
Re: Backwards definition of authentication header

From: Julian Reschke <julian.reschke@gmx.de>
Date: Fri, 04 Dec 2009 17:09:59 +0100
Message-ID: <4B193457.1080806@gmx.de>
To: Eran Hammer-Lahav <eran@hueniverse.com>
CC: "HTTP Working Group (ietf-http-wg@w3.org)" <ietf-http-wg@w3.org>
Julian Reschke wrote:
> ...
> I assume the reasons are historical.
> 
> It appears the ABNF was broken when RFC2068/9 was revised as RFC2616/7, 
> see <http://tools.ietf.org/html/rfc2068#section-11> which has:
> 
>           credentials    = basic-credentials
>                          | auth-scheme #auth-param
> 
> We probably should record an erratum for RFC 2617 for now.
> ...

I just checked the history of RFC 2617, and the change happened between 
draft 01 and draft 02 
(<http://tools.ietf.org/rfcdiff?url2=draft-ietf-http-authentication-02.txt>), 
when

-- draft 01 --
A user agent that wishes to authenticate itself with an origin server--
usually, but not necessarily, after receiving a 401 (Unauthorized)--MAY
do so by including an Authorization header field with the request. A
client that wishes to authenticate itself with a proxy--usually, but not
necessarily, after receiving a 407 (Proxy Authentication Required)--MAY
do so by including a Proxy-Authorization header field with the request.
Both the Authorization field value and the Proxy-Authorization field
value consist of credentials containing the authentication information
of the client for the realm of the resource being requested.

     credentials = basic-credentials | auth-scheme #auth-param
-- draft 01 --

was replaced by

-- draft 02 --
A user agent that wishes to authenticate itself with an origin server--
usually, but not necessarily, after receiving a 401 (Unauthorized)--MAY
do so by including an Authorization header field with the request. A
client that wishes to authenticate itself with a proxy--usually, but not
necessarily, after receiving a 407 (Proxy Authentication Required)--MAY
do so by including a Proxy-Authorization header field with the request.
Both the Authorization field value and the Proxy-Authorization field
value consist of credentials containing the authentication information
of the client for the realm of the resource being requested. The user
agent MUST choose to use one of the challenges with the strongest auth-
scheme it understands and request credentials from the user based upon
that challenge.

credentials = auth-scheme #auth-param

      Note that many browsers will only recognize Basic and will require
      that it be the first auth-scheme presented. Servers should only
      include Basic if it is minimally acceptable.
-- draft 02 --

So the intention may have been to replace the special case in the ABNF 
by prose, but, as far as I can tell, that was the wrong thing to do here.

Best regards, Julian
Received on Friday, 4 December 2009 16:10:46 GMT
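As an added illustration, not part of the original message or of the drafts quoted in it, the following Python compares the two grammars. It parses an Authorization field value under the draft 01 rule, which keeps basic-credentials as its own alternative, and under the draft 02 rule, which keeps only auth-scheme #auth-param. The reason the draft 02 grammar cannot describe Basic is that the basic-cookie is a base64 string, and base64 contains no "=" except as trailing padding, so it can never take the token "=" value shape that auth-param requires. The token and quoted-string definitions follow RFC 2616; the header values are constructed for the example.

```python
import base64
import binascii
import re

# RFC 2616 "token": one or more CHARs that are neither CTLs nor separators.
_TOKEN = r"[!#$%&'*+\-.^_`|~0-9A-Za-z]+"
# RFC 2616 quoted-string, allowing backslash quoted-pairs inside.
_QSTRING = r'"(?:[^"\\]|\\.)*"'
# auth-param = token "=" ( token | quoted-string )
_PARAM_RE = re.compile(rf"\s*({_TOKEN})=({_TOKEN}|{_QSTRING})\s*")
# basic-cookie (RFC 2068 section 11.1): base64 of userid ":" password.
_BASE64_RE = re.compile(r"[A-Za-z0-9+/]+={0,2}$")


def parse_auth_params(text):
    """Parse a '#auth-param' list (comma separated, possibly empty).

    Returns a list of (name, raw_value) pairs, or None on a syntax error.
    Values keep their surrounding quotes so the caller sees the raw syntax.
    """
    params = []
    pos = 0
    text = text.strip()
    while pos < len(text):
        m = _PARAM_RE.match(text, pos)
        if m is None:
            return None  # not 'token "=" value' at this position
        params.append((m.group(1), m.group(2)))
        pos = m.end()
        if pos < len(text):
            if text[pos] != ",":
                return None  # something other than a list separator
            pos += 1
    return params


def parse_credentials_draft02(header):
    """draft 02 / RFC 2617 grammar: credentials = auth-scheme #auth-param"""
    m = re.match(rf"({_TOKEN})(?:\s+(.*))?$", header.strip(), re.S)
    if m is None:
        return None
    params = parse_auth_params(m.group(2) or "")
    if params is None:
        return None  # e.g. a bare base64 blob is not an auth-param list
    return {"scheme": m.group(1), "params": params}


def parse_credentials_draft01(header):
    """draft 01 / RFC 2068 grammar:
    credentials = basic-credentials | auth-scheme #auth-param
    """
    h = header.strip()
    # basic-credentials = "Basic" SP basic-cookie (scheme names are case-insensitive)
    m = re.match(r"([Bb][Aa][Ss][Ii][Cc]) ([^ ]+)$", h)
    if m and _BASE64_RE.match(m.group(2)):
        try:
            userpass = base64.b64decode(m.group(2), validate=True).decode("latin-1")
        except binascii.Error:
            return None  # looked like base64 but is not decodable
        userid, sep, password = userpass.partition(":")
        if not sep:
            return None  # basic-cookie must encode userid ":" password
        return {"scheme": m.group(1), "userid": userid, "password": password}
    # Anything else falls back to the generic auth-scheme #auth-param alternative.
    return parse_credentials_draft02(h)


if __name__ == "__main__":
    # Constructed sample values: "user:pass" in base64, and a Digest response.
    samples = (
        "Basic dXNlcjpwYXNz",
        'Digest username="alice", realm="example", nonce="abc123"',
    )
    for value in samples:
        print(value)
        print("  draft 01:", parse_credentials_draft01(value))
        print("  draft 02:", parse_credentials_draft02(value))
```

Running it shows the constructed value `Basic dXNlcjpwYXNz` (user:pass) being accepted under the draft 01 grammar and rejected under the draft 02 grammar, while the Digest value, with its username, realm and nonce parameters, parses identically under both. This is the gap the message points at: once the basic-credentials alternative was dropped from the ABNF, the prose still described Basic but the grammar no longer did. RFC 7235, which later obsoleted RFC 2617, reintroduced the missing alternative as `token68`.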
