W3C home > Mailing lists > Public > ietf-http-wg-old@w3.org > January to April 1996

Proxies and Digest Auth

From: Paul Leach <paulle@microsoft.com>
Date: Thu, 29 Feb 96 10:06:18 PST
To: john@math.nwu.edu
Cc: http-wg%cuckoo.hpl.hp.com@hplb.hpl.hp.com
Message-Id: red-16-msg960229175927MTP[01.52.00]000000b1-122101
I looked at the definitions of "Proxy-Authentication" and 
"Proxy-Authotizaton"; they are defined to use the same challenges and 
credentials as WWW-Authenticate and Authorization headers 
(respectively).  We need to make this clear; it would even be good to 
refer to "challenge" and "credentials", as these are the non-terminals 
in the HTTP spec grammar for the values of these headers. (In general, 
it would be nice to use the same syntax notation as in the HTTP spec, 
but maybe that can the "the last pass" over it, after all else is agreed to.)

To accomodate this (in current Digest syntax style), I'd propose to change:

   If a server receives a request for, an access-protected object), and an
   acceptable Authorization header is not sent, the server responds with

HTTP/1.1 401 Unauthorized
WWW-Authenticate: Digest realm="<realm>",
                            domain="<domain>",
                            nonce="<nonce>",
                            opaque="<opaque>",
                            stale="<TRUE | FALSE>",
                            algorithm="<digest-algorithm>"

to

   If a server receives a request for which authorization is required
   (e.g., an access-protected object), and an acceptable Authorization or
   Proxy-Authorization header is not sent, the server responds with

      HTTP/1.1 401 Unauthorized

   if it is an origin-server, or

      HTTP/1.1 407 Proxy Authentication Required

   if it is a proxy, followed by a WWW-Authenticate header or
   Proxy-Authentication header, respectively.

   Format of a WWW-Authenticate header is given by:

      <www-authn> := WWW-Authenticate: <challenge>

   and of a Proxy-Authentication header by:

      <proxy-authn> := Proxy-Authenticate: <challenge>

   where <challenge> has the same meaning as "challenge" in the
   HTTP/1.1 specification (see section 11 "Access Authentication"),
   extended for Digest authentication as follows:

      <challenge> := <basic-challenge> | <digest-challenge>

      <digest-challenge> := Digest realm="<realm>",
                            domain="<domain>",
                            nonce="<nonce>",
                            opaque="<opaque>",
                            stale="<TRUE | FALSE>",
                            algorithm="<digest-algorithm>"


Likewise, for Authenticate change:

   The client is expected to retry the request, passing an Authorization header
   line as follows:

Authorization: Digest
           username="<username>",             -- required
           realm="<realm>",                   -- required
           nonce="<nonce>",                   -- required
           uri="<requested-uri>",             -- required
           response="<digest>",               -- required
           message="<message-digest>",        -- OPTIONAL
           algorithm="<digest-algorithm>"     -- OPTIONAL
           opaque="<opaque>",                 -- required if provided
                                                          by server

to:

   The client is expected to retry the request, passing an Authorization or
   Proxy-Authorization header (to origin-servers and proxies, respectively).
   Format of an Authorization header is given by:

      <authz> := Authorization: <credentials>

   and of a Proxy-Authorization header by:

       <proxy-authz> := Proxy-Authorization: <credentials>

   where <credentials> has the same meaning as "credentials" in the
   HTTP/1.1 specification (see section 11 "Access Authentication"),
   extended for Digest authentication as follows:

      <credentials> := <basic-credentials> | <digest-credentials>

      <digest-credentials> := Digest
           username="<username>",             -- required
           realm="<realm>",                   -- required
           nonce="<nonce>",                   -- required
           uri="<requested-uri>",             -- required
           response="<digest>",               -- required
           message="<message-digest>",        -- OPTIONAL
           algorithm="<digest-algorithm>"     -- OPTIONAL
           opaque="<opaque>",                 -- required if provided
                                                          by server

There's a bigger issue in Digest-MessageDigest; I'll propose a fix in 
the next message.

Paul
Received on Thursday, 29 February 1996 10:03:03 EST

This archive was generated by hypermail pre-2.1.9 : Wednesday, 24 September 2003 06:31:47 EDT