Re: #195, was: ABNF for Authorization header not quite right from Julian Reschke on 2011-07-28 (ietf-http-wg@w3.org from July to September 2011)

From: Julian Reschke <julian.reschke@gmx.de>
Date: Thu, 28 Jul 2011 18:35:49 +0200
To: "Manger, James H" <James.H.Manger@team.telstra.com>
CC: "ietf-http-wg@w3.org" <ietf-http-wg@w3.org>
Message-ID: <4E318FE5.4010005@gmx.de>

On 2011-07-28 17:06, Julian Reschke wrote:
> On 2011-07-28 02:45, Manger, James H wrote:
>>>> I suggest changing the ABNF to the following:
>>>>
>>>> credentials = auth-scheme SP ( b64 / #auth-param )
>>>>
>>>> b64 = 1*( ALPHA / DIGIT / "-" / "." / "_" / "~" / "+" / "/" ) *"="
>>>>
>>>> <b64> includes the 66 unreserved URI characters plus a few others.
>>>> It can hold a base64, base64url (URL and filename safe alphabet),
>>>> base32, or base16 (hex) encoding, with or without padding, but
>>>> excluding whitespace [RFC4648].
>>>>
>>>>
>>>> This accepts authentication schemes that transmit a base64 blob
>>>> instead of name=value pairs (such as BASIC, NTLM, NEGOTIATE). It
>>>> also accepts dot-separated base64url blobs, as proposed in new specs
>>>> such as JSON Web Tokens.
>>>>
>>>> I dropped<quoted-string> as I don't know where that came from.
>>>> Perhaps it was added with<token> as they are often a pair. If there
>>>> are no existing uses (and I don't know of any) it adds no value.
>>
>>> Indeed.
>>>
>>> Maybe we need
>>>
>>> credentials = auth-scheme SP #( b64 / auth-param )
>>
>> I doubt we need that. I have never seen a NTLM or Negotiate scheme
>> header with more than 1 base64 blob.
>
> Ack.
>
>>> though? As far as I can tell, RFC 4559 uses that.
>>>
>>> Also: RFC 4559 seems to need this for the challenge as well...
>>
>>
>> RFC 4559 "SPEGNO/NTLM/Negotiate" might specify that, but I don't think
>> it can work as it makes parsing ambiguous. For instance, does the
>> following response header include 1 scheme with 4 parameters, or 2 or
>> 3 schemes? Is "tuv" another authentication scheme supported by this
>> server, or a parameter of the "ABC" scheme?
>> WWW-Authenticate: ABC xyz, a=1, qrs, tuv
>
> The ABNF says:
>
> challenge = auth-scheme 1*SP 1#auth-param
>
> so there needs to be at least one auth-param, separated by one or more SPs.
>
> That being said, we may have to rethink the use of the list production
> here.
>
> Keep in mind that 1#auth-param allosws
>
> scheme auth-param
>
> but also
>
> scheme ,auth-param
>
> because of the specific rules for empty list elements.
> ...

Added test cases at

   http://greenbytes.de/tech/tc/httpauth/#simplebasiccomma

and

   http://greenbytes.de/tech/tc/httpauth/#simplebasiccomma2

Surprisingly, most UAs (exception: Safari) get this right.

That being said, I think we should disallow leading empty list elements 
in prose, or rewrite the ABNF not to use #.

Feedback appreciated,

Julian

Received on Thursday, 28 July 2011 16:36:21 UTC