- From: Ian Hickson <ian@hixie.ch>
- Date: Wed, 26 Nov 2008 21:38:31 +0000 (UTC)
On Wed, 26 Nov 2008, Julian Reschke wrote:
> Ian Hickson wrote:
> > > > > RFC2617 states that "The realm directive (case-insensitive) is
> > > > > required for all authentication schemes that issue a challenge."
> > > > I didn't really understand how the realm would work here, which is
> > > > why I didn't include it. Is this a case where we should violate
> > > > RFC2617? (Note that we're in a rather unusual case here because the
> > > > challenge never gets a reply in the traditional sense.)
> > > Unless there's an ultra-important reason to violate any base
> > > requirements, I would advise against it.
> >
> > "They make no sense" is a pretty important reason. What would "realm"
> > mean in this context? Who would use it and how? How would you know what
> > value to set it to?
>
> I don't see how the realm is different here, compared to, for instance,
> Basic Auth.
>
> If there is only a single realm, the simplest compliant approach seems
> to define a single hardwired realm name.

Ok let me rephrase. What are the user agent requirements for processing
the "realm" value? For other schemes, it's basically "show the realm to
the user as a hint as to what password is wanted". But here we aren't
going to show anything to the user.

-- 
Ian Hickson               U+1047E                )\._.,--....,'``.    fL
http://ln.hixie.ch/       U+263A                /,   _.. \   _\  ;`._ ,.
Things that are impossible just take longer.   `._.-(,_..'--(,_..'`-.;.'
Received on Wednesday, 26 November 2008 13:38:31 UTC