- From: Julian Reschke <julian.reschke@gmx.de>
- Date: Tue, 08 Dec 2009 15:46:20 +0100
- To: Eran Hammer-Lahav <eran@hueniverse.com>
- CC: "HTTP Working Group (ietf-http-wg@w3.org)" <ietf-http-wg@w3.org>
OK, so let's report an erratum against RFC 2617 to get this on the record:

-- snip --
Section 1.2, paragraph 4:

OLD:

  challenge = auth-scheme 1*SP 1#auth-param

NEW:

  credentials = basic-credentials | auth-scheme #auth-param

Note: for historic reasons, the "Basic" authentication scheme (see Section 2) uses a different format, thus the special case in the ABNF.
-- snip --

Best regards, Julian

Julian Reschke wrote:
> Julian Reschke wrote:
>> ...
>> I assume the reasons are historical.
>>
>> It appears the ABNF was broken when RFC2068/9 was revised as
>> RFC2616/7, see <http://tools.ietf.org/html/rfc2068#section-11> which has:
>>
>> credentials = basic-credentials
>> | auth-scheme #auth-param
>>
>> We probably should record an erratum for RFC 2617 for now.
>> ...
>
> I just checked the history of RFC 2617, and the change happened between
> draft 01 and draft 02
> (<http://tools.ietf.org/rfcdiff?url2=draft-ietf-http-authentication-02.txt>),
> when
>
> -- draft 01 --
> A user agent that wishes to authenticate itself with an origin server--
> usually, but not necessarily, after receiving a 401 (Unauthorized)--MAY
> do so by including an Authorization header field with the request. A
> client that wishes to authenticate itself with a proxy--usually, but not
> necessarily, after receiving a 407 (Proxy Authentication Required)--MAY
> do so by including a Proxy-Authorization header field with the request.
> Both the Authorization field value and the Proxy-Authorization field
> value consist of credentials containing the authentication information
> of the client for the realm of the resource being requested.
>
> credentials = basic-credentials | auth-scheme #auth-param
> -- draft 01 --
>
> was replaced by
>
> -- draft 02 --
> A user agent that wishes to authenticate itself with an origin server--
> usually, but not necessarily, after receiving a 401 (Unauthorized)--MAY
> do so by including an Authorization header field with the request. A
> client that wishes to authenticate itself with a proxy--usually, but not
> necessarily, after receiving a 407 (Proxy Authentication Required)--MAY
> do so by including a Proxy-Authorization header field with the request.
> Both the Authorization field value and the Proxy-Authorization field
> value consist of credentials containing the authentication information
> of the client for the realm of the resource being requested. The user
> agent MUST choose to use one of the challenges with the strongest auth-
> scheme it understands and request credentials from the user based upon
> that challenge.
>
> credentials = auth-scheme #auth-param
>
> Note that many browsers will only recognize Basic and will require
> that it be the first auth-scheme presented. Servers should only
> include Basic if it is minimally acceptable.
> -- draft 02 --
>
> So the intention may have been to replace the special case in the ABNF
> by prose, but, as far as I can tell, that was the wrong thing to do here.
>
> Best regards, Julian
Received on Tuesday, 8 December 2009 14:48:06 UTC
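The practical consequence of the ABNF discussed in this thread is easy to miss: a parser that implements `credentials = auth-scheme #auth-param` literally, as RFC 2617 prints it, can never accept a valid `Authorization: Basic ...` header, because `base64-user-pass` is a single base64 blob and not a comma-separated list of `token=value` pairs. The following Python is an added example, not code from the mailing list or from any RFC; it implements both the published RFC 2617 rule and the RFC 2068 / erratum rule (`basic-credentials | auth-scheme #auth-param`) side by side so the difference is observable on real header values. The `TOKEN` and `QUOTED_STRING` regexes are constructed approximations of the RFC 2616 productions, and the sample header values are constructed for the example.

```python
import base64
import re
from typing import Dict, Optional, Tuple

# Constructed regexes for the RFC 2616 productions the erratum relies on.
# TOKEN uses the tchar set of RFC 7230, which equals RFC 2616 "token" for ASCII input.
TOKEN = r"[!#$%&'*+\-.^_`|~0-9A-Za-z]+"
QUOTED_STRING = r'"(?:[^"\\]|\\.)*"'
AUTH_PARAM = re.compile(rf"^({TOKEN})=({TOKEN}|{QUOTED_STRING})$")
# base64-user-pass (RFC 2617 section 2): one base64 blob, optional '=' padding at the end.
BASE64_USER_PASS = re.compile(r"^[A-Za-z0-9+/]+={0,2}$")
SCHEME_SPLIT = re.compile(rf"^({TOKEN})(?:[ \t]+(.*))?$", re.DOTALL)


def split_hash_list(s: str):
    """Split an RFC 2616 #rule list on commas that lie outside quoted-strings."""
    items, cur, in_quotes, escaped = [], [], False, False
    for ch in s:
        if escaped:
            cur.append(ch)
            escaped = False
        elif in_quotes and ch == "\\":
            cur.append(ch)
            escaped = True
        elif ch == '"':
            in_quotes = not in_quotes
            cur.append(ch)
        elif ch == "," and not in_quotes:
            items.append("".join(cur))
            cur = []
        else:
            cur.append(ch)
    items.append("".join(cur))
    # The #rule tolerates empty elements ("a,,b"), so drop them instead of rejecting.
    return [i.strip() for i in items if i.strip()]


def unquote(v: str) -> str:
    """Strip a quoted-string's quotes and resolve quoted-pair escapes."""
    if v.startswith('"'):
        return re.sub(r"\\(.)", r"\1", v[1:-1])
    return v


def parse_auth_params(rest: str) -> Optional[Dict[str, str]]:
    """Parse '#auth-param'; None if any element is not token "=" (token | quoted-string)."""
    params: Dict[str, str] = {}
    for item in split_hash_list(rest):
        m = AUTH_PARAM.match(item)
        if m is None:
            return None
        params[m.group(1).lower()] = unquote(m.group(2))
    return params


def credentials_rfc2617(value: str):
    """credentials = auth-scheme #auth-param   (RFC 2617 as published)."""
    m = SCHEME_SPLIT.match(value.strip())
    if m is None:
        return None
    scheme, rest = m.group(1), m.group(2) or ""
    params = parse_auth_params(rest)
    return None if params is None else (scheme, params)


def credentials_rfc2068(value: str):
    """credentials = basic-credentials | auth-scheme #auth-param   (RFC 2068 / erratum)."""
    m = SCHEME_SPLIT.match(value.strip())
    if m is None:
        return None
    scheme, rest = m.group(1), m.group(2) or ""
    if scheme.lower() == "basic":
        # The special case: Basic carries a base64 blob, never '='-separated parameters.
        return (scheme, rest) if BASE64_USER_PASS.match(rest) else None
    params = parse_auth_params(rest)
    return None if params is None else (scheme, params)


def decode_basic(b64: str) -> Tuple[str, str]:
    """Split base64-user-pass into (userid, password); the first ':' is the separator."""
    user, _, password = base64.b64decode(b64).decode("utf-8").partition(":")
    return user, password


# Constructed sample header values (not taken from the thread).
BASIC_EXAMPLE = "Basic dXNlcjpwYXNz"  # base64 of "user:pass"
DIGEST_EXAMPLE = ('Digest username="alice", realm="example", nonce="0123abcd", '
                  'uri="/", response="deadbeef"')

if __name__ == "__main__":
    print("RFC 2617 rule, Basic :", credentials_rfc2617(BASIC_EXAMPLE))   # None: rejected
    print("RFC 2068 rule, Basic :", credentials_rfc2068(BASIC_EXAMPLE))
    print("RFC 2617 rule, Digest:", credentials_rfc2617(DIGEST_EXAMPLE))
    print("RFC 2068 rule, Digest:", credentials_rfc2068(DIGEST_EXAMPLE))
```

Running it shows the asymmetry the thread is about: both rules accept the Digest credentials identically, but only the RFC 2068 form accepts the Basic header. Note also that a padded blob such as `dXNlcg==` contains `=` and can still never satisfy `auth-param`, since the characters after the first `=` are not a token or quoted-string; a parser that follows the published ABNF therefore has to special-case Basic in code, which is exactly what the erratum puts back into the grammar.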