- From: Eran Hammer-Lahav <eran@hueniverse.com>
- Date: Wed, 9 Dec 2009 10:08:23 -0700
- To: Julian Reschke <julian.reschke@gmx.de>
- CC: "HTTP Working Group (ietf-http-wg@w3.org)" <ietf-http-wg@w3.org>
> -----Original Message-----
> From: Julian Reschke [mailto:julian.reschke@gmx.de]
> Sent: Tuesday, December 08, 2009 6:46 AM
> To: Eran Hammer-Lahav
> Cc: HTTP Working Group (ietf-http-wg@w3.org)
> Subject: Proposed RFC 2617 erratum, Re: Backwards definition of authentication header
>
> OK,
>
> so let's report an erratum against RFC 2617 to get this on the record:
>
> -- snip --
> Section 1.2, paragraph 4:
> OLD:
>
>   challenge = auth-scheme 1*SP 1#auth-param
>
> NEW:
>
>   credentials = basic-credentials | auth-scheme #auth-param

Don't you need the 1*SP in there?

EHL

> Note: for historic reasons, the "Basic" authentication scheme (see
> Section 2) uses a different format, thus the special case in the
> ABNF.
>
> -- snip --
>
> Best regards, Julian
>
>
> Julian Reschke wrote:
> > Julian Reschke wrote:
> >> ...
> >> I assume the reasons are historical.
> >>
> >> It appears the ABNF was broken when RFC2068/9 was revised as
> >> RFC2616/7, see <http://tools.ietf.org/html/rfc2068#section-11> which has:
> >>
> >>   credentials = basic-credentials
> >>               | auth-scheme #auth-param
> >>
> >> We probably should record an erratum for RFC 2617 for now.
> >> ...
> >
> > I just checked the history of RFC 2617, and the change happened
> > between draft 01 and draft 02
> > (<http://tools.ietf.org/rfcdiff?url2=draft-ietf-http-authentication-02.txt>),
> > when
> >
> > -- draft 01 --
> > A user agent that wishes to authenticate itself with an origin
> > server-- usually, but not necessarily, after receiving a 401
> > (Unauthorized)--MAY do so by including an Authorization header field
> > with the request. A client that wishes to authenticate itself with a
> > proxy--usually, but not necessarily, after receiving a 407 (Proxy
> > Authentication Required)--MAY do so by including a Proxy-Authorization
> > header field with the request.
> >
> > Both the Authorization field value and the Proxy-Authorization field
> > value consist of credentials containing the authentication information
> > of the client for the realm of the resource being requested.
> >
> >   credentials = basic-credentials | auth-scheme #auth-param
> > -- draft 01 --
> >
> > was replaced by
> >
> > -- draft 02 --
> > A user agent that wishes to authenticate itself with an origin
> > server--
> >
> > usually, but not necessarily, after receiving a 401
> > (Unauthorized)--MAY do so by including an Authorization header field
> > with the request. A client that wishes to authenticate itself with a
> > proxy--usually, but not necessarily, after receiving a 407 (Proxy
> > Authentication Required)--MAY do so by including a Proxy-Authorization
> > header field with the request.
> >
> > Both the Authorization field value and the Proxy-Authorization field
> > value consist of credentials containing the authentication information
> > of the client for the realm of the resource being requested. The user
> > agent MUST choose to use one of the challenges with the strongest
> > auth-scheme it understands and request credentials from the user
> > based upon that challenge.
> >
> >   credentials = auth-scheme #auth-param
> >
> > Note that many browsers will only recognize Basic and will require
> > that it be the first auth-scheme presented. Servers should only
> > include Basic if it is minimally acceptable.
> > -- draft 02 --
> >
> > So the intention may have been to replace the special case in the ABNF
> > by prose, but, as far as I can tell, that was the wrong thing to do here.
> >
> > Best regards, Julian
Received on Wednesday, 9 December 2009 17:10:46 UTC
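The credentials production debated in this thread, as an added example that is not code from the thread or from any RFC: a strict Python parser for the erratum's grammar with the 1*SP that EHL asks about, treating basic-credentials as the separate case the erratum keeps. Assumed (not stated in the thread): auth-param names are compared case-insensitively, and a repeated name is rejected rather than silently overwritten.

```python
import base64
import re

# Constructed parser (not from the thread or any RFC) for "credentials" as this
# erratum would read with the 1*SP EHL asks about:
#   credentials = basic-credentials | auth-scheme 1*SP #auth-param
#   auth-param  = token "=" ( token | quoted-string )
TOKEN = r"[!#$%&'*+\-.^_`|~0-9A-Za-z]+"        # RFC 2616 token characters
QUOTED_STRING = r'"(?:[^"\\]|\\.)*"'
AUTH_PARAM = re.compile(rf"({TOKEN})=({TOKEN}|{QUOTED_STRING})")
LIST_SEP = re.compile(r"[ \t]*,[ \t]*")         # "," with optional LWS (#rule)
BASIC_COOKIE = re.compile(r"[A-Za-z0-9+/]+=*")  # base64 of userid:password

def parse_auth_params(rest):
    """Parse a #auth-param list into a dict; reject junk and duplicate names."""
    params, pos = {}, 0
    while pos < len(rest):
        m = AUTH_PARAM.match(rest, pos)
        if not m:
            raise ValueError(f"bad auth-param at offset {pos}: {rest[pos:]!r}")
        name, val = m.group(1).lower(), m.group(2)
        if val.startswith('"'):                 # strip quotes, undo quoted-pair
            val = re.sub(r"\\(.)", r"\1", val[1:-1])
        if name in params:
            raise ValueError(f"duplicate auth-param {name!r}")
        params[name] = val
        pos = m.end()
        sep = LIST_SEP.match(rest, pos)
        if sep:
            pos = sep.end()
        elif pos != len(rest):
            raise ValueError(f"expected ',' at offset {pos}")
    return params

def parse_credentials(value):
    """Return (scheme, params) for an Authorization field value, or raise."""
    # The 1*SP keeps the scheme token from running into the first param name.
    m = re.fullmatch(rf"({TOKEN}) +(.*)", value, flags=re.DOTALL)
    if not m:
        raise ValueError("expected auth-scheme, 1*SP, then the credentials")
    scheme, rest = m.group(1).lower(), m.group(2)
    if scheme == "basic":
        # basic-credentials = "Basic" SP basic-cookie: a bare base64 blob, not a list
        if not BASIC_COOKIE.fullmatch(rest):
            raise ValueError("basic-cookie is not base64")
        userid, sep, password = base64.b64decode(rest, validate=True).decode("latin-1").partition(":")
        if not sep:
            raise ValueError("basic-cookie does not decode to userid:password")
        return scheme, {"userid": userid, "password": password}
    return scheme, parse_auth_params(rest)
```

The Basic input below is the RFC 2617 section 2 example; the Digest values are constructed.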