Re: #320: add advice on defining auth scheme parameters

On 2011-10-27 22:03, Julian Reschke wrote:
> (copied from new ticket, triggered from current discussion over in the
> oauth WG:)
>
> When new schemes define new auth parameters, they of course need to
> stick to the base syntax.
>
> In theory they *can* profile the allowable syntax, but doing so will not
> work well with consumers that use auth-scheme-agnostic parsers. It's
> thus best to define auth params based on what a parser would return
> *after* processing quoted-strings.

Proposed change: 
<http://trac.tools.ietf.org/wg/httpbis/trac/attachment/ticket/320/320.diff>

This adds in "Considerations for New Authentication Schemes":

    o  The parsing of challenges and credentials is defined by this
       specification, and cannot be modified by new authentication
       schemes.  When the auth-param syntax is used, all parameters ought
       to support both token and quoted-string syntax, and syntactical
       constraints ought to be defined on the field value after parsing
       (i.e., quoted-string processing).  This is necessary so that
       recipients can use a generic parser that applies to all
       authentication schemes.

       Note: the fact that "realm" only allows quoted-string syntax was a
       bad design choice not to be repeated in new schemes.

and also adds an example for WWW-Authenticate with multiple challenges:

    For instance:

      WWW-Authenticate: Newauth realm="apps", type=1,
                        title="Login to \"apps\"", Basic realm="simple"

    This header field contains two challenges; one for the "Newauth"
    scheme with a realm value of "apps", and two additional parameters
    "type" and "title", and another one for the "Basic" scheme with a
    realm value of "simple".

Feedback appreciated,

Julian

Received on Friday, 28 October 2011 17:16:09 UTC