
Proposed RFC 2617 erratum, Re: Backwards definition of authentication header

From: Julian Reschke <julian.reschke@gmx.de>
Date: Tue, 08 Dec 2009 15:46:20 +0100
Message-ID: <4B1E66BC.2060404@gmx.de>
To: Eran Hammer-Lahav <eran@hueniverse.com>
CC: "HTTP Working Group (ietf-http-wg@w3.org)" <ietf-http-wg@w3.org>
OK,

so let's report an erratum against RFC 2617 to get this on the record:

-- snip --
Section 1.2, paragraph 4:
OLD:

        challenge   = auth-scheme 1*SP 1#auth-param

NEW:

        credentials = basic-credentials | auth-scheme #auth-param

     Note: for historic reasons, the "Basic" authentication scheme (see
     Section 2) uses a different format, thus the special case in the
     ABNF.

-- snip --

Best regards, Julian


Julian Reschke wrote:
> Julian Reschke wrote:
>> ...
>> I assume the reasons are historical.
>>
>> It appears the ABNF was broken when RFC2068/9 was revised as 
>> RFC2616/7, see <http://tools.ietf.org/html/rfc2068#section-11> which has:
>>
>>           credentials    = basic-credentials
>>                          | auth-scheme #auth-param
>>
>> We probably should record an erratum for RFC 2617 for now.
>> ...
> 
> I just checked the history of RFC 2617, and the change happened between 
> draft 01 and draft 02 
> (<http://tools.ietf.org/rfcdiff?url2=draft-ietf-http-authentication-02.txt>), 
> when
> 
> -- draft 01 --
> A user agent that wishes to authenticate itself with an origin server--
> usually, but not necessarily, after receiving a 401 (Unauthorized)--MAY
> do so by including an Authorization header field with the request. A
> client that wishes to authenticate itself with a proxy--usually, but not
> necessarily, after receiving a 407 (Proxy Authentication Required)--MAY
> do so by including a Proxy-Authorization header field with the request.
> Both the Authorization field value and the Proxy-Authorization field
> value consist of credentials containing the authentication information
> of the client for the realm of the resource being requested.
> 
>     credentials = basic-credentials | auth-scheme #auth-param
> -- draft 01 --
> 
> was replaced by
> 
> -- draft 02 --
> A user agent that wishes to authenticate itself with an origin server--
> 
> usually, but not necessarily, after receiving a 401 (Unauthorized)--MAY
> do so by including an Authorization header field with the request. A
> client that wishes to authenticate itself with a proxy--usually, but not
> necessarily, after receiving a 407 (Proxy Authentication Required)--MAY
> do so by including a Proxy-Authorization header field with the request.
> Both the Authorization field value and the Proxy-Authorization field
> value consist of credentials containing the authentication information
> of the client for the realm of the resource being requested. The user
> agent MUST choose to use one of the challenges with the strongest auth-
> scheme it understands and request credentials from the user based upon
> that challenge.
> 
> credentials = auth-scheme #auth-param
> 
>      Note that many browsers will only recognize Basic and will require
>      that it be the first auth-scheme presented. Servers should only
>      include Basic if it is minimally acceptable.
> -- draft 02 --
> 
> So the intention may have been to replace the special case in the ABNF 
> by prose, but, as far as I can tell, that was the wrong thing to do here.
> 
> Best regards, Julian
> 
> 
Received on Tuesday, 8 December 2009 14:48:06 GMT
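The grammar point Julian makes, shown as an added example that is not part of the thread (my own Python code; the field values below are constructed samples): with the RFC 2068 / erratum rule `credentials = basic-credentials | auth-scheme #auth-param` a Basic field value parses, whereas under the as-published RFC 2617 rule `credentials = auth-scheme #auth-param` the base64 basic-cookie is not a valid auth-param list and is rejected.

```python
import base64
import re

# RFC 2616 token: 1*<any CHAR except CTLs or separators>; quoted-string with \-quoted-pairs.
TOKEN = r"[!#$%&'*+\-.^_`|~0-9A-Za-z]+"
QUOTED = r'"(?:[^"\\]|\\.)*"'
AUTH_PARAM = re.compile(rf"\s*({TOKEN})\s*=\s*({TOKEN}|{QUOTED})\s*")
BASIC_COOKIE = re.compile(r"[A-Za-z0-9+/]+={0,2}")   # base64 of userid ":" password


def parse_auth_params(text):
    """Parse '#auth-param' (comma-separated; RFC 2616 allows null elements) into a dict."""
    params, pos = {}, 0
    while pos < len(text):
        if text[pos] in ", \t":          # list separators and empty list elements
            pos += 1
            continue
        m = AUTH_PARAM.match(text, pos)
        if m is None or (m.end() < len(text) and text[m.end()] != ","):
            raise ValueError(f"not an auth-param at offset {pos}: {text[pos:]!r}")
        name, value = m.group(1).lower(), m.group(2)
        if value.startswith('"'):        # strip quotes and undo quoted-pair escapes
            value = re.sub(r"\\(.)", r"\1", value[1:-1])
        params[name] = value
        pos = m.end()
    return params


def parse_credentials(field_value, basic_special_case=True):
    """basic_special_case=True : credentials = basic-credentials | auth-scheme #auth-param
       basic_special_case=False: credentials = auth-scheme #auth-param  (RFC 2617 as published)"""
    scheme, _, rest = field_value.strip().partition(" ")
    if not re.fullmatch(TOKEN, scheme):
        raise ValueError(f"bad auth-scheme: {scheme!r}")
    rest = rest.strip()
    if basic_special_case and scheme.lower() == "basic":
        # basic-credentials = "Basic" SP basic-cookie; basic-cookie = base64(userid ":" password)
        if not BASIC_COOKIE.fullmatch(rest):
            raise ValueError("malformed basic-cookie")
        user_pass = base64.b64decode(rest, validate=True).decode("latin-1")
        userid, sep, password = user_pass.partition(":")   # userid itself may not contain ':'
        if not sep:
            raise ValueError("basic-cookie lacks the ':' separator")
        return {"scheme": "Basic", "userid": userid, "password": password}
    return {"scheme": scheme, "params": parse_auth_params(rest)}


def encode_basic(userid, password):
    """Build a Basic field value (inverse of the special case above)."""
    if ":" in userid:
        raise ValueError("userid may not contain ':'")
    cookie = base64.b64encode(f"{userid}:{password}".encode("latin-1")).decode("ascii")
    return f"Basic {cookie}"
```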
