- From: Julian Reschke <julian.reschke@gmx.de>
- Date: Fri, 28 Oct 2011 19:15:29 +0200
- To: HTTP Working Group <ietf-http-wg@w3.org>
On 2011-10-27 22:03, Julian Reschke wrote:
> (copied from new ticket, triggered from current discussion over in the
> oauth WG:)
>
> When new schemes define new auth parameters, they of course need to
> stick to the base syntax.
>
> In theory they *can* profile the allowable syntax, but doing so will not
> work well with consumers that use auth-scheme-agnostic parsers. It's
> thus best to define auth params based on what a parser would return
> *after* processing quoted-strings.

Proposed change: <http://trac.tools.ietf.org/wg/httpbis/trac/attachment/ticket/320/320.diff>

This adds in "Considerations for New Authentication Schemes":

  o The parsing of challenges and credentials is defined by this
    specification, and cannot be modified by new authentication
    schemes. When the auth-param syntax is used, all parameters ought
    to support both token and quoted-string syntax, and syntactical
    constraints ought to be defined on the field value after parsing
    (i.e., quoted-string processing). This is necessary so that
    recipients can use a generic parser that applies to all
    authentication schemes.

    Note: the fact that "realm" only allows quoted-string syntax was a
    bad design choice not to be repeated in new schemes.

and also adds an example for WWW-Authenticate with multiple challenges:

  For instance:

    WWW-Authenticate: Newauth realm="apps", type=1, title="Login to \"apps\"", Basic realm="simple"

  This header field contains two challenges; one for the "Newauth"
  scheme with a realm value of "apps", and two additional parameters
  "type" and "title", and another one for the "Basic" scheme with a
  realm value of "simple".

Feedback appreciated,
Julian
Received on Friday, 28 October 2011 17:16:09 UTC
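
An added example, not part of the original message or of the httpbis draft: a small scheme-agnostic parser in Python for the auth-param form of WWW-Authenticate, which returns parameter values after quoted-string processing, so `realm=apps` and `realm="apps"` look identical to scheme-specific code. The function names are assumptions made for this sketch, and the token68 form is not handled.

```python
import re

TOKEN = r"[!#$%&'*+\-.^_`|~0-9A-Za-z]+"
QUOTED = r'"(?:[^"\\]|\\.)*"'
# One comma-separated list element; commas inside quoted-strings do not split.
ELEMENT = re.compile(rf'((?:{QUOTED}|[^",])*)(?:,|\Z)')
PARAM = re.compile(rf'({TOKEN})[ \t]*=[ \t]*({TOKEN}|{QUOTED})')
SCHEME = re.compile(rf'({TOKEN})(?:[ \t]+(.+))?')

def unquote(value):
    """Return the value a generic parser hands to scheme-specific code."""
    if value.startswith('"'):
        return re.sub(r'\\(.)', r'\1', value[1:-1])  # undo quoted-pair escapes
    return value

def parse_challenges(header_value):
    """Parse a WWW-Authenticate field value into [(scheme, {param: value})]."""
    challenges, pos = [], 0
    while pos < len(header_value):
        m = ELEMENT.match(header_value, pos)
        if m is None:  # e.g. an unterminated quoted-string
            raise ValueError(f"malformed list element at offset {pos}")
        pos, item = m.end(), m.group(1).strip(" \t")
        if not item:
            continue  # empty list elements are permitted
        param = PARAM.fullmatch(item)
        if param is None:  # not name=value, so a new challenge starts here
            start = SCHEME.fullmatch(item)
            if start is None:
                raise ValueError(f"unparseable element: {item!r}")
            challenges.append((start.group(1), {}))
            if start.group(2) is None:
                continue  # bare scheme with no parameters
            param = PARAM.fullmatch(start.group(2).strip(" \t"))
            if param is None:  # token68 and anything else is rejected
                raise ValueError(f"expected auth-param: {start.group(2)!r}")
        elif not challenges:
            raise ValueError("auth-param before any auth-scheme")
        name = param.group(1).lower()  # parameter names are case-insensitive
        params = challenges[-1][1]
        if name in params:
            raise ValueError(f"duplicate parameter: {name}")
        params[name] = unquote(param.group(2))
    return challenges

# The field value from the message above.
EXAMPLE = r'Newauth realm="apps", type=1, title="Login to \"apps\"", Basic realm="simple"'
```

Scheme-specific validation (for instance, that `type` is an integer) then runs on the returned strings, which is the "constraints after parsing" rule the proposed text asks for.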