Is this a valid HTTP Authorization header?

Question

Using Wireshark I have seen that the iOS Philips Remote TV app talking to my Philips TV running their new os Saphi sends some HTTP requests with an authorization header looking like this on the wire:

Authorization: Basic 1:ZmVay1EQVFOaZhwQ4Kv81ypLAZNczV9sG4KkseXWn1NEk6cXmPKO/MCa9sryslvLCFMnNe4Z4CPXzToowvhHvA==

I believe that “1” is the userid and separatet from the long password with a “:”.

In Wikipedia I have read that The Authorization field is constructed as follows:

1. The username and password are combined with a single colon (:).

2. The resulting string is encoded into an octet sequence using a variant of Base64.

3. The authorization method and a space (e.g. "Basic ") is then prepended to the encoded string.

For example, if the browser uses Aladdin as the username and OpenSesame as the password, then the field's value is the base64-encoding of Aladdin:OpenSesame, or QWxhZGRpbjpPcGVuU2VzYW1l.

Then the Authorization header will appear as:

Authorization: Basic QWxhZGRpbjpPcGVuU2VzYW1l

I therefore wonder if the Authorization header used in this app is valid - skipping, what it looks like, the encoding step 2 above?

Answer 1

The header you posted violates RFC 7235, which forbids a colon (:) in an authorization token:

Authorization = credentials

credentials   = auth-scheme [ 1*SP ( token68 / #auth-param ) ]

token68       = 1*( ALPHA / DIGIT /

                    "-" / "." / "_" / "~" / "+" / "/" ) *"="

As you noted correctly, Basic authentication encodes to Base64 after combining the username and the password. The sample you posted contains valid Base64 after the colon, but it decodes to some binary garbage.

It’s likely that the developers of this Philips software have mistakenly labeled a custom authentication scheme as Basic. This is not an uncommon error. A typical case is when a token is sent without Base64, as in Basic MySecretToken123.