W3C home > Mailing lists > Public > ietf-http-wg@w3.org > October to December 2011

Re: #320: add advice on defining auth scheme parameters

From: Julian Reschke <julian.reschke@gmx.de>
Date: Fri, 28 Oct 2011 19:15:29 +0200
Message-ID: <4EAAE331.8080606@gmx.de>
To: HTTP Working Group <ietf-http-wg@w3.org>
On 2011-10-27 22:03, Julian Reschke wrote:
> (copied from new ticket, triggered from current discussion over in the
> oauth WG:)
>
> When new schemes define new auth parameters, they of course need to
> stick to the base syntax.
>
> In theory they *can* profile the allowable syntax, but doing so will not
> work well with consumers that use auth-scheme-agnostic parsers. It's
> thus best to define auth params based on what a parser would return
> *after* processing quoted-strings.

Proposed change: 
<http://trac.tools.ietf.org/wg/httpbis/trac/attachment/ticket/320/320.diff>

This adds in "Considerations for New Authentication Schemes":

    o  The parsing of challenges and credentials is defined by this
       specification, and cannot be modified by new authentication
       schemes.  When the auth-param syntax is used, all parameters ought
       to support both token and quoted-string syntax, and syntactical
       constraints ought to be defined on the field value after parsing
       (i.e., quoted-string processing).  This is necessary so that
       recipients can use a generic parser that applies to all
       authentication schemes.

       Note: the fact that "realm" only allows quoted-string syntax was a
       bad design choice not to be repeated in new schemes.

and also adds an example for WWW-Authenticate with multiple challenges:

    For instance:

      WWW-Authenticate: Newauth realm="apps", type=1,
                        title="Login to \"apps\"", Basic realm="simple"

    This header field contains two challenges; one for the "Newauth"
    scheme with a realm value of "apps", and two additional parameters
    "type" and "title", and another one for the "Basic" scheme with a
    realm value of "simple".

Feedback appreciated,

Julian
Received on Friday, 28 October 2011 17:16:09 GMT

This archive was generated by hypermail 2.2.0+W3C-0.50 : Friday, 27 April 2012 06:51:49 GMT