Authentication realm

RFC 2617 declares:

   The realm directive (case-insensitive) is required for all
   authentication schemes that issue a challenge.

But it does not use the normative REQUIRED. Also, the ABNF defines challenge as:

   challenge   = auth-scheme 1*SP 1#auth-param

This seems to suggest that the realm parameter is not actually mandatory. If it is, the language should be corrected to use the normative REQUIRED and the ABNF changed to reflect that:

   challenge = auth-scheme 1*SP 1#(realm / auth-param)

As currently defined, realm doesn't fully cover the use cases of the proposed Token scheme (OAuth WG). We will need to either redefine it, supplement it, or replace it. Either way, we need to know what is dictated by the HTTP authentication framework.

EHL

Received on Sunday, 6 December 2009 20:42:15 UTC
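The ambiguity discussed above is easy to see in code. The following parser is an added example and not part of the message above or of any RFC text: it implements the RFC 2617 production challenge = auth-scheme 1*SP 1#auth-param (a single challenge; splitting a header that carries several challenges is not attempted) and takes a require_realm flag that enforces the stricter 1#(realm / auth-param) reading. The sample challenges, including the Token one with its scope parameter, are constructed for illustration and do not reflect any published Token scheme.

```python
import re

# token and quoted-string per RFC 2616 section 2.2 (separators excluded
# from token; quoted-pair allowed inside quoted-string).
_TOKEN = r"[!#$%&'*+\-.^_`|~0-9A-Za-z]+"
_QUOTED = r'"(?:[^"\\]|\\.)*"'
# one auth-param = token "=" ( token | quoted-string ), followed by a comma
# or the end of the header; surrounding LWS is tolerated as in the 1# rule.
_PARAM = re.compile(r"\s*(" + _TOKEN + r")\s*=\s*(" + _QUOTED + r"|" + _TOKEN + r")\s*(?:,|$)")
_SCHEME = re.compile(r"\s*(" + _TOKEN + r")(?:\s+|$)")


def parse_challenge(header, require_realm=False):
    """Parse a single WWW-Authenticate challenge.

    Returns (auth_scheme, params) where params maps lower-cased directive
    names (the realm directive is case-insensitive per RFC 2617) to values
    with quoted-string quoting removed.

    With require_realm=False the parser follows the ABNF as written, so a
    challenge without realm is accepted as long as it has at least one
    auth-param.  With require_realm=True it follows the stricter
    1#(realm / auth-param) reading and rejects a challenge lacking realm.
    """
    m = _SCHEME.match(header)
    if not m:
        raise ValueError("missing or malformed auth-scheme")
    scheme = m.group(1)
    pos = m.end()
    params = {}
    while pos < len(header):
        pm = _PARAM.match(header, pos)
        if not pm:
            raise ValueError("malformed auth-param at offset %d" % pos)
        name = pm.group(1).lower()
        value = pm.group(2)
        if value.startswith('"'):
            # strip the quotes and undo quoted-pair escapes
            value = re.sub(r"\\(.)", r"\1", value[1:-1])
        if name in params:
            raise ValueError("duplicate auth-param %r" % name)
        params[name] = value
        pos = pm.end()
    if not params:
        raise ValueError("challenge requires 1#auth-param")
    if require_realm and "realm" not in params:
        raise ValueError("realm directive is absent but required")
    return scheme, params


if __name__ == "__main__":
    # constructed sample challenges
    print(parse_challenge('Basic realm="WallyWorld"'))
    print(parse_challenge('Token scope="read write"'))  # parses under 1#auth-param
    try:
        parse_challenge('Token scope="read write"', require_realm=True)
    except ValueError as e:
        print("strict:", e)
```

The practical point for a client implementer: under the ABNF as written, a Token challenge with no realm is syntactically valid, so client code that reaches for params["realm"] unconditionally will fail on it. Whichever reading the WG settles on, the client should either treat realm as optional or reject the challenge explicitly, not assume it.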