Question about the "One Round-Trip Reauthentication" for HTTP SCRAM (RFC 7804)

Hi,

I have a question about the "One Round-Trip Reauthentication" for HTTP SCRAM (RFC 7804) and I am assuming that this is now the right venue to ask questions about this HTTP authentication scheme. I've reached out to the author several times more than a year ago, but I never got an answer, so I'm trying it here now.

The re-authentication issues basically just a client-final-message using the server nonce announced earlier in the server's "sr" parameter. That sounded fine to me before at first glance, but while trying to make a quick server-side implementation of this, I hit a snag. How is the server supposed to know for which user the client is re-authenticating based only on the client-final-message? There is no "sid" from the earlier authentication used in the Authorization header and no username is part of the client-final-message, nor is there any other way to identify the user from the new request from what I can see. As you know, within HTTP, the assumption that all requests are from the same client and in fact the same user or entity is a bad one.

So, what do I do? Am I missing something?

Regards,

Stephan.

Received on Wednesday, 6 November 2024 08:49:53 UTC
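As an added illustration that is not part of the original post or of RFC 7804, the following Python code shows what a server needs in hand to verify a SCRAM-SHA-256 client-final-message under the ordinary RFC 5802/RFC 7677 rules: the user's StoredKey plus the earlier client-first and server-first messages, none of which the client-final-message itself carries. The user names, passwords, salt and nonces are constructed sample values; the RFC 7804 reauthentication framing itself is not reproduced.

```python
import base64
import hashlib
import hmac

def parse_attrs(msg: str) -> dict:
    """Split a SCRAM message such as "c=biws,r=...,p=..." into its attributes."""
    return dict(part.partition("=")[::2] for part in msg.split(","))

def derive_keys(password: str, salt: bytes, iterations: int) -> tuple:
    """SCRAM-SHA-256 key derivation: SaltedPassword -> ClientKey -> StoredKey."""
    salted = hashlib.pbkdf2_hmac("sha256", password.encode(), salt, iterations)
    client_key = hmac.new(salted, b"Client Key", hashlib.sha256).digest()
    stored_key = hashlib.sha256(client_key).digest()
    return client_key, stored_key

def client_proof(client_key: bytes, stored_key: bytes, auth_message: str) -> str:
    """Client side: ClientProof = ClientKey XOR HMAC(StoredKey, AuthMessage), base64."""
    sig = hmac.new(stored_key, auth_message.encode(), hashlib.sha256).digest()
    return base64.b64encode(bytes(a ^ b for a, b in zip(client_key, sig))).decode()

def verify_client_final(client_final: str, stored_key: bytes, auth_prefix: str) -> bool:
    """Server side: recover ClientKey from the proof and check H(ClientKey) == StoredKey.
    auth_prefix is client-first-message-bare + "," + server-first-message; the server
    must already hold it for the right user, because the final message cannot supply it."""
    without_proof, _, proof_b64 = client_final.rpartition(",p=")
    auth_message = auth_prefix + "," + without_proof
    sig = hmac.new(stored_key, auth_message.encode(), hashlib.sha256).digest()
    recovered = bytes(a ^ b for a, b in zip(base64.b64decode(proof_b64), sig))
    return hmac.compare_digest(hashlib.sha256(recovered).digest(), stored_key)

# Constructed sample exchange (illustrative values, not taken from the RFC or the post).
SALT, ITER = b"constructed-salt", 4096
C_NONCE, S_NONCE = "fyko+d2lbbFgONRv9qkxdawL", "3rfcNHYJY1ZVvWVs7j"
CLIENT_FIRST_BARE = f"n=user,r={C_NONCE}"
SERVER_FIRST = f"r={C_NONCE}{S_NONCE},s={base64.b64encode(SALT).decode()},i={ITER}"
AUTH_PREFIX = CLIENT_FIRST_BARE + "," + SERVER_FIRST
# Server-side credential store: username -> (ClientKey, StoredKey); ClientKey kept only to build the demo proof.
USERS = {name: derive_keys(pw, SALT, ITER) for name, pw in {"user": "pencil", "other": "eraser"}.items()}

def build_client_final(username: str) -> str:
    """What the client puts on the wire: channel binding, combined nonce and proof; no username."""
    without_proof = f"c=biws,r={C_NONCE}{S_NONCE}"
    ck, sk = USERS[username]
    return without_proof + ",p=" + client_proof(ck, sk, AUTH_PREFIX + "," + without_proof)

if __name__ == "__main__":
    final = build_client_final("user")
    print("attributes on the wire:", sorted(parse_attrs(final)))          # ['c', 'p', 'r']
    print("verifies as 'user':", verify_client_final(final, USERS["user"][1], AUTH_PREFIX))
    print("verifies as 'other':", verify_client_final(final, USERS["other"][1], AUTH_PREFIX))
```

Running it shows that parsing yields only c, r and p, and that verification only succeeds once the server has chosen the correct user's StoredKey and earlier messages by some means outside the message itself.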