- From: Amos Jeffries <squid3@treenet.co.nz>
- Date: Fri, 22 Mar 2013 03:27:14 +1300
- To: ietf-http-wg@w3.org

On 22/03/2013 12:42 a.m., Ken Murchison wrote:
> Julian Reschke wrote:
>> On 2013-03-20 01:46, Manger, James H wrote:
>>> Björn,
>>>
>>> '=' is only allowed at the end to ensure the syntax is unambiguous.
>>> A token68 value can only be distinguished from an auth-param
>>> (token = (token / quoted-string)) due to this restriction.
>>>
>>> Let's keep token68 as it is.
>>>
>>> --
>>> James Manger
>>> ...
>>
>> As far as I can tell, if a given scheme always uses token68 (such as
>> the Basic credentials), it's not necessary to be able to distinguish.
>>
>> We added token68 for "Basic". Basic only needs token68 for
>> credentials. Can somebody recall why we added it for challenges as well?
>
> It looks like Bearer is the scheme that screwed this up by using chars
> outside of the base64 alphabet.
>

Yes. Basic required base64 alphabet for response tokens. NTLM and Negotiate used that but required the tokens in both Request and Response. Bearer required extension characters to avoid base-64 encoding tokens that could come from weird systems like SAML and JSON with internal opaque format delimiters.

Amos

Received on Thursday, 21 March 2013 14:27:53 UTC
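
Added example, not part of the original message or of any participant's code: a small classifier showing why the trailing-only '=' rule keeps token68 and auth-param distinguishable. The grammar is taken from RFC 7235 section 2.1 and assumed to match the draft under discussion; `RELAXED68`, the simplified quoted-string pattern and the sample values are constructed for illustration.

```python
import re

# Grammar per RFC 7235 section 2.1 (assumed to match the draft under discussion).
TCHAR = r"[!#$%&'*+\-.^_`|~0-9A-Za-z]"
TOKEN = TCHAR + "+"
QUOTED = r'"(?:[^"\\]|\\.)*"'          # simplified quoted-string
AUTH_PARAM = rf"{TOKEN}[ \t]*=[ \t]*(?:{TOKEN}|{QUOTED})"
PARAM_LIST = re.compile(rf"{AUTH_PARAM}(?:[ \t]*,[ \t]*{AUTH_PARAM})*")

# token68 as specified: '=' only as trailing padding.
TOKEN68 = re.compile(r"[A-Za-z0-9\-._~+/]+=*")
# Hypothetical relaxed variant (not in any spec): '=' allowed after the first char.
RELAXED68 = re.compile(r"[A-Za-z0-9\-._~+/][A-Za-z0-9\-._~+/=]*")


def readings(rest, token68=TOKEN68):
    """Return every production that matches the text following the scheme name."""
    found = set()
    if token68.fullmatch(rest):
        found.add("token68")
    if PARAM_LIST.fullmatch(rest):
        found.add("auth-param")
    return found


def ambiguous(samples, token68=TOKEN68):
    """Return the samples a parser could read both ways."""
    return [s for s in samples if len(readings(s, token68)) > 1]


# Constructed sample values.
SAMPLES = [
    "QWxhZGRpbjpvcGVuIHNlc2FtZQ==",    # Basic-style base64 with padding
    "mF_9.B5f-4.1JqM",                 # Bearer-style token using '_', '.', '-'
    'realm="example"',
    "realm=example",
    "realm=example, charset=UTF-8",
]

if __name__ == "__main__":
    for label, pattern in (("spec", TOKEN68), ("relaxed", RELAXED68)):
        print(label, "ambiguous:", ambiguous(SAMPLES, pattern))
```
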