- From: Julian Reschke <julian.reschke@gmx.de>
- Date: Fri, 28 Oct 2011 19:15:29 +0200
- To: HTTP Working Group <ietf-http-wg@w3.org>
On 2011-10-27 22:03, Julian Reschke wrote:
> (copied from new ticket, triggered from current discussion over in the
> oauth WG:)
>
> When new schemes define new auth parameters, they of course need to
> stick to the base syntax.
>
> In theory they *can* profile the allowable syntax, but doing so will not
> work well with consumers that use auth-scheme-agnostic parsers. It's
> thus best to define auth params based on what a parser would return
> *after* processing quoted-strings.
Proposed change:
<http://trac.tools.ietf.org/wg/httpbis/trac/attachment/ticket/320/320.diff>
This adds in "Considerations for New Authentication Schemes":
o The parsing of challenges and credentials is defined by this
specification, and cannot be modified by new authentication
schemes. When the auth-param syntax is used, all parameters ought
to support both token and quoted-string syntax, and syntactical
constraints ought to be defined on the field value after parsing
(i.e., quoted-string processing). This is necessary so that
recipients can use a generic parser that applies to all
authentication schemes.
Note: the fact that "realm" only allows quoted-string syntax was a
bad design choice not to be repeated in new schemes.
and also adds an example for WWW-Authenticate with multiple challenges:
For instance:
WWW-Authenticate: Newauth realm="apps", type=1,
title="Login to \"apps\"", Basic realm="simple"
This header field contains two challenges; one for the "Newauth"
scheme with a realm value of "apps", and two additional parameters
"type" and "title", and another one for the "Basic" scheme with a
realm value of "simple".
Feedback appreciated,
Julian
Received on Friday, 28 October 2011 17:16:09 UTC