#195, was: ABNF for Authorization header not quite right

On 2011-04-01 08:17, Manger, James H wrote:
> The ABNF in draft-ietf-httpbis-p7-auth-13 still doesn't match what the BASIC scheme needs (or NTLM or NEGOTIATE or BEARER etc).
>
> Draft 13 says:
>    credentials = auth-scheme ( token / quoted-string / #auth-param )
>
> BASIC, however, effectively uses:
>    credentials = auth-scheme base64
>
> <base64>  includes the characters '/' and '=' that are not in<token>
> [draft-ietf-httpbis-p1-messaging-13#section-1.2.2]

Good catch. Could be fixed by relaxing "token" as well, but I'm not sure 
that we want to go there...

> I suggest changing the ABNF to the following:
>
>    credentials = auth-scheme SP ( b64 / #auth-param )
>
>    b64 = 1*( ALPHA / DIGIT / "-" / "." / "_" / "~" / "+" / "/" ) *"="
>
>    <b64>  includes the 66 unreserved URI characters plus a few others.
>    It can hold a base64, base64url (URL and filename safe alphabet),
>    base32, or base16 (hex) encoding, with or without padding, but
>    excluding whitespace [RFC4648].
>
>
> This accepts authentication schemes that transmit a base64 blob instead of name=value pairs (such as BASIC, NTLM, NEGOTIATE). It also accepts dot-separated base64url blobs, as proposed in new specs such as JSON Web Tokens.
>
> I dropped<quoted-string>  as I don't know where that came from. Perhaps it was added with<token>  as they are often a pair. If there are no existing uses (and I don't know of any) it adds no value.

Indeed.

Maybe we need

   credentials = auth-scheme SP #( b64 / auth-param )

though? As far as I can tell, RFC 4559 uses that.

Also: RFC 4559 seems to need this for the challenge as well...

> I added<SP>  as I understand HTTPbis is making a global change to be explicit with whitespace.

Oops; separate bug. Now #309.

> This change would reopen ticket #195.

It has; sorry for not processing it faster.

Best regards, Julian

Received on Wednesday, 27 July 2011 17:58:52 UTC