- From: Armen Michaeli <armen.michaeli@gmail.com>
- Date: Sat, 21 Jun 2025 12:28:12 +0200
- To: ietf-http-wg@w3.org
Hi all,

Quoting the second paragraph in section 15.5.2 of "HTTP Semantics", at https://www.rfc-editor.org/rfc/rfc9110.html#section-15.5.2:

> If the request included authentication credentials, then the 401 response indicates that authorization has been refused for those credentials. The user agent MAY repeat the request with a new or replaced Authorization header field (Section 11.6.2). If the 401 response contains the same challenge as the prior response, and the user agent has already attempted authentication at least once, then the user agent SHOULD present the enclosed representation to the user, since it usually contains relevant diagnostic information.

Drawing your attention to the last sentence in the quote above, the word "challenge" (singular form) confuses me: since `WWW-Authenticate` is allowed to contain _multiple_ challenges (plural) -- how do I then interpret the "contains the same challenge as the prior response" if the "prior response" happened to specify _more than one_ challenge with its `WWW-Authenticate` header? By similar logic, what if the follow-up response did? Or, more generally, what if there were multiple challenges specified on either, and what if the values (lists) are different but contain identical elements?

Do I duly use the word "contains" as my cue here -- as in, if any [single] challenge that is part of the `WWW-Authenticate` header in _either_ response is one of the challenges presented by the other, then the condition is fulfilled? I guess that would make the most sense, interpretation-wise?

Now, I kind of suspect there's no practical case for the server ever returning two different values as the `WWW-Authenticate` header on the two responses in the series, in which case my issue is moot, I guess, but if that did for some reason happen? -- I suppose I am approaching this from the client's perspective.

Thank you.
Received on Thursday, 26 June 2025 19:50:45 UTC
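To make the question concrete, here is an added client-side example (not code from the thread or from any HTTP library) that parses the challenge list of two `WWW-Authenticate` values per the RFC 9110 grammar and applies the "any challenge in common" reading proposed above; that reading, and the sample field values, are assumptions for illustration.

```python
import re
from typing import Dict, List, Optional, Tuple

# Grammar pieces from RFC 9110 sections 5.6.2 and 11.2 (simplified).
_TOKEN = r"[!#$%&'*+\-.^_`|~0-9A-Za-z]+"
_QUOTED = r'"(?:[^"\\]|\\.)*"'
_TOKEN68 = r"[A-Za-z0-9\-._~+/]+=*"
_VALUE = rf"{_TOKEN}|{_QUOTED}"
_SPLIT = re.compile(r',(?=(?:[^"]*"[^"]*")*[^"]*$)')  # commas outside quotes
_SCHEME_PARAM = re.compile(rf"^({_TOKEN})\s+({_TOKEN})=({_VALUE})$")
_PARAM = re.compile(rf"^({_TOKEN})=({_VALUE})$")
_SCHEME_T68 = re.compile(rf"^({_TOKEN})\s+({_TOKEN68})$")
_SCHEME = re.compile(rf"^({_TOKEN})$")

Challenge = Tuple[str, Optional[str], Tuple[Tuple[str, str], ...]]

def _unquote(v: str) -> str:
    return re.sub(r"\\(.)", r"\1", v[1:-1]) if v.startswith('"') else v

def parse_challenges(header: str) -> List[Challenge]:
    """Parse a WWW-Authenticate value into normalized challenges:
    (scheme lowercased, token68 or None, sorted (name lowercased, value))."""
    out: List[Tuple[str, Optional[str], Dict[str, str]]] = []
    for item in _SPLIT.split(header):
        item = item.strip()
        if not item:
            continue  # empty list elements are tolerated (RFC 9110 5.6.1)
        if m := _SCHEME_PARAM.match(item):        # "Basic realm=x"
            out.append((m[1].lower(), None, {m[2].lower(): _unquote(m[3])}))
        elif m := _PARAM.match(item):             # continuation: "error=x"
            if not out:
                raise ValueError(f"auth-param before any scheme: {item!r}")
            out[-1][2][m[1].lower()] = _unquote(m[2])
        elif m := _SCHEME_T68.match(item):        # "Negotiate YWJj="
            out.append((m[1].lower(), m[2], {}))
        elif m := _SCHEME.match(item):            # bare "Negotiate"
            out.append((m[1].lower(), None, {}))
        else:
            raise ValueError(f"malformed challenge element: {item!r}")
    return [(s, t, tuple(sorted(p.items()))) for s, t, p in out]

def repeats_prior_challenge(prior: str, current: str) -> bool:
    """Section 15.5.2 condition under the thread's proposed reading (an
    assumption): any challenge of the new 401 also appeared in the prior one."""
    return bool(set(parse_challenges(prior)) & set(parse_challenges(current)))

if __name__ == "__main__":
    # Constructed sample field values, not taken from any real server.
    first = 'Basic realm="api", Bearer realm="api", error="invalid_token"'
    second = 'bearer realm=api, error=invalid_token'
    print(repeats_prior_challenge(first, second))  # True
```

Scheme and parameter names are compared case-insensitively and quoted values are unquoted before comparison, so a reordered or differently quoted repeat of the same challenge still counts as "the same challenge"; a different realm or a new token68 does not.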