Re: #320: add advice on defining auth scheme parameters

On 2011-10-29 14:23, Willy Tarreau wrote:
> Hi Mark, Julian,
>
> On Sat, Oct 29, 2011 at 10:23:06PM +1100, Mark Nottingham wrote:
>> I'm +1 on this. Normally we shouldn't have to go to this level of detail, but the syntax here is very brittle, so it's worth doing.
>>
>> Any objections?
>
> [disclaimer: I've not read the initial issue]
>
> In the following header from Julian's example :
>
>       WWW-Authenticate: Newauth realm="apps", type=1,
>                         title="Login to \"apps\"", Basic realm="simple"
>
> I'm seeing 4 independent comma-delimited values, which could also be
> expressed and individually processed like this with the same meaning :
>
>       WWW-Authenticate: Newauth realm="apps"
>       WWW-Authenticate: type=1
>       WWW-Authenticate: title="Login to \"apps\""
>       WWW-Authenticate: Basic realm="simple"

...except that a recipient would be allowed to ignore the 2nd and the 3rd 
because, in isolation, they do not conform to the header ABNF.

> I'm not sure this is precisely what's desired since Julian suggested
> there were two challenges in this example (Newauth and Basic). Thus I
> would have written them that way with semi-colons to split the attributes :
>
>       WWW-Authenticate: Newauth realm="apps"; type=1;
>                         title="Login to \"apps\"", Basic realm="simple"
>
> which would then be equivalent to :
>
>       WWW-Authenticate: Newauth realm="apps"; type=1; title="Login to \"apps\""
>       WWW-Authenticate: Basic realm="simple"
>
> It would be nice to clarify this point since it can be confusing.

Willy,

indeed. WWW-Authenticate is a big mess, because it uses the same 
delimiter *between* challenges and *inside* challenges. We can't change 
that, but we can warn.

The spec already says (and this was already in 2617):

"User agents are advised to take special care in parsing the 
WWW-Authenticate field value as it might contain more than one 
challenge, or if more than one WWW-Authenticate header field is 
provided, the contents of a challenge itself can contain a 
comma-separated list of authentication parameters."

Best regards, Julian

Received on Saturday, 29 October 2011 12:38:48 UTC
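The parsing hazard discussed in this thread, as an added example that is not part of the original message: a small parser for a WWW-Authenticate field value that honours quoted-strings (including the `\"` quoted-pairs in Julian's example) and applies the usual rule that a bare token not followed by `=` starts a new challenge, while `token=value` is a parameter of the challenge currently being read. It also shows what happens when a recipient processes the four split field lines from Willy's rewrite one at a time, and why the semicolon variant is rejected. The header strings are constructed from the thread; the function names are this example's own, and the `token68` form (a bare base64 blob after the scheme) is deliberately not handled.

```python
"""Parse WWW-Authenticate challenges (added example, not code from the thread).

Grammar used (RFC 7235 style, simplified; token68 is not supported here):
  challenges = #challenge
  challenge  = auth-scheme [ 1*SP #auth-param ]
  auth-param = token "=" ( token / quoted-string )
A bare token is an auth-scheme; "token =" introduces an auth-param.
"""
import re

# tchar per RFC 7230 section 3.2.6
TOKEN_RE = re.compile(r"[!#$%&'*+\-.^_`|~0-9A-Za-z]+")
# quoted-string: DQUOTE *( qdtext / quoted-pair ) DQUOTE
QUOTED_RE = re.compile(r'"(?:[^"\\]|\\.)*"')

# Constructed inputs, taken from the examples quoted in the thread.
HEADER = r'Newauth realm="apps", type=1, title="Login to \"apps\"", Basic realm="simple"'
FIELD_LINES = [
    r'Newauth realm="apps"',
    r'type=1',
    r'title="Login to \"apps\""',
    r'Basic realm="simple"',
]
SEMICOLON_VARIANT = r'Newauth realm="apps"; type=1; title="Login to \"apps\""'


def unquote(qs):
    """Strip the surrounding DQUOTEs and resolve quoted-pairs (\\x -> x)."""
    return re.sub(r"\\(.)", r"\1", qs[1:-1])


def tokenize(value):
    """Turn a field value into (kind, text) tokens; whitespace is dropped."""
    tokens, pos = [], 0
    while pos < len(value):
        ch = value[pos]
        if ch in " \t":
            pos += 1
        elif ch in ",=":
            tokens.append((ch, ch))
            pos += 1
        elif ch == '"':
            m = QUOTED_RE.match(value, pos)
            if not m:
                raise ValueError("unterminated quoted-string at %d" % pos)
            tokens.append(("quoted", unquote(m.group(0))))
            pos = m.end()
        else:
            m = TOKEN_RE.match(value, pos)
            if not m:
                # e.g. ';' is not a tchar, so the semicolon variant fails here
                raise ValueError("illegal character %r at %d" % (ch, pos))
            tokens.append(("token", m.group(0)))
            pos = m.end()
    return tokens


def parse_challenges(value):
    """Return [(scheme, {param: value}), ...] or raise ValueError."""
    tokens = tokenize(value)
    challenges = []
    i, n = 0, len(tokens)
    while i < n:
        kind, text = tokens[i]
        if kind == ",":  # empty list elements are tolerated by the #rule
            i += 1
            continue
        if kind != "token":
            raise ValueError("expected token, got %r" % (text,))
        if i + 1 < n and tokens[i + 1][0] == "=":
            # token "=" ( token / quoted-string ): an auth-param
            if not challenges:
                raise ValueError("auth-param %r before any auth-scheme" % text)
            if i + 2 >= n or tokens[i + 2][0] not in ("token", "quoted"):
                raise ValueError("missing value for %r" % text)
            challenges[-1][1][text.lower()] = tokens[i + 2][1]
            i += 3
            if i < n and tokens[i][0] != ",":
                raise ValueError("expected ',' after %r" % text)
        else:
            # a bare token starts a new challenge
            challenges.append((text, {}))
            i += 1
    return challenges


def is_valid(value):
    """True if the value parses as a list of challenges."""
    try:
        parse_challenges(value)
        return True
    except ValueError:
        return False


def parse_field_lines(lines):
    """Parse each field line on its own, as a recipient that does not first
    join repeated fields with ',' would; returns (accepted, rejected)."""
    accepted, rejected = [], []
    for line in lines:
        try:
            accepted.extend(parse_challenges(line))
        except ValueError as err:
            rejected.append((line, str(err)))
    return accepted, rejected


if __name__ == "__main__":
    print(parse_challenges(HEADER))
    print(parse_field_lines(FIELD_LINES))
    print(is_valid(SEMICOLON_VARIANT))
```

Run against the combined header, the parser recovers the two challenges Julian intended (Newauth with three parameters, Basic with one). Fed the four split lines one at a time, it accepts only the first and last: `type=1` and `title=...` are rejected because an auth-param appears before any auth-scheme, which is exactly why a recipient may ignore them in isolation. The semicolon variant fails in the tokenizer, since `;` is not a tchar.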