
ABNF for Authorization header not quite right

From: Manger, James H <James.H.Manger@team.telstra.com>
Date: Fri, 1 Apr 2011 17:17:05 +1100
To: "ietf-http-wg@w3.org" <ietf-http-wg@w3.org>
Message-ID: <255B9BB34FB7D647A506DC292726F6E11281958BA8@WSMSG3153V.srv.dir.telstra.com>
The ABNF in draft-ietf-httpbis-p7-auth-13 still doesn't match what the BASIC scheme needs (or NTLM or NEGOTIATE or BEARER etc.).

Draft 13 says:
  credentials = auth-scheme ( token / quoted-string / #auth-param )

BASIC, however, effectively uses:
  credentials = auth-scheme base64

<base64> includes the characters '/' and '=', which are not in <token>.

I suggest changing the ABNF to the following:

  credentials = auth-scheme SP ( b64 / #auth-param )

  b64 = 1*( ALPHA / DIGIT / "-" / "." / "_" / "~" / "+" / "/" ) *"="

  <b64> includes the 66 unreserved URI characters plus a few others.
  It can hold a base64, base64url (URL and filename safe alphabet),
  base32, or base16 (hex) encoding, with or without padding, but
  excluding whitespace [RFC4648].

This accepts authentication schemes that transmit a base64 blob instead of name=value pairs (such as BASIC, NTLM, NEGOTIATE). It also accepts dot-separated base64url blobs, as proposed in new specs such as JSON Web Tokens.

I dropped <quoted-string> as I don't know where that came from. Perhaps it was added with <token> as they are often a pair. If there are no existing uses (and I don't know of any) it adds no value.

I added <SP> as I understand HTTPbis is making a global change to be explicit with whitespace.

This change would reopen ticket #195.

James Manger
Received on Friday, 1 April 2011 06:17:52 UTC
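As an added illustration (not part of James' message or of any HTTPbis draft), the following Python snippet implements the proposed `credentials = auth-scheme SP ( b64 / #auth-param )` rule and keeps the draft-13 `token` rule beside it, so the '/' and '=' gap that BASIC hits is visible on real input. The `tchar` set is assumed from HTTPbis, and the Digest and Bearer inputs are constructed.

```python
import base64
import re

# tchar as in HTTPbis (assumed here, not quoted in the message): "/" and "=" are absent.
TCHAR = r"[!#$%&'*+\-.^_`|~0-9A-Za-z]"
TOKEN_RE = re.compile(rf"{TCHAR}+")
# b64 exactly as proposed: unreserved chars plus "+" and "/", then optional "=" padding.
B64_RE = re.compile(r"[A-Za-z0-9\-._~+/]+=*")
# auth-param = token "=" ( token / quoted-string ); elements separated per the #rule.
AUTH_PARAM_RE = re.compile(rf'({TCHAR}+)=("(?:[^"\\]|\\.)*"|{TCHAR}+)')
LIST_SEP_RE = re.compile(r"[ \t]*,[ \t]*")


def is_token(s):
    """True if s is a draft-13 <token>; BASIC's base64 payload fails this."""
    return TOKEN_RE.fullmatch(s) is not None


def is_b64(s):
    """True if s matches the proposed <b64> rule."""
    return B64_RE.fullmatch(s) is not None


def parse_credentials(value):
    """Parse 'auth-scheme SP ( b64 / #auth-param )'.

    Returns (scheme, payload): payload is the b64 string, or a dict of
    auth-params with values left as written (quoted-strings keep their quotes).
    """
    scheme, sep, rest = value.partition(" ")
    if not sep or not is_token(scheme):
        raise ValueError("expected: auth-scheme SP ...")
    if is_b64(rest):
        return scheme, rest
    params, pos = {}, 0
    while pos < len(rest):
        m = AUTH_PARAM_RE.match(rest, pos)
        if not m:
            raise ValueError(f"bad auth-param at offset {pos}: {rest[pos:]!r}")
        params[m.group(1).lower()] = m.group(2)
        pos = m.end()
        if pos < len(rest):
            comma = LIST_SEP_RE.match(rest, pos)
            if not comma:
                raise ValueError(f"expected ',' at offset {pos}")
            pos = comma.end()
    return scheme, params


# Constructed inputs: the classic BASIC example, a dot-separated blob, and a Digest line.
BASIC = "Basic " + base64.b64encode(b"Aladdin:open sesame").decode()
BEARER = "Bearer hdr.payload.sig"
DIGEST = 'Digest realm="example", nonce=abc123'
```

Under the draft-13 rule `is_token(BASIC.split(" ", 1)[1])` is false because of the trailing "==" padding, while `parse_credentials(BASIC)` accepts it under the proposed `b64` alternative.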
