Multiple challenges in a single WWW-Authenticate header field from Eran Hammer-Lahav on 2009-12-04 (ietf-http-wg@w3.org from October to December 2009)

From: Eran Hammer-Lahav <eran@hueniverse.com>
Date: Thu, 3 Dec 2009 21:08:43 -0700
To: "HTTP Working Group (ietf-http-wg@w3.org)" <ietf-http-wg@w3.org>
Message-ID: <90C41DD21FB7C64BB94121FBBC2E7234378529352B@P3PW5EX1MB01.EX1.SECURESERVER.NET>

draft-ietf-httpbis-p7-auth defines the WWW-Authenticate as:

     WWW-Authenticate   = "WWW-Authenticate" ":" OWS WWW-Authenticate-v
     WWW-Authenticate-v = 1#challenge

Importing challenge from RFC 2617:

      challenge   = auth-scheme 1*SP 1#auth-param

Which means a single header can contain multiple comma-separated challenges:

WWW-Autenticate: Basic realm="X1", Digest realm="X1", domain="http://example.com", Basic realm="X2"

Is this right? It seems odd to rely parsing multiple challenges on the presence of a space between the auth-scheme and list of auth-param. I am not sure why multiple challenges are even allowed, but either way, they should be separated using something other than a comma.

EHL

Received on Friday, 4 December 2009 04:09:03 UTC