W3C home > Mailing lists > Public > ietf-http-wg@w3.org > July to September 2011

Re: #195, was: ABNF for Authorization header not quite right

From: Julian Reschke <julian.reschke@gmx.de>
Date: Tue, 09 Aug 2011 13:24:34 +0200
Message-ID: <4E4118F2.5000907@gmx.de>
To: "Manger, James H" <James.H.Manger@team.telstra.com>
CC: "ietf-http-wg@w3.org" <ietf-http-wg@w3.org>
Hi,

so I went ahead and applied the following change: 
<http://trac.tools.ietf.org/wg/httpbis/trac/changeset/1394>

> ...
>> Julian,
>>
>> I like the new text, except for disallowing<b64token> for new schemes.
>
> Most of it is yours :-)
>
>> I don't think that extra restriction is necessary, or useful.
>>
>> Other authentication schemes could well copy how BASIC/NTLM/NEGOTIATE
>> do it, for the same reasons (a single blob is a good match for their
>> information model).
>> draft-ietf-oauth-v2-bearer (currently in Working Group Last Call)
>> defines the BEARER HTTP authentication scheme to uses a single
>> string (it currently allows any ASCII chars other than controls and
>> space,
>> but should be able to adopt<b64token>).
>
> My concern is that b64token is constrained to a single value; if you
> pick it, there are no extension points left. I think this is sufficient
> reason to discourage it. Will come up with new proposed text later on.

New text:

    o  The "b64token" notation was introduced for compatibility with
       existing authentication schemes and can only be used once per
       challenge/credentials.  New schemes thus ought to use the "auth-
       param" syntax instead, because otherwise future extensions will be
       impossible.

> ...
>> So suggested text (with a few<ins>erts and<del>etes):
>>
>> 2.1. Challenge and Response
>>
>> HTTP provides a simple challenge-response authentication mechanism
>> that can be used by a server to challenge a client request and by a
>> client to provide authentication information. It uses an extensible,
>> case-insensitive token to identify the authentication scheme,
>> followed by<ins>a single string or</ins>
>> a comma-separated list of attribute-value pairs which
>> carry the parameters necessary for achieving authentication via that
>> scheme.
>>
>> auth-scheme = token
>> auth-param = token BWS "=" BWS ( token / quoted-string )
>>
>> <del>As an alternative to a list of auth parameters, a single string can
>> be used:</del>
> ...

Now...:

2.1.  Challenge and Response

    HTTP provides a simple challenge-response authentication mechanism
    that can be used by a server to challenge a client request and by a
    client to provide authentication information.  It uses an extensible,
    case-insensitive token to identify the authentication scheme,
    followed by additional information necessary for achieving
    authentication via that scheme.  The latter can either be a comma-
    separated list of attribute-value pairs or a single sequence of
    characters capable of holding base64-encoded information.

      auth-scheme    = token

      auth-param     = token BWS "=" BWS ( token / quoted-string )

      b64token       = 1*( ALPHA / DIGIT /
                           "-" / "." / "_" / "~" / "+" / "/" ) *"="

    The "b64token" syntax allows the 66 unreserved URI characters
    ([RFC3986]), plus a few others, so that it can hold a base64,
    base64url (URL and filename safe alphabet), base32, or base16 (hex)
    encoding, with or without padding, but excluding whitespace
    ([RFC4648]).


(reminder: this is only our development version, so we can still tune 
it...).

Best regards, Julian
Received on Tuesday, 9 August 2011 11:25:07 GMT

This archive was generated by hypermail 2.2.0+W3C-0.50 : Friday, 27 April 2012 06:51:46 GMT