31/10/11 08:58:42 (9 years ago)

Explain that new authentication schemes cannot override the parsing rules for WWW-Authenticate with respect to param value syntax, and also add an example for a non-trivial to parse header field instance (see #320)

1 edited


  • draft-ietf-httpbis/latest/p7-auth.html

    r1464 r1465  
    750750         </li>
    751751         <li>
     752            <p>The parsing of challenges and credentials is defined by this specification, and cannot be modified by new authentication schemes.
     753               When the auth-param syntax is used, all parameters ought to support both token and quoted-string syntax, and syntactical constraints
     754               ought to be defined on the field value after parsing (i.e., quoted-string processing). This is necessary so that recipients
     755               can use a generic parser that applies to all authentication schemes.
     756            </p>
     757            <p> <b>Note:</b> the fact that the value syntax for the "realm" parameter is restricted to quoted-string was a bad design choice not to be
     758               repeated for new parameters.
     759            </p>
     760         </li>
     761         <li>
    752762            <p>Authentication schemes need to document whether they are usable in origin-server authentication (i.e., using WWW-Authenticate),
    753763               and/or proxy authentication (i.e., using Proxy-Authenticate).
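Review bot: The new paragraph (lines 752-755) requires parameters to accept both token and quoted-string syntax, but it does not say that the two forms are equivalent once quoted-string processing has been applied; a recipient reading `realm=apps` and `realm="apps"` as different values would defeat the generic-parser goal stated in the last sentence. Consider adding a clause such as "recipients are expected to treat a parameter value identically whether it was sent as a token or as a quoted-string". The Note at lines 757-758 is useful, but "was a bad design choice" reads as editorial commentary in a specification; "is an exception that new parameters do not need to follow" conveys the same guidance in the document's register.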
    842852         challenge, or if more than one WWW-Authenticate header field is provided, the contents of a challenge itself can contain a
    843853         comma-separated list of authentication parameters.
     854      </p>
     855      <div id="rfc.figure.u.10"></div>
     856      <p>For instance:</p>  <pre class="text">  WWW-Authenticate: Newauth realm="apps", type=1,
     857                    title="Login to \"apps\"", Basic realm="simple"
     858</pre>  <p>This header field contains two challenges; one for the "Newauth" scheme with a realm value of "apps", and two additional parameters
     859         "type" and "title", and another one for the "Basic" scheme with a realm value of "simple".
    844860      </p>
    845861      <h1 id="rfc.section.5"><a href="#rfc.section.5">5.</a>&nbsp;<a id="IANA.considerations" href="#IANA.considerations">IANA Considerations</a></h1>
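Review bot: The explanatory sentence at lines 858-859 names the "type" and "title" parameters but never spells out the unescaped value of "title", which is the reason this instance is non-trivial to parse: the value contains a quoted-pair (`\"`) and the field also contains a comma inside a quoted-string, so a naive split on commas or quotes yields the wrong challenge boundaries. Suggest stating that after quoted-string processing the "title" value is `Login to "apps"`, and that the comma after `type=1` separates parameters while the commas inside the quoted title do not. The new `<div id="rfc.figure.u.10">` also shifts all later figure ids in this part (see the Appendix B hunk), which is fine for generated output but worth keeping in mind for any external anchors.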
    10431059      </p>
    10441060      <h1 id="rfc.section.B"><a href="#rfc.section.B">B.</a>&nbsp;<a id="collected.abnf" href="#collected.abnf">Collected ABNF</a></h1>
    1045       <div id="rfc.figure.u.10"></div> <pre class="inline"><a href="#header.authorization" class="smpl">Authorization</a> = credentials
     1061      <div id="rfc.figure.u.11"></div> <pre class="inline"><a href="#header.authorization" class="smpl">Authorization</a> = credentials
    10471063<a href="#core.rules" class="smpl">BWS</a> = &lt;BWS, defined in [Part1], Section 1.2.2&gt;
    10741090<a href="#core.rules" class="smpl">token</a> = &lt;token, defined in [Part1], Section 3.2.3&gt;
    1075 </pre> <div id="rfc.figure.u.11"></div>
     1091</pre> <div id="rfc.figure.u.12"></div>
    10761092      <p>ABNF diagnostics:</p><pre class="inline">; Authorization defined but not used
    10771093; Proxy-Authenticate defined but not used
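Review bot: The only changes here are the generated figure ids (`rfc.figure.u.10` to `u.11` at lines 1045/1061 and `u.11` to `u.12` at lines 1075/1091) caused by the new example figure; the collected ABNF and the diagnostics block are unchanged. Nothing to fix, but because these ids are renumbered on every insertion, any cross-reference to a figure should point at the section anchor rather than at an `rfc.figure.u.N` id.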
    11861202      <ul>
    11871203         <li> &lt;<a href="http://tools.ietf.org/wg/httpbis/trac/ticket/186">http://tools.ietf.org/wg/httpbis/trac/ticket/186</a>&gt;: "Document HTTP's error-handling philosophy"
     1204         </li>
     1205         <li> &lt;<a href="http://tools.ietf.org/wg/httpbis/trac/ticket/320">http://tools.ietf.org/wg/httpbis/trac/ticket/320</a>&gt;: "add advice on defining auth scheme parameters"
    11881206         </li>
    11891207      </ul>
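Review bot: The changelog entry at line 1205 records ticket 320 as "add advice on defining auth scheme parameters", which covers the new Considerations paragraph but not the added WWW-Authenticate example in the section preceding IANA Considerations. Since that example is the more visible text change, consider mentioning it in the entry (for example, "add advice on defining auth scheme parameters; add example of a non-trivial WWW-Authenticate field value") so readers of the change log can find it.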