
Re: #320: add advice on defining auth scheme parameters

From: Willy Tarreau <w@1wt.eu>
Date: Sat, 29 Oct 2011 16:29:26 +0200
To: Julian Reschke <julian.reschke@gmx.de>
Cc: Mark Nottingham <mnot@mnot.net>, HTTP Working Group <ietf-http-wg@w3.org>
Message-ID: <20111029142926.GC32320@1wt.eu>

On Sat, Oct 29, 2011 at 02:38:14PM +0200, Julian Reschke wrote:
> >      WWW-Authenticate: Newauth realm="apps"
> >      WWW-Authenticate: type=1
> >      WWW-Authenticate: title="Login to \"apps\""
> >      WWW-Authenticate: Basic realm="simple"
> 
> ...except a recipient would be allowed to ignore the 2nd and the 3rd because, 
> in isolation, they do not conform to the header ABNF.

Good point.

(...)
> indeed. WWW-Authenticate is a big mess, because it uses the same 
> delimiter *between* challenges and *inside* challenges. We can't change 
> that, but we can warn.

Couldn't we suggest that new schemes must use a semicolon instead?
After all, existing parsers will have to be extended to support new
schemes anyway, so making them support a more reliable syntax makes
sense.

> The spec already says (and has been in 2617):
> 
> "User agents are advised to take special care in parsing the 
> WWW-Authenticate field value as it might contain more than one 
> challenge, or if more than one WWW-Authenticate header field is 
> provided, the contents of a challenge itself can contain a 
> comma-separated list of authentication parameters."

I did not notice this warning, thanks for pointing it out to me.

Regards,
Willy
Received on Saturday, 29 October 2011 14:30:05 GMT
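
The parsing problem discussed in this message, as an added example that is not part of the original thread or of any HTTP specification text: a small parser that splits a WWW-Authenticate value on commas outside quoted-strings and decides whether each element starts a new challenge or continues the previous one. It assumes auth-param syntax only (token or quoted-string values, no base64-style credentials blob); all function names are hypothetical.

```python
import re

TOKEN = r"[!#$%&'*+\-.^_`|~0-9A-Za-z]+"
QUOTED = r'"(?:[^"\\]|\\.)*"'               # quoted-string with backslash escapes
ITEM = re.compile(rf'(?:{QUOTED}|[^,"])+')  # run up to a comma outside quotes
PARAM = re.compile(rf"({TOKEN})\s*=\s*({TOKEN}|{QUOTED})")
START = re.compile(rf"({TOKEN})(?:\s+(.*))?", re.S)

# Constructed sample: the four header lines quoted in the message above.
LINES = [r'Newauth realm="apps"', r'type=1',
         r'title="Login to \"apps\""', r'Basic realm="simple"']

def unquote(v):
    """Strip the quotes and backslash escapes from a quoted-string."""
    return re.sub(r"\\(.)", r"\1", v[1:-1]) if v.startswith('"') else v

def parse_challenges(value):
    """Return [(scheme, params)]; ValueError if a parameter has no scheme."""
    out = []
    for item in (s.strip() for s in ITEM.findall(value)):
        if not item:
            continue
        p = PARAM.fullmatch(item)
        if p:                        # bare parameter: continues the last challenge
            if not out:
                raise ValueError(f"parameter without a scheme: {item!r}")
        else:                        # "scheme" or "scheme param": new challenge
            m = START.fullmatch(item)
            if not m:
                raise ValueError(f"malformed element: {item!r}")
            out.append((m.group(1), {}))
            p = PARAM.fullmatch(m.group(2)) if m.group(2) else None
            if m.group(2) and not p:
                raise ValueError(f"malformed parameter: {item!r}")
        if p:                        # parameter names are case-insensitive
            out[-1][1][p.group(1).lower()] = unquote(p.group(2))
    return out

def nonconforming_alone(lines):
    """Header lines that are not a valid field value when taken in isolation."""
    bad = []
    for line in lines:
        try:
            parse_challenges(line)
        except ValueError:
            bad.append(line)
    return bad
```

Joined with ", " the four lines parse as two challenges, while the second and third lines fail when each header line is validated on its own, which is the case where a recipient may drop them.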
