Re: Backwards definition of authentication header from Julian Reschke on 2009-12-04 (ietf-http-wg@w3.org from October to December 2009)

From: Julian Reschke <julian.reschke@gmx.de>
Date: Fri, 04 Dec 2009 16:59:01 +0100
To: Eran Hammer-Lahav <eran@hueniverse.com>
CC: "HTTP Working Group (ietf-http-wg@w3.org)" <ietf-http-wg@w3.org>
Message-ID: <4B1931C5.2010904@gmx.de>

Eran Hammer-Lahav wrote:
> (I'm in the process of writing a new HTTP authentication scheme per the OAuth WG charter. I will be sending questions and issues regarding RFC 2617 and draft-ietf-httpbis-p7-auth in the hopes that someone will both be able to clarify them as well as find this feedback useful.)

Feedback from somebody trying to define a new HTTP auth scheme it 
*totally* useful. Thanks for that in advance.

> Trying to follow the definition of the WWW-Authenticate and Authorization headers is like chasing one's own tail. The headers are defined in draft-ietf-httpbis-p7-auth but their content is defined using an imported definition from 2617, which in turn relies on the header definition in 2616. There isn't a single place where an implementer can read about the complete structure of these headers.

When you say "which in turn relies on the header definition in 2616", do 
you refer to more than "token" and "quoted-string"?

> Why not move the entire section 1 from 2617 into draft-ietf-httpbis-p7-auth?

I think I came to the conclusion a long time ago and thought that I 
opened a ticket for that; apparently I didn't. Yes, we need to make sure 
that Part 7 contains all but the actual authentication scheme definitions.

> It is also confusing that Basic auth does not comply with the syntax defined for 'credentials' (no key="value" pair, only base64 username and password). I am not suggesting changing Basic, but I am suggesting changing the definition of 'credentials' to better reflect reality or at lease note why basic is different (I assume for historical reasons).

I assume the reasons are historical.

It appears the ABNF was broken when RFC2068/9 was revised as RFC2616/7, 
see <http://tools.ietf.org/html/rfc2068#section-11> which has:

           credentials    = basic-credentials
                          | auth-scheme #auth-param

We probably should record an erratum for RFC 2617 for now.

> What is not clear to me is if the definition provided for 'credentials' is binding for new schemes, or if these schemes can go and redefine it as they see if.

Is there anything *except* for the broken ABNF with respect to Basic 
that makes you think the definition isn't binding?

Best regards, Julian

Received on Friday, 4 December 2009 15:59:42 UTC