Ambiguous case in WWW-Authenticate grammar?

I’m working on improving the Challenge/Credential API of
OkHttp <https://github.com/square/okhttp> and I’ve stumbled across a
curious case in the grammar. Specifically in auth
section 2.1 (<https://tools.ietf.org/html/draft-ietf-httpbis-p7-auth-26#section-2.1>),
which says this:

   challenge   = auth-scheme [ 1*SP ( token68 / #auth-param ) ]
   auth-param  = token BWS "=" BWS ( token / quoted-string )
   token68     = 1*( ALPHA / DIGIT / "-" / "." / "_" / "~" / "+" / "/" ) *"="

Suppose I receive this response header:

WWW-Authenticate: Wink ABC=

Is ABC= a four character token68? Or is it a parameter named ABC whose
value is the empty string?

My current plan is to defer interpreting the header until the application
layer requests it. But that approach is not particularly satisfying.

Thanks!

Received on Monday, 21 April 2014 02:16:34 UTC
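
The two readings asked about above can be checked mechanically. The following is an added example, not part of the original message and not OkHttp code: a small Python classifier that tries both alternatives of the quoted ABNF on the text after the auth-scheme. It assumes `token = 1*tchar` from the HTTP/1.1 messaging spec, handles a single challenge with a simplified comma list, and `readings` with its `lenient` switch are hypothetical names.

```python
import re

# tchar per the HTTP/1.1 messaging spec (assumption: not quoted in the post).
TCHAR = r"[!#$%&'*+\-.^_`|~0-9A-Za-z]"
QUOTED = r'"(?:[^"\\]|\\.)*"'
TOKEN68 = r"[A-Za-z0-9\-._~+/]+=*"
SEP = re.compile(r"[ \t]*,[ \t]*")

def param_re(lenient):
    # Strict: token = 1*tchar, so an unquoted value cannot be empty.
    # Lenient: models a parser that tolerates an empty unquoted value.
    value = TCHAR + ("*" if lenient else "+")
    return re.compile(rf"({TCHAR}+)[ \t]*=[ \t]*({QUOTED}|{value})")

def parse_params(rest, lenient):
    """Return a dict if `rest` is a comma list of auth-params, else None."""
    pattern, params, pos = param_re(lenient), {}, 0
    while True:
        m = pattern.match(rest, pos)
        if not m:
            return None
        name, value = m.group(1).lower(), m.group(2)
        if value.startswith('"'):
            value = re.sub(r"\\(.)", r"\1", value[1:-1])  # undo quoted-pair
        params[name] = value
        pos = m.end()
        if pos == len(rest):
            return params
        sep = SEP.match(rest, pos)
        if not sep:
            return None
        pos = sep.end()

def readings(field_value, lenient=False):
    """List every way the text after the auth-scheme matches the grammar."""
    scheme, _, rest = field_value.partition(" ")
    rest = rest.strip(" ")
    found = []
    if re.fullmatch(TOKEN68, rest):
        found.append(("token68", rest))
    params = parse_params(rest, lenient)
    if params is not None:
        found.append(("auth-params", params))
    return scheme, found

if __name__ == "__main__":
    for sample in ("Wink ABC=", 'Wink ABC=""', "Wink ABC=DEF"):  # constructed
        print(sample, readings(sample), readings(sample, lenient=True))
```

With the strict rules `Wink ABC=` has one reading; the second reading appears only when the parser tolerates an empty unquoted value, which is where two implementations can disagree about the same header.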