RE: Proposed RFC 2617 erratum, Re: Backwards definition of authentication header

> -----Original Message-----
> From: Julian Reschke [mailto:julian.reschke@gmx.de]
> Sent: Tuesday, December 08, 2009 6:46 AM
> To: Eran Hammer-Lahav
> Cc: HTTP Working Group (ietf-http-wg@w3.org)
> Subject: Proposed RFC 2617 erratum, Re: Backwards definition of
> authentication header
> 
> OK,
> 
> so let's report an erratum against RFC 2617 to get this on the record:
> 
> -- snip --
> Section 1.2, paragraph 4:
> OLD:
> 
>         challenge   = auth-scheme 1*SP 1#auth-param
> 
> NEW:
> 
>         credentials = basic-credentials | auth-scheme #auth-param

Don't you need the 1*SP in there?

EHL

> 
>      Note: for historic reasons, the "Basic" authentication scheme (see
>      Section 2) uses a different format, thus the special case in the
>      ABNF.
> 
> -- snip --
> 
> Best regards, Julian
> 
> 
> Julian Reschke wrote:
> > Julian Reschke wrote:
> >> ...
> >> I assume the reasons are historical.
> >>
> >> It appears the ABNF was broken when RFC2068/9 was revised as
> >> RFC2616/7, see <http://tools.ietf.org/html/rfc2068#section-11> which has:
> >>
> >>           credentials    = basic-credentials
> >>                          | auth-scheme #auth-param
> >>
> >> We probably should record an erratum for RFC 2617 for now.
> >> ...
> >
> > I just checked the history of RFC 2617, and the change happened
> > between draft 01 and draft 02
> > (<http://tools.ietf.org/rfcdiff?url2=draft-ietf-http-authentication-02.txt>),
> > when
> >
> > -- draft 01 --
> > A user agent that wishes to authenticate itself with an origin
> > server-- usually, but not necessarily, after receiving a 401
> > (Unauthorized)--MAY do so by including an Authorization header field
> > with the request. A client that wishes to authenticate itself with a
> > proxy--usually, but not necessarily, after receiving a 407 (Proxy
> > Authentication Required)--MAY do so by including a Proxy-Authorization
> > header field with the request.
> > Both the Authorization field value and the Proxy-Authorization field
> > value consist of credentials containing the authentication information
> > of the client for the realm of the resource being requested.
> >
> >     credentials = basic-credentials | auth-scheme #auth-param
> > -- draft 01 --
> >
> > was replaced by
> >
> > -- draft 02 --
> > A user agent that wishes to authenticate itself with an origin
> > server--
> >
> > usually, but not necessarily, after receiving a 401
> > (Unauthorized)--MAY do so by including an Authorization header field
> > with the request. A client that wishes to authenticate itself with a
> > proxy--usually, but not necessarily, after receiving a 407 (Proxy
> > Authentication Required)--MAY do so by including a Proxy-Authorization
> > header field with the request.
> > Both the Authorization field value and the Proxy-Authorization field
> > value consist of credentials containing the authentication information
> > of the client for the realm of the resource being requested. The user
> > agent MUST choose to use one of the challenges with the strongest
> > auth-scheme it understands and request credentials from the user
> > based upon that challenge.
> >
> > credentials = auth-scheme #auth-param
> >
> >      Note that many browsers will only recognize Basic and will require
> >      that it be the first auth-scheme presented. Servers should only
> >      include Basic if it is minimally acceptable.
> > -- draft 02 --
> >
> > So the intention may have been to replace the special case in the ABNF
> > by prose, but, as far as I can tell, that was the wrong thing to do here.
> >
> > Best regards, Julian
> >
> >
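The practical consequence of the two grammars discussed above is easy to see with a small parser. The following Python is an added illustration, not code from the thread, from RFC 2617 or from any HTTP implementation: it implements the `credentials` production once in the RFC 2068 form (`basic-credentials | auth-scheme #auth-param`) and once in the RFC 2617 form (`auth-scheme #auth-param`), and shows that a Basic `Authorization` value, whose payload is a base64 blob rather than a list of `token "=" value` pairs, only parses under the first form. The `token` character set follows RFC 2616 section 2.2; treating the decoded user-pass bytes as ISO-8859-1 is an assumption, since RFC 2617 names no charset. Whitespace between the scheme and the parameters is accepted as implied LWS (any run of whitespace), which is the point Eran raises about `1*SP`.

```python
"""Parser for the RFC 2617 'credentials' production, written to show why the ABNF
needs the basic-credentials special case. Added example, not RFC or project code."""
import base64
import binascii
import re

# token = 1*<any CHAR except CTLs or separators>  (RFC 2616 section 2.2)
TOKEN = r"[!#$%&'*+\-.^_`|~0-9A-Za-z]+"
QUOTED_STRING = r'"(?:[^"\\]|\\.)*"'
# auth-param = token "=" ( token | quoted-string )
AUTH_PARAM_RE = re.compile(rf"^({TOKEN})\s*=\s*({TOKEN}|{QUOTED_STRING})$")
# credentials begin with auth-scheme (a token), then LWS, then the scheme-specific rest
SCHEME_RE = re.compile(rf"^({TOKEN})(?:\s+(.*))?$", re.DOTALL)


def split_hash_list(text):
    """Split a '#rule' list on commas outside quoted-strings; empty elements are dropped."""
    items, buf, in_quotes, escaped = [], [], False, False
    for ch in text:
        if in_quotes:
            buf.append(ch)
            if escaped:
                escaped = False
            elif ch == "\\":
                escaped = True
            elif ch == '"':
                in_quotes = False
        elif ch == ",":
            items.append("".join(buf))
            buf = []
        else:
            buf.append(ch)
            if ch == '"':
                in_quotes = True
    if in_quotes:
        raise ValueError("unterminated quoted-string")
    items.append("".join(buf))
    return [item.strip() for item in items if item.strip()]


def parse_auth_params(text):
    """Parse '#auth-param' into a dict; ValueError if any element is not an auth-param."""
    params = {}
    for item in split_hash_list(text):
        m = AUTH_PARAM_RE.match(item)
        if not m:
            raise ValueError(f"not an auth-param: {item!r}")
        name, value = m.group(1), m.group(2)
        if value.startswith('"'):
            # quoted-string: drop the quotes and undo quoted-pair escapes
            value = re.sub(r"\\(.)", r"\1", value[1:-1])
        params[name] = value
    return params


def parse_basic_credentials(text):
    """basic-credentials = base64-user-pass, user-pass = userid ":" password.
    Assumption: decoded bytes are read as ISO-8859-1 (RFC 2617 names no charset)."""
    try:
        user_pass = base64.b64decode(text.strip(), validate=True).decode("iso-8859-1")
    except (binascii.Error, ValueError) as exc:
        raise ValueError(f"not base64-user-pass: {text!r}") from exc
    userid, sep, password = user_pass.partition(":")
    if not sep:
        raise ValueError("user-pass lacks the ':' separator")
    return userid, password


def parse_credentials(value, basic_special_case=True):
    """Parse an Authorization / Proxy-Authorization field value.

    basic_special_case=True  -> RFC 2068 section 11 / proposed erratum:
                                credentials = basic-credentials | auth-scheme #auth-param
    basic_special_case=False -> RFC 2617 as published:
                                credentials = auth-scheme #auth-param
    Returns (scheme, (userid, password)) for Basic, otherwise (scheme, {name: value}).
    """
    m = SCHEME_RE.match(value.strip())
    if not m:
        raise ValueError(f"no auth-scheme token at start of {value!r}")
    scheme, rest = m.group(1), m.group(2) or ""
    if basic_special_case and scheme.lower() == "basic":
        return scheme, parse_basic_credentials(rest)
    return scheme, parse_auth_params(rest)


def matches_grammar(value, basic_special_case=True):
    """True if the field value parses under the chosen form of the grammar."""
    try:
        parse_credentials(value, basic_special_case)
        return True
    except ValueError:
        return False


if __name__ == "__main__":
    # Constructed sample field values; the Basic one is the example from RFC 2617 section 2.
    samples = [
        "Basic QWxhZGRpbjpvcGVuIHNlc2FtZQ==",
        'Digest username="Mufasa", realm="testrealm@host.com", nonce="dcd98b7102dd2f0e8b11d0f600bfb0c093"',
    ]
    for s in samples:
        print(s)
        print("  RFC 2068 form parses:", matches_grammar(s, True))
        print("  RFC 2617 form parses:", matches_grammar(s, False))
```

Running it shows the Digest value parsing under both forms, while the Basic value parses only with the special case: its base64 payload contains no `token "=" value` pair (base64 padding sits at the end with nothing after it, and `=` is not a token character), so a strictly conforming parser built from the published RFC 2617 ABNF would reject every Basic credential. That is the defect the erratum records.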

Received on Wednesday, 9 December 2009 17:10:46 UTC