Re: Adding user@ to HTTP[S] URIs

Hey,

> I'm not suggesting that curl's way of treating this information is the
> golden standard or anything neither for URI parsing nor HTTP headers.

It is a bit specific to Curl, I suppose; as a cmdline tool it tries very hard to not need interaction, and so a choice has been made to silently add the colon after a user name and construct Basic authentication.

Still, I'm happy that the presence of a colon seems to make all the difference in what I expect to be the practical use-case -- supplying a password for resource access.

> I'm just providing datapoints showing this is a tough change. (curl
> has supported this URI style since 2003)

Yes, this is tough; I've been pounding at an identity architecture for 4-5 years, and surprisingly, HTTP is the most difficult protocol to deal with, its semantics being relatively light (compared to LDAP, say) and having collected so much history of assumed extensions to those semantics.  In comparison, SASL, TLS and even Kerberos are much easier to work on!

I thank you for the data points, they are pleasantly concrete.  To be honest, due to the rare use of user names in HTTP I am not expecting any more tough points.  Still, open to hear about any concrete technical issues that this list brings up.

Thanks,
 -Rick

Received on Monday, 27 January 2020 15:03:56 UTC
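
The distinction this message turns on, a bare user@ versus a userinfo that contains a colon, shown as an added example that is not part of the original post and is not curl's code. The function names and the example.org URLs are constructed for illustration; the empty-password default follows the behaviour the message describes.

```python
import base64
from urllib.parse import urlsplit, unquote


def classify_userinfo(url):
    """Return (kind, user, password) for the userinfo part of an HTTP(S) URL."""
    parts = urlsplit(url)
    if parts.username is None:
        return ("none", None, None)
    user = unquote(parts.username)
    if parts.password is None:
        # "user@host": no colon, so there is no password field at all.
        return ("user-only", user, None)
    # "user:@host" or "user:pw@host": colon present, password may be empty.
    return ("user-and-password", user, unquote(parts.password))


def basic_header(url):
    """Authorization value when a bare user name is given an empty password
    (the behaviour described in the message); None when there is no userinfo."""
    kind, user, password = classify_userinfo(url)
    if kind == "none":
        return None
    if ":" in user:
        # RFC 7617: a user-id containing a colon cannot be carried in Basic.
        raise ValueError("user-id must not contain ':'")
    token = base64.b64encode(f"{user}:{password or ''}".encode("utf-8"))
    return "Basic " + token.decode("ascii")


if __name__ == "__main__":
    # Constructed sample URLs.
    for u in ("https://example.org/",
              "https://rick@example.org/",
              "https://rick:@example.org/",
              "https://rick:s3cret@example.org/"):
        print(u, classify_userinfo(u), basic_header(u))
```

The parser keeps "user-only" and "empty password" apart, but once the colon is appended both collapse to the same Basic credential, so any new meaning for a bare user@ has to be decided before that step.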