Re: opaque parameter in the Authorization request header from Henrik Nordstrom on 2008-08-13 (ietf-http-wg@w3.org from July to September 2008)

From: Henrik Nordstrom <henrik@henriknordstrom.net>
Date: Wed, 13 Aug 2008 12:15:56 +0200
To: Evgeniy Khramtsov <xramtsov@gmail.com>
Cc: ietf-http-wg@w3.org
Message-Id: <1218622556.25284.22.camel@henriknordstrom.net>

On ons, 2008-08-13 at 18:57 +1000, Evgeniy Khramtsov wrote:

> Currently I'm a spectator of a situation when a client doesn't include 
> an "opaque" field in the "Authorization" header and a server replies 
> with 400 "Authorization should contain opaque". Actually, I don't know 
> who is right: a client or a server?

The way I read it the server is right.

The language isn't fully formal, but it does say should (3.2.1) and
required (3.3), which means a client not returning the opaque is clearly
broken.

And with opaque included in the earlier RFC2069 specifications with
nearly the same language there really is no excuse for not returning
it..

Regards
Henrik

Received on Wednesday, 13 August 2008 10:16:36 UTC