- From: Manger, James H <James.H.Manger@team.telstra.com>
- Date: Sat, 12 Dec 2009 12:04:57 +1100
- To: Julian Reschke <julian.reschke@gmx.de>, Eran Hammer-Lahav <eran@hueniverse.com>
- CC: "HTTP Working Group (ietf-http-wg@w3.org)" <ietf-http-wg@w3.org>
> Reported as <http://www.rfc-editor.org/errata_search.php?eid=1959>
>
> credentials = basic-credentials | auth-scheme SP #auth-param
This looks wrong.
Basic includes the scheme.
The example in the spec is:
Authorization: Basic QWxhZGRpbjpvcGVuIHNlc2FtZQ==
Perhaps it should be:
credentials = auth-scheme SP { basic-credentials | #auth-param }
[note: I am not proficient with ABNF]
NTLM and Negotiate also use a scheme followed by a base64-encoded blob, just like Basic.
The following example is from RFC 4559 "SPNEGO-based Kerberos and NTLM HTTP Auth in MS Windows" (which annoying looks like lower-case hex, though the text says it is base64):
Authorization: Negotiate a87421000492aa874209af8bc028
The ABNF may as well support the Basic/NTLM/Negotiate form regardless of scheme, instead of a special case for just Basic (either as an RFC 2617 errata or an httpbis item?).
I am not sure how to write the ABNF. Here is a wild guess:
credentials = auth-scheme SP { token | #auth-param }
--
James Manger
Received on Saturday, 12 December 2009 01:05:34 UTC