W3C home > Mailing lists > Public > ietf-http-wg@w3.org > October to December 2009

Re: Authorization with WWW-Authenticate (bis)

From: Henrik Nordstrom <henrik@henriknordstrom.net>
Date: Wed, 11 Nov 2009 23:52:08 +0100
To: Nicolas Alvarez <nicolas.alvarez@gmail.com>
Cc: ietf-http-wg@w3.org
Message-Id: <1257979928.14163.20.camel@localhost.localdomain>
ons 2009-11-11 klockan 16:36 -0300 skrev Nicolas Alvarez:
> Thomas Broyer wrote:
> > http-cookie-auth is totally backwards compatible (except unfortunately
> > with Opera pre-10.0, as Opera will then display an error page about
> > the auth scheme not being supported);
> 
> To avoid this problem again: does the spec say what user agents should do if 
> they find an unrecognized auth scheme? (ignore vs fail)

Relevant quote from RFC2617 which is still the authorative document on
this:

   The user agent MUST
   choose to use one of the challenges with the strongest auth-scheme it
   understands and request credentials from the user based upon that
   challenge.

Wording in RFC2617 is not the greatest, but imho it's pretty clear to
anyone reading the document that scheme is extensible with new schemes
and unknown schemes should be ignored by the user agent.

What is unspecified is how the user agent should behave if none of the
provided challenges is understood. It seems to me that most user agents
then fall back on basic auth with unspecified realm which imho is not a
bad thing to do. Both unlikely to be accepted by the server AND exposing
password details in the plain for no good value, better to abort the
request with an error.

Regards
Henrik
Received on Wednesday, 11 November 2009 22:52:41 GMT

This archive was generated by hypermail 2.2.0+W3C-0.50 : Friday, 27 April 2012 06:51:13 GMT