ABNF for Authorization header not quite right

The ABNF in draft-ietf-httpbis-p7-auth-13 still doesn't match what the BASIC scheme needs (or NTLM or NEGOTIATE or BEARER etc).

Draft 13 says:
  credentials = auth-scheme ( token / quoted-string / #auth-param )

BASIC, however, effectively uses:
  credentials = auth-scheme base64

<base64> includes the characters '/' and '=' that are not in <token>.

I suggest changing the ABNF to the following:

  credentials = auth-scheme SP ( b64 / #auth-param )

  b64 = 1*( ALPHA / DIGIT / "-" / "." / "_" / "~" / "+" / "/" ) *"="

  <b64> includes the 66 unreserved URI characters plus a few others.
  It can hold a base64, base64url (URL and filename safe alphabet),
  base32, or base16 (hex) encoding, with or without padding, but
  excluding whitespace [RFC4648].

This accepts authentication schemes that transmit a base64 blob instead of name=value pairs (such as BASIC, NTLM, NEGOTIATE). It also accepts dot-separated base64url blobs, as proposed in new specs such as JSON Web Tokens.

I dropped <quoted-string> as I don't know where that came from. Perhaps it was added with <token> as they are often a pair. If there are no existing uses (and I don't know of any) it adds no value.

I added <SP> as I understand HTTPbis is making a global change to be explicit with whitespace.

This change would reopen ticket #195.

James Manger

Received on Friday, 1 April 2011 06:17:52 UTC
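
An added example, not part of the original message: a Python check of credential blobs against `<token>` and against the `<b64>` rule proposed above, showing which blobs each grammar accepts. The `Opaque` scheme name and all sample values are constructed for illustration, and the `#auth-param` branch is not covered.

```python
import base64
import re

# <token> characters (tchar) as defined for HTTP: no "/" and no "=".
TOKEN = re.compile(r"[!#$%&'*+\-.^_`|~0-9A-Za-z]+")
# <b64> as proposed in the message:
#   1*( ALPHA / DIGIT / "-" / "." / "_" / "~" / "+" / "/" ) *"="
B64 = re.compile(r"[A-Za-z0-9\-._~+/]+=*")


def classify(credentials):
    """Split 'auth-scheme SP blob'; return (scheme, fits_token, fits_b64)."""
    scheme, sep, blob = credentials.partition(" ")
    if not sep or not TOKEN.fullmatch(scheme):
        raise ValueError("expected: auth-scheme SP blob")
    return scheme, bool(TOKEN.fullmatch(blob)), bool(B64.fullmatch(blob))


def b64url(data):
    """Unpadded base64url, the form used for dot-separated segments."""
    return base64.urlsafe_b64encode(data).rstrip(b"=").decode("ascii")


# Constructed sample values (not captured from real traffic).
# "Opaque" is a hypothetical scheme name used only for this example.
SAMPLES = {
    "basic": "Basic " + base64.b64encode(b"Aladdin:open sesame").decode("ascii"),
    "slash": "Opaque " + base64.b64encode(b"\xfb\xff\xbf").decode("ascii"),
    "dotted": "Bearer " + ".".join(b64url(p) for p in (b"header", b"payload", b"sig")),
    "hex": "Opaque deadbeef",
    "inner_pad": "Opaque ab=cd",    # "=" is only allowed as trailing padding
    "space": "Opaque abc def",      # whitespace is excluded from <b64>
}

if __name__ == "__main__":
    for name, value in SAMPLES.items():
        scheme, fits_token, fits_b64 = classify(value)
        print(f"{name:10} {scheme:7} token={fits_token!s:5} b64={fits_b64!s:5} {value}")
```
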