Re: #320: add advice on defining auth scheme parameters

On 2011-10-29 14:23, Willy Tarreau wrote:
> Hi Mark, Julian,
> On Sat, Oct 29, 2011 at 10:23:06PM +1100, Mark Nottingham wrote:
>> I'm +1 on this. Normally we shouldn't have to go to this level of detail, but the syntax here is very brittle, so it's worth doing.
>> Any objections?
> [disclaimer: I've not read the initial issue]
> In the following header from Julian's example :
>       WWW-Authenticate: Newauth realm="apps", type=1,
>                         title="Login to \"apps\"", Basic realm="simple"
> I'm seeing 4 independant comma-delimited values, which could also be
> expressed and individually processed like this with the same meaning :
>       WWW-Authenticate: Newauth realm="apps"
>       WWW-Authenticate: type=1
>       WWW-Authenticate: title="Login to \"apps\""
>       WWW-Authenticate: Basic realm="simple"

...except a recipient would allow to ignore the 2nd and the 3rd because, 
in isolation, they do not conform to the header ABNF.

> I'm not sure this is precisely what's desired since Julian suggested
> there were two challenges in this example (Newauth and Basic). Thus I
> would have written them that way with semi-colons to split the attributes :
>       WWW-Authenticate: Newauth realm="apps"; type=1;
>                         title="Login to \"apps\"", Basic realm="simple"
> which would then be equivalent to :
>       WWW-Authenticate: Newauth realm="apps"; type=1; title="Login to \"apps\""
>       WWW-Authenticate: Basic realm="simple"
> It would be nice to clarify this point since it can be confusing.


indeed. WWW-Authenticate is a big mess, because it uses the same 
delimiter *between* challenges and *inside* challenges. We can't change 
that, but we can warn.

The spec already says (and has been in 2617):

"User agents are advised to take special care in parsing the 
WWW-Authenticate field value as it might contain more than one 
challenge, or if more than one WWW-Authenticate header field is 
provided, the contents of a challenge itself can contain a 
comma-separated list of authentication parameters."

Best regards, Julian

Received on Saturday, 29 October 2011 12:38:48 UTC