Changeset 1465 for draft-ietf-httpbis/latest/p7-auth.html

Timestamp:

31/10/11 08:58:42 (11 years ago)

Author:

julian.reschke@…

Message:

Explain that new authentication schemes can not override the parsing rules for WWW-Authenticate with respect to param value syntax, and also add an example for a non-trivial to parse header field instance (see #320)

File:

• draft-ietf-httpbis/latest/p7-auth.html (modified) (5 diffs)

draft-ietf-httpbis/latest/p7-auth.html

@@ -750 +750 @@
          </li>
          <li>
+            <p>The parsing of challenges and credentials is defined by this specification, and cannot be modified by new authentication schemes.
+               When the auth-param syntax is used, all parameters ought to support both token and quoted-string syntax, and syntactical constraints
+               ought to be defined on the field value after parsing (i.e., quoted-string processing). This is necessary so that recipients
+               can use a generic parser that applies to all authentication schemes.
+            </p>
+            <p> <b>Note:</b> the fact that the value syntax for the "realm" parameter is restricted to quoted-string was a bad design choice not to be
+               repeated for new parameters.
+            </p>
+         </li>
+         <li>
             <p>Authentication schemes need to document whether they are usable in origin-server authentication (i.e., using WWW-Authenticate),
                and/or proxy authentication (i.e., using Proxy-Authenticate).
@@ -842 +852 @@
          challenge, or if more than one WWW-Authenticate header field is provided, the contents of a challenge itself can contain a
          comma-separated list of authentication parameters.
+      </p>
+      <div id="rfc.figure.u.10"></div> 
+      <p>For instance:</p>  <pre class="text">  WWW-Authenticate: Newauth realm="apps", type=1,
+                    title="Login to \"apps\"", Basic realm="simple"
+</pre>  <p>This header field contains two challenges; one for the "Newauth" scheme with a realm value of "apps", and two additional parameters
+         "type" and "title", and another one for the "Basic" scheme with a realm value of "simple".
       </p>
       <h1 id="rfc.section.5"><a href="#rfc.section.5">5.</a>&nbsp;<a id="IANA.considerations" href="#IANA.considerations">IANA Considerations</a></h1>
@@ -1043 +1059 @@
       </p>
       <h1 id="rfc.section.B"><a href="#rfc.section.B">B.</a>&nbsp;<a id="collected.abnf" href="#collected.abnf">Collected ABNF</a></h1>
-      <div id="rfc.figure.u.10"></div> <pre class="inline"><a href="#header.authorization" class="smpl">Authorization</a> = credentials
+      <div id="rfc.figure.u.11"></div> <pre class="inline"><a href="#header.authorization" class="smpl">Authorization</a> = credentials
 
 <a href="#core.rules" class="smpl">BWS</a> = &lt;BWS, defined in [Part1], Section 1.2.2&gt;
@@ -1073 +1089 @@
 
 <a href="#core.rules" class="smpl">token</a> = &lt;token, defined in [Part1], Section 3.2.3&gt;
-</pre> <div id="rfc.figure.u.11"></div>
+</pre> <div id="rfc.figure.u.12"></div>
       <p>ABNF diagnostics:</p><pre class="inline">; Authorization defined but not used
 ; Proxy-Authenticate defined but not used
@@ -1186 +1202 @@
       <ul>
          <li> &lt;<a href="http://tools.ietf.org/wg/httpbis/trac/ticket/186">http://tools.ietf.org/wg/httpbis/trac/ticket/186</a>&gt;: "Document HTTP's error-handling philosophy"
+         </li>
+         <li> &lt;<a href="http://tools.ietf.org/wg/httpbis/trac/ticket/320">http://tools.ietf.org/wg/httpbis/trac/ticket/320</a>&gt;: "add advice on defining auth scheme parameters"
          </li>
       </ul>