W3C home > Mailing lists > Public > ietf-http-wg@w3.org > October to December 2009

RE: Backwards definition of authentication header

From: Eran Hammer-Lahav <eran@hueniverse.com>
Date: Fri, 4 Dec 2009 09:54:09 -0700
To: Julian Reschke <julian.reschke@gmx.de>
CC: "HTTP Working Group (ietf-http-wg@w3.org)" <ietf-http-wg@w3.org>
Message-ID: <90C41DD21FB7C64BB94121FBBC2E72343785293603@P3PW5EX1MB01.EX1.SECURESERVER.NET>


> -----Original Message-----
> From: Julian Reschke [mailto:julian.reschke@gmx.de]
> Sent: Friday, December 04, 2009 7:59 AM
> To: Eran Hammer-Lahav
> Cc: HTTP Working Group (ietf-http-wg@w3.org)
> Subject: Re: Backwards definition of authentication header
> 
> Eran Hammer-Lahav wrote:
> > (I'm in the process of writing a new HTTP authentication scheme per
> > the OAuth WG charter. I will be sending questions and issues regarding
> > RFC 2617 and draft-ietf-httpbis-p7-auth in the hopes that someone will
> > both be able to clarify them as well as find this feedback useful.)
> 
> Feedback from somebody trying to define a new HTTP auth scheme it
> *totally* useful. Thanks for that in advance.
> 
> > Trying to follow the definition of the WWW-Authenticate and Authorization
> headers is like chasing one's own tail. The headers are defined in draft-ietf-
> httpbis-p7-auth but their content is defined using an imported definition
> from 2617, which in turn relies on the header definition in 2616. There isn't a
> single place where an implementer can read about the complete structure of
> these headers.
> 
> When you say "which in turn relies on the header definition in 2616", do you
> refer to more than "token" and "quoted-string"?

Yes, the actual header definition. Because draft-ietf-httpbis-p7-auth only updates 2617, but obsoletes 2616, it gets confusing as to where should someone reading 2617 go when trying to get the full authenticating picture. Moving the entire section 1 from 2617 to draft-ietf-httpbis-p7-auth will solve this.

> > Why not move the entire section 1 from 2617 into draft-ietf-httpbis-p7-
> auth?
> 
> I think I came to the conclusion a long time ago and thought that I opened a
> ticket for that; apparently I didn't. Yes, we need to make sure that Part 7
> contains all but the actual authentication scheme definitions.

This will be a significant improvement.

> > It is also confusing that Basic auth does not comply with the syntax defined
> for 'credentials' (no key="value" pair, only base64 username and password). I
> am not suggesting changing Basic, but I am suggesting changing the definition
> of 'credentials' to better reflect reality or at lease note why basic is different
> (I assume for historical reasons).
> 
> I assume the reasons are historical.
> 
> It appears the ABNF was broken when RFC2068/9 was revised as RFC2616/7,
> see <http://tools.ietf.org/html/rfc2068#section-11> which has:
> 
>            credentials    = basic-credentials
>                           | auth-scheme #auth-param
> 
> We probably should record an erratum for RFC 2617 for now.
> 
> > What is not clear to me is if the definition provided for 'credentials' is
> binding for new schemes, or if these schemes can go and redefine it as they
> see if.
> 
> Is there anything *except* for the broken ABNF with respect to Basic that
> makes you think the definition isn't binding?

No. But since Basic is 50% of 2617, it is a pretty big exception... :-)

EHL
Received on Friday, 4 December 2009 16:54:34 GMT

This archive was generated by hypermail 2.2.0+W3C-0.50 : Friday, 27 April 2012 06:51:14 GMT