[#177] Realm required on challenges

[ this was raised anonymously ]

p7 defers to RFC2617 for the definition of challenge.

RFC 2617, section 1.2 says:

challenge = auth-scheme 1*SP 1#auth-param

...

The authentication parameter realm is defined for all authentication schemes:

realm = "realm" "=" realm-value
realm-value = quoted-string

The realm directive (case-insensitive) is required for all  
authentication schemes that issue a challenge.

The interpretation being that challenges (which is what
www-authenticate is defined as) MUST contain at least one parameter and
that parameter MUST be a realm.

Is it truly necessary for all authentication schemes to include a  
'realm' parameter? If so, it should be documented (e.g., in the section  
about extension authentication schemes).

Mark Nottingham     http://www.mnot.net/

Received on Tuesday, 7 July 2009 07:15:58 UTC
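
The grammar quoted in the message above can be checked mechanically. The following is an added example, not part of the original message or of any specification text: it parses a WWW-Authenticate field value under the RFC 2617 rule `challenge = auth-scheme 1*SP 1#auth-param` and reports the schemes whose challenge carries no realm. The function names and the sample header value are assumptions made for illustration.

```python
import re

TOKEN = r"[!#$%&'*+\-.^_`|~0-9A-Za-z]+"
QUOTED = r'"(?:[^"\\]|\\.)*"'
ITEM = rf'(?:{QUOTED}|[^,"])*'                                    # one #list element
PARAM = re.compile(rf"\s*({TOKEN})\s*=\s*({TOKEN}|{QUOTED})\s*")  # auth-param
SCHEME = re.compile(rf"\s*({TOKEN})(?: +|\s*$)")                  # auth-scheme 1*SP
# Constructed sample field value (not taken from the message above)
SAMPLE = 'Digest realm="a, b", nonce="abc", Basic REALM="c", NewScheme foo=bar, Bare'

def split_list(value):
    """Split a #list on commas that are outside quoted-strings."""
    if not re.fullmatch(rf"{ITEM}(?:,{ITEM})*", value):
        raise ValueError("unbalanced quoted-string")
    return [i for i in re.findall(ITEM, value) if i.strip()]

def parse_challenges(value):
    """Return [(scheme, {param: value})]; param names are lower-cased."""
    challenges = []
    for item in split_list(value):
        m = PARAM.fullmatch(item)
        if not m:                      # item opens a new challenge
            s = SCHEME.match(item)
            if not s:
                raise ValueError(f"not a challenge: {item!r}")
            challenges.append((s.group(1), {}))
            rest = item[s.end():]
            if not rest.strip():       # bare scheme with no auth-param at all
                continue
            m = PARAM.fullmatch(rest)
        if not m or not challenges:
            raise ValueError(f"bad auth-param: {item!r}")
        name, val = m.group(1).lower(), m.group(2)
        if val.startswith('"'):        # unquote and undo quoted-pair escapes
            val = re.sub(r"\\(.)", r"\1", val[1:-1])
        challenges[-1][1][name] = val
    return challenges

def missing_realm(value):
    """Schemes whose challenge fails the 'realm is required' reading."""
    return [scheme for scheme, params in parse_challenges(value)
            if "realm" not in params]
```

On the sample value, `missing_realm(SAMPLE)` returns the two schemes that would be non-conforming under the interpretation raised in the issue: one with parameters but no realm, and one with no parameters at all.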