials in a request SHOULD be
differentiated by the "realm" parameter.
It is possible for multiple challenges associated with the same realm
to appear in the same 401 (Unauthorized) or 407 (Proxy Authentication
Required). This can occur, for example, when multiple proxies within
the same administrative domain, which use a common realm, are reached
by a forking request. When it retries a request, a UAC MAY therefore
supply multiple credentials in Authorization or Proxy-Authorization
header fields with the same "realm" parameter value. The same
credentials SHOULD be used for the same realm.
|
