Re: #320: add advice on defining auth scheme parameters from Yutaka OIWA on 2011-10-29 (ietf-http-wg@w3.org from October to December 2011)

From: Yutaka OIWA <y.oiwa@aist.go.jp>
Date: Sat, 29 Oct 2011 13:54:21 +0000
To: Julian Reschke <julian.reschke@gmx.de>
Cc: HTTP Working Group <ietf-http-wg@w3.org>
Message-ID: <CAL8DUN8gSj6DBdGFJYB0Ducvo4C2EeuJFj1YpvnfGN0xrp7J7w@mail.gmail.com>

mostly +1 for requiring generic-parser-compatible syntaxes.

Could you explain what

     Note: the fact that "realm" only allows quoted-string syntax was a
     bad design choice not to be repeated in new schemes.

means?
I don't think it is a bad idea, as long as ["realm=" token] pattern is
not valid.  (because it is equivalent to use a generic parser first and
then to require quoted-string as a value.)

2011/10/28 Julian Reschke <julian.reschke@gmx.de>:
> On 2011-10-27 22:03, Julian Reschke wrote:
>>
>> (copied from new ticket, triggered from current discussion over in the
>> oauth WG:)
>>
>> When new schemes define new auth parameters, they of course need to
>> stick to the base syntax.
>>
>> In theory they *can* profile the allowable syntax, but doing so will not
>> work well with consumers that use auth-scheme-agnostic parsers. It's
>> thus best to define auth params based on what a parser would return
>> *after* processing quoted-strings.
>
> Proposed change:
> <http://trac.tools.ietf.org/wg/httpbis/trac/attachment/ticket/320/320.diff>
>
> This adds in "Considerations for New Authentication Schemes":
>
>   o  The parsing of challenges and credentials is defined by this
>      specification, and cannot be modified by new authentication
>      schemes.  When the auth-param syntax is used, all parameters ought
>      to support both token and quoted-string syntax, and syntactical
>      constraints ought to be defined on the field value after parsing
>      (i.e., quoted-string processing).  This is necessary so that
>      recipients can use a generic parser that applies to all
>      authentication schemes.
>
>      Note: the fact that "realm" only allows quoted-string syntax was a
>      bad design choice not to be repeated in new schemes.
>
> and also adds an example for WWW-Authenticate with multiple challenges:
>
>   For instance:
>
>     WWW-Authenticate: Newauth realm="apps", type=1,
>                       title="Login to \"apps\"", Basic realm="simple"
>
>   This header field contains two challenges; one for the "Newauth"
>   scheme with a realm value of "apps", and two additional parameters
>   "type" and "title", and another one for the "Basic" scheme with a
>   realm value of "simple".
>
> Feedback appreciated,
>
> Julian
>
>
>

Received on Saturday, 29 October 2011 13:55:00 UTC