W3C home > Mailing lists > Public > ietf-http-wg@w3.org > October to December 2009

Re: Authentication realm

From: Julian Reschke <julian.reschke@gmx.de>
Date: Mon, 07 Dec 2009 12:15:02 +0100
Message-ID: <4B1CE3B6.3080003@gmx.de>
To: Eran Hammer-Lahav <eran@hueniverse.com>
CC: "HTTP Working Group (ietf-http-wg@w3.org)" <ietf-http-wg@w3.org>
Eran Hammer-Lahav wrote:
> RFC 2617 declares:
>    The realm directive (case-insensitive) is required for all
>    authentication schemes that issue a challenge.
> But does not use normative REQUIRED. Also, the ABNF defines challenge as:

"required" is as normative as "REQUIRED". See 

"These words are *often* capitalized.

(emphasis mine)

>    challenge   = auth-scheme 1*SP 1#auth-param
> Which seems to suggest that the realm parameter is not actually mandatory. If it is, the language should be corrected to use normative REQUIRED and the ABNF changes to reflect that:
>   challenge = auth-scheme 1*SP 1#(realm / auth-param)

That wouldn't really change the requirement from the ABNF perspective. 
Due to the complexity of the # rule, putting the requirement into the 
ABNF is non-trivial, and I guess that's the reason why it didn't happen.

> As currently defined, realm doesn't fully cover the use cases of the proposed Token scheme (OAuth WG). We will need to either redefine it, supplement it, or replace it. Either way, we need to know what is dictated by the HTTP authentication framework.

Could you elaborate on that?

Best regards, Julian
Received on Monday, 7 December 2009 11:15:43 UTC

This archive was generated by hypermail 2.3.1 : Tuesday, 1 March 2016 11:10:52 UTC