Re: Proposed RFC 2617 erratum, Re: Backwards definition of authentication header

Manger, James H wrote:
>> Reported as <http://www.rfc-editor.org/errata_search.php?eid=1959>
>>
>> credentials = basic-credentials | auth-scheme SP #auth-param
> 
> This looks wrong.
> Basic includes the scheme.
> The example in the spec is:
> 
>   Authorization: Basic QWxhZGRpbjpvcGVuIHNlc2FtZQ==

You are right. I copied over a bug that is also present in RFC 2068.

Also, I tried to replace the rule for credentials, although the one for 
challenge is broken (thanks, Paul).

> Perhaps it should be:
> 
>   credentials = auth-scheme SP { basic-credentials | #auth-param }
> 
> [note: I am not proficient with ABNF]

So, let's restart. What's broken in RFC 2617 is:

   credentials = auth-scheme #auth-param

because that ABNF does not allow basic credentials.

This one used to be in RFC 2068:

   credentials    = basic-credentials
                  | auth-scheme #auth-param

which special cases "Basic", but does so incorrectly (because 
basic-credentials doesn't contain the scheme name).

A fix for that (and *only* for that) would be:

   credentials = "Basic" basic-credentials
               | auth-scheme #auth-param

> NTLM and Negotiate also use a scheme followed by a base64-encoded blob, just like Basic.
> The following example is from RFC 4559 "SPNEGO-based Kerberos and NTLM HTTP Auth in MS Windows" (which annoyingly looks like lower-case hex, though the text says it is base64):
> 
>   Authorization: Negotiate a87421000492aa874209af8bc028
> 
> 
> The ABNF may as well support the Basic/NTLM/Negotiate form regardless of scheme, instead of a special case for just Basic (either as an RFC 2617 errata or an httpbis item?).
> 
> I am not sure how to write the ABNF. Here is a wild guess:
> 
>   credentials = auth-scheme SP { token | #auth-param }

That's an orthogonal issue for which we should open an httpbis tracker 
issue. For now let's concentrate on fixing the outright bug in RFC 2617 :-).

Best regards, Julian

Received on Saturday, 12 December 2009 11:06:50 UTC
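The difference between the two grammars discussed in this thread is easiest to see by running both against real headers. The following is an added example, not code from the thread or from any RFC, and not an implementation anyone in the discussion proposed: a small Python parser that applies the RFC 2617 rule `credentials = auth-scheme #auth-param` literally, and next to it the generalised rule from James's "wild guess", `auth-scheme SP ( token | #auth-param )`, with the bare blob written as the base64-style `token68` production that RFC 7235 later standardised for exactly this purpose. The regexes for `token` and `quoted-string` follow RFC 2616; the sample headers are constructed here (the Basic one is the RFC 2617 example, the Digest one is loosely modelled on the RFC 2617 Digest example).

```python
import base64
import re
from typing import Optional

# Lexical rules from RFC 2616/2617 as regexes.  A token excludes CTLs and the
# separators "()<>@,;:\\"/[]?={} plus SP/HT; note that '=' and ':' are separators,
# which is why a base64 blob cannot be parsed as an auth-param.
TOKEN = r"[!#$%&'*+\-.0-9A-Z^_`a-z|~]+"
QUOTED_STRING = r'"(?:[^"\\\r\n]|\\.)*"'
AUTH_PARAM = rf"{TOKEN}=(?:{TOKEN}|{QUOTED_STRING})"
# "#auth-param": a comma-separated list with optional whitespace around commas.
AUTH_PARAM_LIST = rf"{AUTH_PARAM}(?:\s*,\s*{AUTH_PARAM})*"
# A bare base64-style blob (the "token" in the guess quoted above; RFC 7235 later
# named it token68): safe characters with '=' padding allowed only at the end.
TOKEN68 = r"[A-Za-z0-9\-._~+/]+=*"

# Constructed sample headers.  BASIC is the example printed in RFC 2617;
# NEGOTIATE is the RFC 4559 example quoted in the thread; DIGEST is constructed
# loosely after the RFC 2617 Digest example.
BASIC = "Basic QWxhZGRpbjpvcGVuIHNlc2FtZQ=="
NEGOTIATE = "Negotiate a87421000492aa874209af8bc028"
DIGEST = ('Digest username="Mufasa", realm="testrealm@host.com", '
          'nonce="dcd98b7102dd2f0e8b11d0f600bfb0c093", uri="/dir/index.html", '
          'response="6629b69e8b7fa7e2d61b4f1e6f33f61b"')


def _split_params(s: str) -> dict:
    """Turn a matched #auth-param list into a dict, unescaping quoted-strings."""
    out = {}
    for m in re.finditer(rf"({TOKEN})=({TOKEN}|{QUOTED_STRING})", s):
        name, value = m.group(1), m.group(2)
        if value.startswith('"'):
            value = re.sub(r"\\(.)", r"\1", value[1:-1])
        out[name.lower()] = value
    return out


def parse_rfc2617(header: str) -> Optional[tuple]:
    """credentials = auth-scheme #auth-param, exactly as printed in RFC 2617.
    Returns (scheme, params), or None when the header does not match the rule."""
    m = re.fullmatch(rf"({TOKEN})(?:\s+({AUTH_PARAM_LIST}))?", header)
    if m is None:
        return None
    return m.group(1), _split_params(m.group(2) or "")


def parse_proposed(header: str) -> Optional[tuple]:
    """credentials = auth-scheme SP ( token68 | #auth-param ): the generalised
    form suggested in the thread.  Returns (scheme, blob, params); exactly one
    of blob / params is populated.  The param list is tried first so that a
    single "name=value" pair is not mistaken for a blob."""
    m = re.fullmatch(rf"({TOKEN})\s+(?:({AUTH_PARAM_LIST})|({TOKEN68}))", header)
    if m is None:
        return None
    scheme, params, blob = m.group(1), m.group(2), m.group(3)
    return scheme, blob, _split_params(params or "")


def decode_basic(header: str) -> Optional[tuple]:
    """For a Basic header accepted by the proposed rule, recover (user, password)."""
    parsed = parse_proposed(header)
    if parsed is None or parsed[0].lower() != "basic" or parsed[1] is None:
        return None
    user, _, password = base64.b64decode(parsed[1]).decode("utf-8").partition(":")
    return user, password


if __name__ == "__main__":
    for h in (BASIC, NEGOTIATE, DIGEST):
        print(f"{h[:28]:<30} rfc2617 accepts: {parse_rfc2617(h) is not None:<5} "
              f"proposed: {parse_proposed(h)}")
```

Run as-is, the RFC 2617 rule rejects both the Basic and the Negotiate header (the blob is neither a `token "=" value` pair nor a list of them), while the Digest header is the only one it accepts; the generalised rule accepts all three and returns the blob separately from the parameter dictionary, which is what a real server needs in order to hand Basic and Negotiate blobs to different code paths.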