RE: Multiple challenges in a single WWW-Authenticate header field

From: Eran Hammer-Lahav <eran@hueniverse.com>
Date: Fri, 4 Dec 2009 09:34:39 -0700
To: Dan Winship <dan.winship@gmail.com>
CC: Thomas Broyer <t.broyer@gmail.com>, "HTTP Working Group (ietf-http-wg@w3.org)" <ietf-http-wg@w3.org>
Message-ID: <90C41DD21FB7C64BB94121FBBC2E723437852935EC@P3PW5EX1MB01.EX1.SECURESERVER.NET>

Thanks for the reference. I guess adding an auth-scheme-specific restriction won't work either.

EHL

> -----Original Message-----
> From: Dan Winship [mailto:dan.winship@gmail.com]
> Sent: Friday, December 04, 2009 6:27 AM
> To: Eran Hammer-Lahav
> Cc: Thomas Broyer; HTTP Working Group (ietf-http-wg@w3.org)
> Subject: Re: Multiple challenges in a single WWW-Authenticate header field
> 
> On 12/04/2009 03:01 AM, Eran Hammer-Lahav wrote:
> > I wasn't questioning the need to provide multiple challenges in a
> > single response. I was only questioning the wisdom in allowing
> > multiple challenges in a single header field, given the odd
> > combination of separators it creates. It would be nice to try and
> > deprecate this practice, while still requiring clients to deal with it
> > for backwards compatibility.
> 
> This possibility was discussed before and basically rejected; see the thread
> starting at http://lists.w3.org/Archives/Public/ietf-http-wg/2008JulSep/0300.html.
> 
> If you think OAuth is likely to be used in combination with other
> WWW-Authenticate methods, you should start filing bugs against browsers now :-}
> 
> -- Dan
Received on Friday, 4 December 2009 16:34:59 GMT
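
The separator problem raised in the quoted message above, as an added example that is not part of the original thread: a comma in a WWW-Authenticate value can end either one parameter or a whole challenge, so a parser has to inspect each list element to decide which. The sketch assumes the RFC 7235 challenge grammar (token scheme names, name=value parameters, optional token68); the sample header value and all function names are constructed for illustration.

```python
import re

TOKEN = r"[!#$%&'*+\-.^_`|~0-9A-Za-z]+"
# auth-param: name "=" ( token / quoted-string ), optional whitespace around "="
PARAM = re.compile(rf'({TOKEN})\s*=\s*("(?:[^"\\]|\\.)*"|{TOKEN})')
# A list element: any run of quoted-strings and characters other than , and "
ELEMENT = re.compile(r'(?:"(?:[^"\\]|\\.)*"|[^,"])+')

# Constructed sample: three challenges sharing one header field.
SAMPLE = ('Digest realm="staff, admin", qop="auth", nonce="c0ffee", '
          'OAuth realm="photos", Negotiate')

def split_elements(value):
    """Split on commas outside quoted-strings; empty elements are dropped."""
    return [e.strip() for e in ELEMENT.findall(value) if e.strip()]

def add_param(challenge, match):
    """Store one matched auth-param, unescaping a quoted-string value."""
    name, val = match.group(1).lower(), match.group(2)
    if val.startswith('"'):
        val = re.sub(r"\\(.)", r"\1", val[1:-1])
    challenge["params"][name] = val

def parse_challenges(value):
    """Return one dict per challenge found in a WWW-Authenticate value."""
    challenges = []
    for elem in split_elements(value):
        m = PARAM.fullmatch(elem)
        if m:  # bare name=value: belongs to the challenge before this comma
            if not challenges:
                raise ValueError("parameter before any auth-scheme")
            add_param(challenges[-1], m)
            continue
        # Anything else opens a new challenge: "Scheme", "Scheme name=value"
        # or "Scheme token68".
        scheme, _, rest = elem.partition(" ")
        if not re.fullmatch(TOKEN, scheme):
            raise ValueError(f"bad auth-scheme: {scheme!r}")
        challenges.append({"scheme": scheme, "token68": None, "params": {}})
        m = PARAM.fullmatch(rest.strip())
        if m:
            add_param(challenges[-1], m)
        elif rest.strip():
            challenges[-1]["token68"] = rest.strip()
    return challenges

if __name__ == "__main__":
    for c in parse_challenges(SAMPLE):
        print(c)
```

A client that splits the value on every comma would treat `qop="auth"` as a separate challenge and cut the Digest realm in half; classifying each element keeps parameters attached to the scheme that precedes them.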