- From: Paul Leach <paulle@microsoft.com>
- Date: Thu, 29 Feb 96 10:06:18 PST
- To: john@math.nwu.edu
- Cc: http-wg%cuckoo.hpl.hp.com@hplb.hpl.hp.com
I looked at the definitions of "Proxy-Authentication" and
"Proxy-Authorization"; they are defined to use the same challenges and
credentials as WWW-Authenticate and Authorization headers
(respectively). We need to make this clear; it would even be good to
refer to "challenge" and "credentials", as these are the non-terminals
in the HTTP spec grammar for the values of these headers. (In general,
it would be nice to use the same syntax notation as in the HTTP spec,
but maybe that can be "the last pass" over it, after all else is agreed to.)
To accommodate this (in current Digest syntax style), I'd propose to change:
    If a server receives a request for an access-protected object, and an
    acceptable Authorization header is not sent, the server responds with

        HTTP/1.1 401 Unauthorized
        WWW-Authenticate: Digest realm="<realm>",
                                 domain="<domain>",
                                 nonce="<nonce>",
                                 opaque="<opaque>",
                                 stale="<TRUE | FALSE>",
                                 algorithm="<digest-algorithm>"
to
    If a server receives a request for which authorization is required
    (e.g., an access-protected object), and an acceptable Authorization or
    Proxy-Authorization header is not sent, the server responds with

        HTTP/1.1 401 Unauthorized

    if it is an origin-server, or

        HTTP/1.1 407 Proxy Authentication Required

    if it is a proxy, followed by a WWW-Authenticate header or
    Proxy-Authentication header, respectively.

    Format of a WWW-Authenticate header is given by:

        <www-authn> := WWW-Authenticate: <challenge>

    and of a Proxy-Authentication header by:

        <proxy-authn> := Proxy-Authenticate: <challenge>

    where <challenge> has the same meaning as "challenge" in the
    HTTP/1.1 specification (see section 11 "Access Authentication"),
    extended for Digest authentication as follows:

        <challenge> := <basic-challenge> | <digest-challenge>

        <digest-challenge> := Digest realm="<realm>",
                                     domain="<domain>",
                                     nonce="<nonce>",
                                     opaque="<opaque>",
                                     stale="<TRUE | FALSE>",
                                     algorithm="<digest-algorithm>"
Likewise, for Authenticate change:
    The client is expected to retry the request, passing an Authorization header
    line as follows:

        Authorization: Digest
                username="<username>",          -- required
                realm="<realm>",                -- required
                nonce="<nonce>",                -- required
                uri="<requested-uri>",          -- required
                response="<digest>",            -- required
                message="<message-digest>",     -- OPTIONAL
                algorithm="<digest-algorithm>"  -- OPTIONAL
                opaque="<opaque>",              -- required if provided by server
to:
    The client is expected to retry the request, passing an Authorization or
    Proxy-Authorization header (to origin-servers and proxies, respectively).

    Format of an Authorization header is given by:

        <authz> := Authorization: <credentials>

    and of a Proxy-Authorization header by:

        <proxy-authz> := Proxy-Authorization: <credentials>

    where <credentials> has the same meaning as "credentials" in the
    HTTP/1.1 specification (see section 11 "Access Authentication"),
    extended for Digest authentication as follows:

        <credentials> := <basic-credentials> | <digest-credentials>

        <digest-credentials> := Digest
                username="<username>",          -- required
                realm="<realm>",                -- required
                nonce="<nonce>",                -- required
                uri="<requested-uri>",          -- required
                response="<digest>",            -- required
                message="<message-digest>",     -- OPTIONAL
                algorithm="<digest-algorithm>"  -- OPTIONAL
                opaque="<opaque>",              -- required if provided by server
There's a bigger issue in Digest-MessageDigest; I'll propose a fix in
the next message.
Paul
Received on Thursday, 29 February 1996 10:03:03 UTC
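The pairing the message proposes (401 with WWW-Authenticate answered by Authorization; 407 with Proxy-Authenticate answered by Proxy-Authorization, both carrying the same Digest challenge/credentials grammar) as a small client-side parser and builder. This is an added example, not code from the message, the working group or any HTTP implementation; it assumes the response field is computed with the RFC 2069 formula, which the message itself does not reproduce, and all sample values in it are constructed.

```python
import hashlib
import re

# Parameters allowed in a <digest-challenge> (this message's grammar).
CHALLENGE_PARAMS = {"realm", "domain", "nonce", "opaque", "stale", "algorithm"}
# Status code -> (challenge header, credentials header), as the proposed text pairs them.
HEADER_PAIRS = {
    401: ("WWW-Authenticate", "Authorization"),          # origin server
    407: ("Proxy-Authenticate", "Proxy-Authorization"),  # proxy
}
_PARAM_RE = re.compile(r'(\w+)="([^"]*)"')

def parse_digest_challenge(status, header_name, value):
    """Return the parameter dict of a Digest challenge, checking that the
    header name matches the status code it arrived with."""
    if status not in HEADER_PAIRS:
        raise ValueError("not an authentication challenge status: %d" % status)
    expected = HEADER_PAIRS[status][0]
    if header_name != expected:
        raise ValueError("%d must carry %s, got %s" % (status, expected, header_name))
    scheme, _, params = value.partition(" ")
    if scheme != "Digest":
        raise ValueError("not a Digest challenge: " + scheme)
    fields = dict(_PARAM_RE.findall(params))
    if set(fields) - CHALLENGE_PARAMS or "realm" not in fields or "nonce" not in fields:
        raise ValueError("malformed Digest challenge: " + repr(sorted(fields)))
    return fields

def digest_response(username, realm, password, nonce, method, uri):
    # Assumption: the RFC 2069 formula H(H(A1):nonce:H(A2)) with MD5; the
    # message itself only names the response field, not how it is computed.
    h = lambda s: hashlib.md5(s.encode()).hexdigest()
    a1 = h("%s:%s:%s" % (username, realm, password))
    a2 = h("%s:%s" % (method, uri))
    return h("%s:%s:%s" % (a1, nonce, a2))

def build_digest_credentials(status, challenge, username, password, method, uri):
    """Return (header name, value) for the client's retry: Authorization to
    an origin server, Proxy-Authorization to a proxy."""
    response = digest_response(username, challenge["realm"], password,
                               challenge["nonce"], method, uri)
    parts = ['username="%s"' % username, 'realm="%s"' % challenge["realm"],
             'nonce="%s"' % challenge["nonce"], 'uri="%s"' % uri,
             'response="%s"' % response]
    if "opaque" in challenge:  # required if provided by server
        parts.append('opaque="%s"' % challenge["opaque"])
    return HEADER_PAIRS[status][1], "Digest " + ", ".join(parts)
```

The header-name check is the point of the message: a 407 carrying WWW-Authenticate (or a 401 carrying Proxy-Authenticate) is rejected rather than silently answered with the wrong credentials header.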