Timestamp:
Aug 9, 2011, 4:19:37 AM
Author:
julian.reschke@…
Message:

fix ABNF to be compatible with Basic by introducing 'b64token', but recommend against it for new schemes due to poor extensibility story (see #195)

File:
1 edited

  • draft-ietf-httpbis/latest/p7-auth.xml

    r1389 r1394  
    295295  <x:anchor-alias value="auth-scheme"/>
    296296  <x:anchor-alias value="auth-param"/>
     297  <x:anchor-alias value="b64token"/>
    297298  <x:anchor-alias value="challenge"/>
    298299  <x:anchor-alias value="credentials"/>
     
    301302   that can be used by a server to challenge a client request and by a
    302303   client to provide authentication information. It uses an extensible,
    303    case-insensitive token to identify the authentication scheme,
    304    followed by a comma-separated list of attribute-value pairs which
    305    carry the parameters necessary for achieving authentication via that
    306    scheme.
    307 </t>
    308 <figure><artwork type="abnf2616"><iref item="auth-scheme" primary="true"/><iref item="auth-param" primary="true"/><iref primary="true" item="Grammar" subitem="auth-scheme"/><iref primary="true" item="Grammar" subitem="auth-param"/>
     304   case-insensitive token to identify the authentication scheme, followed
     305   by additional information necessary for achieving authentication via that
     306   scheme. The latter can either be a comma-separated list of attribute-value
     307   pairs or a single sequence of characters capable of holding base64-encoded
     308   information.
     309</t>
     310<figure><artwork type="abnf2616"><iref item="auth-scheme" primary="true"/><iref item="auth-param" primary="true"/><iref primary="true" item="Grammar" subitem="auth-scheme"/><iref primary="true" item="Grammar" subitem="auth-param"/><iref item="b64token" primary="true"/><iref primary="true" item="Grammar" subitem="b64token"/>
    309311  auth-scheme    = <x:ref>token</x:ref>
     312 
    310313  auth-param     = <x:ref>token</x:ref> <x:ref>BWS</x:ref> "=" <x:ref>BWS</x:ref> ( <x:ref>token</x:ref> / <x:ref>quoted-string</x:ref> )
     314
     315  b64token       = 1*( <x:ref>ALPHA</x:ref> / <x:ref>DIGIT</x:ref> /
     316                       "-" / "." / "_" / "~" / "+" / "/" ) *"="
    311317</artwork></figure>
     318<t>
     319   The "b64token" syntax allows the 66 unreserved URI characters (<xref target="RFC3986"/>),
     320   plus a few others, so that it can hold a base64, base64url (URL and filename
     321   safe alphabet), base32, or base16 (hex) encoding, with or without padding, but
     322   excluding whitespace (<xref target="RFC4648"/>).
     323</t>
    312324<t>
    313325   The 401 (Unauthorized) response message is used by an origin server
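Review bot: the b64token production at new lines 315-316 is only a lexical container: it accepts any number of trailing "=" and any mix of the listed characters, so a value that matches it is not necessarily well-formed base64, base32 or hex. The paragraph at 319-322 should say this explicitly and state that decoding and padding checks are the job of the individual scheme, so that implementers do not treat a grammar match as validation. Since an auth-param also begins with a run of token characters, the text should also say how a recipient decides between the b64token and auth-param alternatives.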
     
    323335</t>
    324336<figure><artwork type="abnf2616"><iref item="challenge" primary="true"/><iref primary="true" item="Grammar" subitem="challenge"/>
    325   <x:ref>challenge</x:ref>   = <x:ref>auth-scheme</x:ref> 1*<x:ref>SP</x:ref> #<x:ref>auth-param</x:ref>
     337  <x:ref>challenge</x:ref>   = <x:ref>auth-scheme</x:ref> [ 1*<x:ref>SP</x:ref> ( <x:ref>b64token</x:ref> / #<x:ref>auth-param</x:ref> ) ]
    326338</artwork></figure>
    327339<x:note>
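Review bot: the square brackets added around the part after auth-scheme on new line 337 make everything following the scheme name optional, so a challenge consisting of a bare auth-scheme is now valid, whereas the removed line 325 required 1*SP. Neither the commit message nor the rewritten paragraph at 304-308 mentions this. Either document it as intended, or keep the 1*SP mandatory and make only the choice between b64token and #auth-param new.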
     
    361373</t>
    362374<figure><artwork type="abnf2616"><iref item="credentials" primary="true"/><iref primary="true" item="Grammar" subitem="credentials"/>
    363   <x:ref>credentials</x:ref> = <x:ref>auth-scheme</x:ref> 1*<x:ref>SP</x:ref> ( <x:ref>token</x:ref>
    364                                  / <x:ref>quoted-string</x:ref>
    365                                  / #<x:ref>auth-param</x:ref> )
     375  <x:ref>credentials</x:ref> = <x:ref>auth-scheme</x:ref> [ 1*<x:ref>SP</x:ref> ( <x:ref>b64token</x:ref> / #<x:ref>auth-param</x:ref> ) ]
    366376</artwork></figure>
    367377<t>
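Review bot: new line 375 drops the quoted-string alternative that the removed lines 363-365 allowed for credentials, and b64token does not cover it because the double quote is not among the characters listed at 315-316. The change log entry at 1121-1123 only says that b64token was added, so call out the removal there as well, or keep quoted-string as a third alternative if any existing scheme depends on it. The same line also makes the part after auth-scheme optional, which deserves the same explicit mention.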
     
    470480      Spaces as defined in <xref target="protection.space"/>. New schemes
    471481      &MUST-NOT; use it in a way incompatible with that definition.
     482    </t>
     483    </x:lt>
     484    <x:lt>
     485    <t>
     486      The "b64token" notation was introduced for compatibility with existing
     487      authentication schemes and can only be used once per challenge/credentials.
     488      New schemes thus ought to use the "auth-param" syntax instead, because
     489      otherwise future extensions will be impossible.
    472490    </t>
    473491    </x:lt>
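Review bot: the new item at 486-489 states its recommendation with "ought to", while the item just above it uses a requirement keyword (&MUST-NOT;); say whether this is meant to be normative and word it accordingly. The reason given, "otherwise future extensions will be impossible", also needs one more clause explaining why: a single b64token leaves no place to add further parameters later.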
     
    10361054</reference>
    10371055
     1056<reference anchor="RFC3986">
     1057 <front>
     1058  <title abbrev='URI Generic Syntax'>Uniform Resource Identifier (URI): Generic Syntax</title>
     1059  <author initials='T.' surname='Berners-Lee' fullname='Tim Berners-Lee'>
     1060    <organization abbrev="W3C/MIT">World Wide Web Consortium</organization>
     1061    <address>
     1062       <email>timbl@w3.org</email>
     1063       <uri>http://www.w3.org/People/Berners-Lee/</uri>
     1064    </address>
     1065  </author>
     1066  <author initials='R.' surname='Fielding' fullname='Roy T. Fielding'>
     1067    <organization abbrev="Day Software">Day Software</organization>
     1068    <address>
     1069      <email>fielding@gbiv.com</email>
     1070      <uri>http://roy.gbiv.com/</uri>
     1071    </address>
     1072  </author>
     1073  <author initials='L.' surname='Masinter' fullname='Larry Masinter'>
     1074    <organization abbrev="Adobe Systems">Adobe Systems Incorporated</organization>
     1075    <address>
     1076      <email>LMM@acm.org</email>
     1077      <uri>http://larry.masinter.net/</uri>
     1078    </address>
     1079  </author>
     1080  <date month='January' year='2005'></date>
     1081 </front>
     1082 <seriesInfo name="STD" value="66"/>
     1083 <seriesInfo name="RFC" value="3986"/>
     1084</reference>
     1085
     1086<reference anchor="RFC4648">
     1087  <front>
     1088    <title>The Base16, Base32, and Base64 Data Encodings</title>
     1089    <author fullname="S. Josefsson" initials="S." surname="Josefsson"/>
     1090    <date year="2006" month="October"/>
     1091  </front>
     1092  <seriesInfo value="4648" name="RFC"/>
     1093</reference>
     1094
    10381095<reference anchor='RFC5226'>
    10391096  <front>
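Review bot: style only, but the two new reference entries are formatted differently. RFC3986 at 1056-1084 uses single-quoted attributes and full author records with organization and address, while RFC4648 at 1086-1093 uses double quotes, a bare author element, and puts value before name in seriesInfo. Pick one form, preferably the one the neighbouring RFC5226 entry uses.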
     
    10621119</t>
    10631120<t>
     1121  The "b64token" alternative to auth-param lists has been added for consistency
     1122  with legacy authentication schemes such as "Basic".
     1123  (<xref target="access.authentication.framework"/>)
     1124</t>
     1125<t>
    10641126  Change ABNF productions for header fields to only define the field value.
    10651127  (<xref target="header.fields"/>)
     
    10871149<x:ref>auth-scheme</x:ref> = token
    10881150
    1089 <x:ref>challenge</x:ref> = auth-scheme 1*SP [ ( "," / auth-param ) *( OWS "," [ OWS
    1090  auth-param ] ) ]
    1091 <x:ref>credentials</x:ref> = auth-scheme 1*SP ( token / quoted-string / [ ( "," /
    1092  auth-param ) *( OWS "," [ OWS auth-param ] ) ] )
     1151<x:ref>b64token</x:ref> = 1*( ALPHA / DIGIT / "-" / "." / "_" / "~" / "+" / "/" )
     1152 *"="
     1153
     1154<x:ref>challenge</x:ref> = auth-scheme [ 1*SP ( b64token / [ ( "," / auth-param ) *(
     1155 OWS "," [ OWS auth-param ] ) ] ) ]
     1156<x:ref>credentials</x:ref> = auth-scheme [ 1*SP ( b64token / [ ( "," / auth-param )
     1157 *( OWS "," [ OWS auth-param ] ) ] ) ]
    10931158
    10941159<x:ref>quoted-string</x:ref> = &lt;quoted-string, defined in [Part1], Section 1.2.2&gt;
     
    13031368    </t>
    13041369    <t>
     1370      <eref target="http://tools.ietf.org/wg/httpbis/trac/ticket/195"/>:
     1371      "auth-param syntax"
     1372    </t>
     1373    <t>
    13051374      <eref target="http://tools.ietf.org/wg/httpbis/trac/ticket/257"/>:
    13061375      "Considerations for new authentications schemes"