HOBA Authentication

HTTP Origin-Bound Authentication (HOBA) is a simple authentication scheme that is not password-based. HOBA has become an alternative to password-based HTTP authentication schemes by reducing or eliminating password entry.

HOBA authentication mechanism uses digital signature instead of the passwords and it also offers additional features like credential management and logout system.

HTTP clients can authenticate themselves to servers in the HTTP protocol or in a Javascript authentication program with the usage of public-private keys they create. The public key is open, the private key needs privacy for security reasons.

Implementing HOBA in HTTP applications gives the user an opportunity to establish a connection to the same service with more than one device or source-bound key.

The implementation process requires no names, passwords. And there’s no danger of leaking out or exposing passwords since there is no password verification database on the server side.

Implementing HOBA

Technically, it is a challenge-response digital signature protocol with a client nonce.

The client starts with determining if it already has a public key to authenticate or must generate one. For a start, the client determines if it already has a public key to authenticate or must generate one.

Then, the client makes a connection to the server, anticipating the server to ask for HOBA-based authentication, which is to be done by signing a blob of information.

The server sends a confirmable challenge in an HTTP header and client has to respond in time with a signature having previously given server the public key. br>
The server determines the CPK (client public key) using the key identifier (kid) to decide if it recognizes the CPK. If the CPK is recognized the authentication process is complete.

The authentication depends entirely on the server, its policies and practices; there is no standardized protocol and no suggested template for interaction.

The HOBA requires challenge and max-age attributes that must be included and it also has an optional realm attribute. The challenge attribute is a base64url string that must be unique for every 401 HTTP response. The max-age attribute defines the time in seconds during which responses to the challenge can be accepted. The realm attribute can appear only once to indicate the scope of protection.


  • pub: UA generated Public Key
  • kidtype: The key type
  • kide: The Public key ID
  • didtype: Device Type
  • did: Device id
HTTP Header:
  • Authentication = HOBA
  • challenge = [generated_challenge]
  • max-age = [expiration_time]

Example of HOBA-HTTP authentication

  • Public Key:
  • -----BEGIN PUBLIC KEY-----
  • MIIBIjANBgkqhkiG9w0BAQEFAAOCAQ8AMIIBCgKCAQEAviE8fMrGIPZN9up94M28 6o38B99fsz5cUqYHXXJlnHIi6gGKjqLgn3P7n4snUSQswLExrkhSr0TPhRDuPH_t fXLKLBbh17ofB7t7shnPKxmyZ69hCLbe7pB1HvaBzTxPC2KOqskDiDBOQ6-JLHQ8 egXB14W-641RQt0CsC5nXzo92kPCdV4NZ45MW0ws3twCIUDCH0nibIG9SorrBbC DPHQZS5Dk5pgS7P5hrAr634Zn4bzXhUnm7cON2x4rv83oqB3lRqjF4T9exEMyZBS L26m5KbK860uSOKywI0xp4ymnHMc6Led5qfEMnJC9PEI90tIMcgdHrmdHC_vpldGDQIDAQAB
  • -----END PUBLIC KEY-----
  • Key Identifier: vesscamS2Kze4FFOg3e2UyCJPhuQ6_3_gzN-k_L6t3w
  • Challenge: pUE77w0LylHypHKhBqAiQHuGC751GiOVv4/7pSlo9jc=
  • Signature algorithm: RSA-SHA256 ("0")
  • Nonce: Pm3yUW-sW5Q
  • Signature:
  • VD-0LGVBVEVjfq4xEd35FjnOrIqzJ2OQMx5w8E52dgVvxFD6R0ryEsHcD31ykh0i 4YIzIHXirx7bE4x9yP-9fMBCEwnHJsYwYQhfRpmScwAz-Ih1Hn4yORTb-U66miUz q04ZgTHm4jAj45afU20wYpGXY2r3W-FRKc6J6Glv_zI_ROghERalxgXG-QVGZrKP tG0V593Yf9IPnFSpLyW6fnxscCMWUA9T-4NjMdypI-Ze4HsC9J06tRTOunQdofr9 6ZJ2i9LE6uKSUDLCD2oeEeSEvUR-4OGtrgjzYysHZkdVSxAi7OoQBK34EUWg9kI13qQA43m4IMExkbApqrSg
  • Authorization Header:
  • Authorization: HOBA result="vesscamS2Kze4FFOg3e2UyCJPhuQ6_3_gzN- k_L6t3w.pUE77w0LylHypHKhBqAiQHuGC751GiOVv4/7pSlo9jc=.Pm3yUW-sW5Q .VD-0LGVBVEVjfq4xEd35FjnOrIqzJ2OQMx5w8E52dgVvxFD6R0ryEsHcD31ykh0 i4YIzIHXirx7bE4x9yP-9fMBCEwnHJsYwYQhfRpmScwAz-Ih1Hn4yORTb-U66miU zq04ZgTHm4jAj45afU20wYpGXY2r3W-FRKc6J6Glv_zI_ROghERalxgXG-QVGZrK PtG0V593Yf9IPnFSpLyW6fnxscCMWUA9T-4NjMdypI-Ze4HsC9J06tRTOunQdofr 96ZJ2i9LE6uKSUDLCD2oeEeSEvUR--4OGtrgjzYysHZkdVSxAi7OoQBK34EUWg9k IS13qQA43m4IMExkbApqrSg"

Post HTTP Requests Online