Add HOBA sample to the www-authenticate index.md (#27852)

* Add HOBA sample to the www-authenticate index.md This change is to add a sample HOBA scheme representation for developers to see. * Fixing linter warnings * Update index.md * Update files/en-us/web/http/headers/www-authenticate/index.md * addressing pr feedback 1 * addressing pr feedback 2 * Adding the rfc info into the list of specdata json * Adding a reference to the HOBA RFC in the resources and specs section * Update files/en-us/web/http/headers/www-authenticate/index.md --------- Co-authored-by: Hamish Willee <[email protected]> Co-authored-by: Derrick Granowski <[email protected]>
mdn · Jul 17, 2023 · 8a8ffd5 · 8a8ffd5
1 parent 59a3f3e
commit 8a8ffd5
Show file tree

Hide file tree

Showing 3 changed files with 32 additions and 0 deletions.
diff --git a/files/en-us/web/http/headers/www-authenticate/index.md b/files/en-us/web/http/headers/www-authenticate/index.md
@@ -135,6 +135,16 @@ Generally you will need to check the relevant specifications for these (keys for
 - `userhash` {{optional_inline}}
   - : A server may specify `"true"` to indicate that it supports username hashing (default is `"false"`)
 
+### HTTP Origin-Bound Authentication (HOBA)
+
+- `<challenge>`
+  - : A set of pairs in the format of '\<len\>:\<value\>' concatenated together to be given to a client.
+    The challenge is made of up a nonce, algorithm, origin, realm, key identifier, and the challenge.
+- `<max-age>`
+  - : The number of seconds from the time the HTTP response is emitted for which responses to this challenge can be accepted.
+- `realm` {{optional_inline}}
+  - : As above in the [directives](#directives) section.
+
 ## Examples
 
 ### Basic authentication
@@ -214,6 +224,22 @@ Authorization: Digest username="Mufasa",
     opaque="FQhe/qaU925kfnzjCev0ciny7QMkPqMAFRtzCUYo5tdS"
 ```
 
+### HOBA Authentication
+
+A server that supports HOBA authentication might have a `WWW-Authenticate` response header which looks like this:
+
+```http
+WWW-Authenticate: HOBA max-age="180", challenge="16:MTEyMzEyMzEyMw==1:028:https://www.example.com:80800:3:MTI48:NjgxNDdjOTctNDYxYi00MzEwLWJlOWItNGM3MDcyMzdhYjUz"
+```
+
+The to-be-signed blob challenge is made from these parts: www.example.com using port 8080, the nonce is '1123123123', the algorithm for signing is RSA-SHA256, the key identifier is 123, and finally the challenge is '68147c97-461b-4310-be9b-4c707237ab53'.
+
+A client would receive this header, extract the challenge, sign it with their private key that corresponds to key identifier 123 in our example using RSA-SHA256, and then send the result in the `Authorization` header as a dot-separated key id, challenge, nonce, and signature.
+
+```http
+Authorization: 123.16:MTEyMzEyMzEyMw==1:028:https://www.example.com:80800:3:MTI48:NjgxNDdjOTctNDYxYi00MzEwLWJlOWItNGM3MDcyMzdhYjUz.1123123123.<signature-of-challenge>
+```
+
 ## Specifications
 
 {{Specifications}}

diff --git a/files/en-us/web/http/resources_and_specifications/index.md b/files/en-us/web/http/resources_and_specifications/index.md
@@ -53,3 +53,4 @@ HTTP was first specified in the early 1990s. Designed with extensibility in mind
 | [HTML Living Standard](https://html.spec.whatwg.org/multipage/)                            | HTML _Defines extensions of HTTP for Server-Sent Events_                                                                                                                                                                                              | Living Standard          |
 | [Reporting API](https://wicg.github.io/reporting/)                                         | `Report-To` header                                                                                                                                                                                                                                    | Draft                    |
 | [Draft spec](https://datatracker.ietf.org/doc/html/draft-ietf-httpbis-expect-ct-01)        | Expect-CT Extension for HTTP                                                                                                                                                                                                                          | IETF Draft               |
+| {{rfc(7486)}}                                                                              | HTTP Origin-Bound Auth (HOBA)                                                                                                                                                                                                                         | Experimental             |
diff --git a/files/jsondata/SpecData.json b/files/jsondata/SpecData.json
@@ -1454,6 +1454,11 @@
     "url": "https://www.rfc-editor.org/rfc/rfc7168",
     "status": "RFC"
   },
+  "RFC 7486": {
+    "name": "HTTP Origin-Bound Authentication (HOBA)",
+    "url": "https://www.rfc-editor.org/rfc/rfc7486",
+    "status": "RFC"
+  },
   "RFC 8288": {
     "name": "Web Linking",
     "url": "https://www.rfc-editor.org/rfc/rfc8288",