
Authentication realm

From: Eran Hammer-Lahav <eran@hueniverse.com>
Date: Sun, 6 Dec 2009 13:42:05 -0700
To: "HTTP Working Group (ietf-http-wg@w3.org)" <ietf-http-wg@w3.org>
Message-ID: <90C41DD21FB7C64BB94121FBBC2E723437852938C4@P3PW5EX1MB01.EX1.SECURESERVER.NET>

RFC 2617 declares:

   The realm directive (case-insensitive) is required for all
   authentication schemes that issue a challenge.

But does not use normative REQUIRED. Also, the ABNF defines challenge as:

   challenge   = auth-scheme 1*SP 1#auth-param

Which seems to suggest that the realm parameter is not actually mandatory. If it is, the language should be corrected to use normative REQUIRED and the ABNF changed to reflect that:

  challenge = auth-scheme 1*SP 1#(realm / auth-param)

As currently defined, realm doesn't fully cover the use cases of the proposed Token scheme (OAuth WG). We will need to either redefine it, supplement it, or replace it. Either way, we need to know what is dictated by the HTTP authentication framework.

EHL
Received on Sunday, 6 December 2009 20:42:15 GMT
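
The gap the message describes can be seen with a small parser for the quoted `challenge` rule. This is an added example, not part of the original message: the function names and sample header values are constructed, and the parser is simplified to a single challenge with no empty list elements.

```python
import re

# RFC 2616 token and quoted-string, as used by RFC 2617 auth-param.
TOKEN = r"[!#$%&'*+\-.^_`|~0-9A-Za-z]+"
QUOTED = r'"(?:[^"\\]|\\.)*"'
AUTH_PARAM = re.compile(rf"\s*({TOKEN})\s*=\s*({TOKEN}|{QUOTED})\s*")


def parse_challenge(value):
    """Parse one challenge per `auth-scheme 1*SP 1#auth-param`.

    Returns (scheme, params) with parameter names lower-cased, or raises
    ValueError when the value does not match the grammar.
    """
    m = re.match(rf"({TOKEN}) +", value)
    if not m:
        raise ValueError("missing auth-scheme or separating SP")
    scheme, pos, params = m.group(1), m.end(), {}
    while True:
        p = AUTH_PARAM.match(value, pos)
        if not p:
            raise ValueError(f"bad auth-param at offset {pos}")
        name, raw = p.group(1).lower(), p.group(2)
        if raw.startswith('"'):
            raw = re.sub(r"\\(.)", r"\1", raw[1:-1])  # strip quotes, unescape
        params[name] = raw
        pos = p.end()
        if pos == len(value):
            return scheme, params
        if value[pos] != ",":
            raise ValueError(f"expected ',' at offset {pos}")
        pos += 1


def check_challenge(value):
    """Report the ABNF match and the prose 'realm is required' rule separately."""
    try:
        scheme, params = parse_challenge(value)
    except ValueError:
        return {"matches_abnf": False, "has_realm": False}
    return {"matches_abnf": True, "has_realm": "realm" in params, "scheme": scheme}


# Constructed sample values: the second matches the ABNF but carries no realm.
SAMPLES = ['Basic realm="WallyWorld"', 'Example nonce="abc123"', "Basic"]

if __name__ == "__main__":
    for s in SAMPLES:
        print(s, "->", check_challenge(s))
```

A receiver that enforces only the grammar accepts the second sample, while one that enforces the prose requirement rejects it.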
