- From: Paul Leach <paulle@microsoft.com>
- Date: Sat, 12 Dec 2009 04:49:46 +0000
- To: "Manger, James H" <James.H.Manger@team.telstra.com>, Julian Reschke <julian.reschke@gmx.de>, Eran Hammer-Lahav <eran@hueniverse.com>
- CC: "HTTP Working Group (ietf-http-wg@w3.org)" <ietf-http-wg@w3.org>
The ABNF may not be optimal, but it is correct.
-----Original Message-----
From: ietf-http-wg-request@w3.org [mailto:ietf-http-wg-request@w3.org] On Behalf Of Manger, James H
Sent: Friday, December 11, 2009 5:05 PM
To: Julian Reschke; Eran Hammer-Lahav
Cc: HTTP Working Group (ietf-http-wg@w3.org)
Subject: RE: Proposed RFC 2617 erratum, Re: Backwards definition of authentication header
> Reported as <http://www.rfc-editor.org/errata_search.php?eid=1959>
>
> credentials = basic-credentials | auth-scheme SP #auth-param
This looks wrong.
Basic includes the scheme.
The example in the spec is:
Authorization: Basic QWxhZGRpbjpvcGVuIHNlc2FtZQ==
Perhaps it should be:
credentials = auth-scheme SP { basic-credentials | #auth-param }
[note: I am not proficient with ABNF]
NTLM and Negotiate also use a scheme followed by a base64-encoded blob, just like Basic.
The following example is from RFC 4559 "SPNEGO-based Kerberos and NTLM HTTP Auth in MS Windows" (which annoying looks like lower-case hex, though the text says it is base64):
Authorization: Negotiate a87421000492aa874209af8bc028
The ABNF may as well support the Basic/NTLM/Negotiate form regardless of scheme, instead of a special case for just Basic (either as an RFC 2617 errata or an httpbis item?).
I am not sure how to write the ABNF. Here is a wild guess:
credentials = auth-scheme SP { token | #auth-param }
--
James Manger
Received on Saturday, 12 December 2009 04:49:57 UTC