Re: #320: add advice on defining auth scheme parameters from Mark Nottingham on 2011-10-29 (ietf-http-wg@w3.org from October to December 2011)

From: Mark Nottingham <mnot@mnot.net>
Date: Sat, 29 Oct 2011 22:23:06 +1100
To: Julian Reschke <julian.reschke@gmx.de>
Cc: HTTP Working Group <ietf-http-wg@w3.org>
Message-Id: <10768007-3F3D-4A2C-9864-9C1F7E8ACE46@mnot.net>

I'm +1 on this. Normally we shouldn't have to go to this level of detail, but the syntax here is very brittle, so it's worth doing.

Any objections?

Regards,


On 29/10/2011, at 4:15 AM, Julian Reschke wrote:

> On 2011-10-27 22:03, Julian Reschke wrote:
>> (copied from new ticket, triggered from current discussion over in the
>> oauth WG:)
>> 
>> When new schemes define new auth parameters, they of course need to
>> stick to the base syntax.
>> 
>> In theory they *can* profile the allowable syntax, but doing so will not
>> work well with consumers that use auth-scheme-agnostic parsers. It's
>> thus best to define auth params based on what a parser would return
>> *after* processing quoted-strings.
> 
> Proposed change: <http://trac.tools.ietf.org/wg/httpbis/trac/attachment/ticket/320/320.diff>
> 
> This adds in "Considerations for New Authentication Schemes":
> 
>   o  The parsing of challenges and credentials is defined by this
>      specification, and cannot be modified by new authentication
>      schemes.  When the auth-param syntax is used, all parameters ought
>      to support both token and quoted-string syntax, and syntactical
>      constraints ought to be defined on the field value after parsing
>      (i.e., quoted-string processing).  This is necessary so that
>      recipients can use a generic parser that applies to all
>      authentication schemes.
> 
>      Note: the fact that "realm" only allows quoted-string syntax was a
>      bad design choice not to be repeated in new schemes.
> 
> and also adds an example for WWW-Authenticate with multiple challenges:
> 
>   For instance:
> 
>     WWW-Authenticate: Newauth realm="apps", type=1,
>                       title="Login to \"apps\"", Basic realm="simple"
> 
>   This header field contains two challenges; one for the "Newauth"
>   scheme with a realm value of "apps", and two additional parameters
>   "type" and "title", and another one for the "Basic" scheme with a
>   realm value of "simple".
> 
> Feedback appreciated,
> 
> Julian
> 
> 

Mark Nottingham
http://www.mnot.net/

Received on Saturday, 29 October 2011 11:23:35 UTC