Realm requirements (issue 177)

I have an issue with the prose and requirements regarding the realm parameter.


It is not clear at all what this means: "The realm directive (case-insensitive) is required for all authentication schemes that issue a challenge." 

It sounds like not all authentication schemes issue a challenge, but does that mean they use the WWW-Authenticate header for something else (like sending an error code), or is any use of the WWW-Authenticate header considered a challenge, but not all schemes use both auth headers?


Regardless of what the resolution of the prose is, the realm parameter should not be required for any new scheme. During work on OAuth as well as the MAC authentication scheme protocols, many people expressed objection to including the realm parameter. The main problem is that it is not applicable when using new authentication schemes that rely on a distributed issuance of credentials.

In OAuth, the realm concept is undefined, but in practice (if it is ever standardized) it is a combination of the credential issuer (an absolute HTTPS URI of the token endpoint), composite scope, and some definition of resource grouping (domain, etc.). The realm parameter cannot express this without defining an internal syntax, and such a syntax is not likely to match the current rules defined in 2617 for using realm.

One of the main sources of confusion for OAuth 1.0 was what to put in the realm, and how to use it. Because OAuth has a different notion of realm, no one uses that field; they just stick something random in there for no good reason.

Realm was specifically designed for use with Basic and Digest and with a browser and human present. It just doesn't scale to new schemes and there is just no justification in defining it as required.

The realm parameter should be defined as a scheme-specific parameter for Basic and Digest and removed from the general framework.


Received on Wednesday, 6 April 2011 23:53:28 UTC
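Added example, not part of the message above and not httpbis or OAuth working-group code: a small parser for a single WWW-Authenticate challenge in the RFC 2617 auth-scheme / auth-param form (token or quoted-string values, case-insensitive parameter names), plus the draft framework rule "every challenge carries a realm" expressed as a check. The Basic and Digest challenges are the examples from RFC 2617; the two OAuth-style challenges are constructed for this illustration and do not quote any particular OAuth draft. It assumes one challenge per header value. Running it shows the point the message makes: the parser is happy with a challenge that has no realm at all, and when issuer, scope and domain are forced into realm the parser can only hand the whole thing back as one opaque string, because 2617 gives realm no internal structure.

```python
"""Parse one RFC 2617-style WWW-Authenticate challenge and apply the rule
"realm is required for every challenge".  Added example; not code from the
original post, from httpbis, or from any OAuth draft.  Assumes a single
challenge per header value (multiple comma-separated challenges are not
handled)."""
import re

# token per RFC 2616 section 2.2: any CHAR except CTLs or separators.
_TOKEN = r"[!#$%&'*+\-.^_`|~0-9A-Za-z]+"
# auth-param = token "=" ( token | quoted-string ), comma-separated.
_PARAM = re.compile(
    r"\s*(?P<name>" + _TOKEN + r")\s*=\s*"
    r'(?:"(?P<quoted>(?:[^"\\]|\\.)*)"|(?P<token>' + _TOKEN + r"))"
    r"\s*(?:,|$)"
)
_SCHEME = re.compile(r"\s*(?P<scheme>" + _TOKEN + r")(?:\s+|$)")


def parse_challenge(value):
    """Return (scheme, {param: value}) for one challenge, or raise ValueError.

    Quoted-string values are unescaped (backslash-x becomes x); parameter
    names are case-insensitive, so they are lower-cased.  The realm value is
    returned as an opaque string: RFC 2617 gives it no internal structure.
    """
    m = _SCHEME.match(value)
    if not m:
        raise ValueError("missing auth-scheme")
    scheme = m.group("scheme")
    params = {}
    pos = m.end()
    while pos < len(value):
        pm = _PARAM.match(value, pos)
        if not pm:
            raise ValueError("malformed auth-param at %r" % value[pos:])
        name = pm.group("name").lower()
        if pm.group("quoted") is not None:
            val = re.sub(r"\\(.)", r"\1", pm.group("quoted"))
        else:
            val = pm.group("token")
        if name in params:
            raise ValueError("duplicate auth-param %r" % name)
        params[name] = val
        pos = pm.end()
    return scheme, params


def challenge_has_realm(value):
    """The draft framework rule as a check: does this challenge carry realm?"""
    _, params = parse_challenge(value)
    return "realm" in params


def is_well_formed(value):
    """True if the value parses as a single RFC 2617-style challenge."""
    try:
        parse_challenge(value)
        return True
    except ValueError:
        return False


# Constructed sample challenges.  The Basic and Digest ones follow the
# examples in RFC 2617; the two OAuth-style ones are made up for this
# example and do not quote any particular OAuth draft.
SAMPLE_CHALLENGES = [
    'Basic realm="WallyWorld"',
    'Digest realm="testrealm@host.com", qop="auth,auth-int", '
    'nonce="dcd98b7102dd2f0e8b11d0f600bfb0c093", '
    'opaque="5ccc069c403ebaf9f0171e9517f40e41"',
    # Distributed-issuance style: no realm; the useful data is elsewhere.
    'OAuth scope="read write", error="invalid_token"',
    # Realm forced in by stuffing issuer, scope and domain into one string.
    'OAuth realm="https://as.example.com/token read write example.com"',
]


def report(challenges=SAMPLE_CHALLENGES):
    """Map each challenge to (scheme, has_realm, realm value or None)."""
    out = []
    for c in challenges:
        scheme, params = parse_challenge(c)
        out.append((scheme, "realm" in params, params.get("realm")))
    return out


if __name__ == "__main__":
    for scheme, has_realm, realm in report():
        print("%-7s realm present: %-5s value: %r" % (scheme, has_realm, realm))
```

The third sample is exactly the case the message objects to: it is a well-formed challenge that a client can act on, and the only thing the "realm required" rule adds is a reason to fill the field with something meaningless. The fourth shows the other escape hatch, a realm whose structure exists only by convention between issuer and client and is invisible to any 2617 parser.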