Timestamp:
Feb 3, 2008, 11:38:52 AM (12 years ago)
Author:
julian.reschke@…
Message:

Explicitly import BNF rules for "challenge" and "credentials" from RFC2617; addresses #36.

File:
1 edited

  • draft-ietf-httpbis/latest/p7-auth.html

    r189 r191  
    524524      <p id="rfc.section.1.p.2">HTTP provides several <em class="bcp14">OPTIONAL</em> challenge-response authentication mechanisms which can be used by a server to challenge a client request and by a client to
    525525         provide authentication information. The general framework for access authentication, and the specification of "basic" and
    526          "digest" authentication, are specified in "HTTP Authentication: Basic and Digest Access Authentication" <a href="#RFC2617" id="rfc.xref.RFC2617.2"><cite title="HTTP Authentication: Basic and Digest Access Authentication">[RFC2617]</cite></a>. This specification adopts the definitions of "challenge" and "credentials" from that specification.
    527       </p>
    528       <h2 id="rfc.section.1.1"><a href="#rfc.section.1.1">1.1</a>&nbsp;<a id="intro.requirements" href="#intro.requirements">Requirements</a></h2>
     526         "digest" authentication, are specified in "HTTP Authentication: Basic and Digest Access Authentication" <a href="#RFC2617" id="rfc.xref.RFC2617.2"><cite title="HTTP Authentication: Basic and Digest Access Authentication">[RFC2617]</cite></a>. This specification adopts the definitions of "challenge" and "credentials" from that specification:
     527      </p>
     528      <div id="rfc.figure.u.1"></div><pre class="inline"><span id="rfc.iref.g.1"></span><span id="rfc.iref.g.2"></span>  challenge   = &lt;challenge, defined in <a href="#RFC2617" id="rfc.xref.RFC2617.3"><cite title="HTTP Authentication: Basic and Digest Access Authentication">[RFC2617]</cite></a>, <a href="http://tools.ietf.org/html/rfc2617#section-1.2">Section 1.2</a>&gt;
     529  credentials = &lt;credentials, defined in <a href="#RFC2617" id="rfc.xref.RFC2617.4"><cite title="HTTP Authentication: Basic and Digest Access Authentication">[RFC2617]</cite></a>, <a href="http://tools.ietf.org/html/rfc2617#section-1.2">Section 1.2</a>&gt;
     530</pre><h2 id="rfc.section.1.1"><a href="#rfc.section.1.1">1.1</a>&nbsp;<a id="intro.requirements" href="#intro.requirements">Requirements</a></h2>
    529531      <p id="rfc.section.1.1.p.1">The key words "MUST", "MUST NOT", "REQUIRED", "SHALL", "SHALL NOT", "SHOULD", "SHOULD NOT", "RECOMMENDED", "MAY", and "OPTIONAL"
    530532         in this document are to be interpreted as described in <a href="#RFC2119" id="rfc.xref.RFC2119.1"><cite title="Key words for use in RFCs to Indicate Requirement Levels">[RFC2119]</cite></a>.
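Review bot: The two rules imported at new lines 528-529 are prose values that point at RFC2617 Section 1.2, but in that section challenge and credentials are themselves built from auth-scheme and auth-param, which this document still uses only implicitly (Section 3.4 speaks of "authentication parameters", Section 3.1 of a realm). Consider importing those subordinate rules in the same block, or stating that they come along with the two imported productions, so that someone writing a parser from this part alone knows which definitions apply.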
     
    534536      <h1 id="rfc.section.2"><a href="#rfc.section.2">2.</a>&nbsp;Status Code Definitions
    535537      </h1>
    536       <div id="rfc.iref."></div>
     538      <div id="rfc.iref.2"></div>
    537539      <div id="rfc.iref.s.1"></div>
    538540      <h2 id="rfc.section.2.1"><a href="#rfc.section.2.1">2.1</a>&nbsp;<a id="status.401" href="#status.401">401 Unauthorized</a></h2>
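Review bot: The anchor change at new line 538 (id "rfc.iref." with an empty suffix becoming "rfc.iref.2") is not covered by the commit message, which only mentions importing the BNF rules. If this comes from regenerating the HTML, say so in the message; it would also be worth confirming that "rfc.iref.1" is assigned somewhere outside the lines shown, since the visible numbering now starts at 2.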
     
    540542         refused for those credentials. If the 401 response contains the same challenge as the prior response, and the user agent has
    541543         already attempted authentication at least once, then the user <em class="bcp14">SHOULD</em> be presented the entity that was given in the response, since that entity might include relevant diagnostic information. HTTP
    542          access authentication is explained in "HTTP Authentication: Basic and Digest Access Authentication" <a href="#RFC2617" id="rfc.xref.RFC2617.3"><cite title="HTTP Authentication: Basic and Digest Access Authentication">[RFC2617]</cite></a>.
    543       </p>
    544       <div id="rfc.iref.1"></div>
     544         access authentication is explained in "HTTP Authentication: Basic and Digest Access Authentication" <a href="#RFC2617" id="rfc.xref.RFC2617.5"><cite title="HTTP Authentication: Basic and Digest Access Authentication">[RFC2617]</cite></a>.
     545      </p>
     546      <div id="rfc.iref.3"></div>
    545547      <div id="rfc.iref.s.2"></div>
    546548      <h2 id="rfc.section.2.2"><a href="#rfc.section.2.2">2.2</a>&nbsp;<a id="status.407" href="#status.407">407 Proxy Authentication Required</a></h2>
    547549      <p id="rfc.section.2.2.p.1">This code is similar to 401 (Unauthorized), but indicates that the client must first authenticate itself with the proxy. The
    548          proxy <em class="bcp14">MUST</em> return a Proxy-Authenticate header field (<a href="#header.proxy-authenticate" id="rfc.xref.header.proxy-authenticate.1" title="Proxy-Authenticate">Section&nbsp;3.2</a>) containing a challenge applicable to the proxy for the requested resource. The client <em class="bcp14">MAY</em> repeat the request with a suitable Proxy-Authorization header field (<a href="#header.proxy-authorization" id="rfc.xref.header.proxy-authorization.1" title="Proxy-Authorization">Section&nbsp;3.3</a>). HTTP access authentication is explained in "HTTP Authentication: Basic and Digest Access Authentication" <a href="#RFC2617" id="rfc.xref.RFC2617.4"><cite title="HTTP Authentication: Basic and Digest Access Authentication">[RFC2617]</cite></a>.
     550         proxy <em class="bcp14">MUST</em> return a Proxy-Authenticate header field (<a href="#header.proxy-authenticate" id="rfc.xref.header.proxy-authenticate.1" title="Proxy-Authenticate">Section&nbsp;3.2</a>) containing a challenge applicable to the proxy for the requested resource. The client <em class="bcp14">MAY</em> repeat the request with a suitable Proxy-Authorization header field (<a href="#header.proxy-authorization" id="rfc.xref.header.proxy-authorization.1" title="Proxy-Authorization">Section&nbsp;3.3</a>). HTTP access authentication is explained in "HTTP Authentication: Basic and Digest Access Authentication" <a href="#RFC2617" id="rfc.xref.RFC2617.6"><cite title="HTTP Authentication: Basic and Digest Access Authentication">[RFC2617]</cite></a>.
    549551      </p>
    550552      <h1 id="rfc.section.3"><a href="#rfc.section.3">3.</a>&nbsp;<a id="header.fields" href="#header.fields">Header Field Definitions</a></h1>
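Review bot: The citation anchors in 2.1 and 2.2 are renumbered (rfc.xref.RFC2617.3 and .4 become .5 and .6 at new lines 544 and 550), while the old ids .3 and .4 are reused for the new grammar block in Section 1. Any existing fragment link to #rfc.xref.RFC2617.3 or .4 will still resolve, but to a different place in the document. If the generator allows it, stable anchors for existing citations would avoid this; otherwise the churn should at least be noted as expected output of the regeneration.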
     
    557559         containing the authentication information of the user agent for the realm of the resource being requested.
    558560      </p>
    559       <div id="rfc.figure.u.1"></div><pre class="inline"><span id="rfc.iref.g.1"></span>  Authorization  = "Authorization" ":" credentials
    560 </pre><p id="rfc.section.3.1.p.3">HTTP access authentication is described in "HTTP Authentication: Basic and Digest Access Authentication" <a href="#RFC2617" id="rfc.xref.RFC2617.5"><cite title="HTTP Authentication: Basic and Digest Access Authentication">[RFC2617]</cite></a>. If a request is authenticated and a realm specified, the same credentials <em class="bcp14">SHOULD</em> be valid for all other requests within this realm (assuming that the authentication scheme itself does not require otherwise,
     561      <div id="rfc.figure.u.2"></div><pre class="inline"><span id="rfc.iref.g.3"></span>  Authorization  = "Authorization" ":" credentials
     562</pre><p id="rfc.section.3.1.p.3">HTTP access authentication is described in "HTTP Authentication: Basic and Digest Access Authentication" <a href="#RFC2617" id="rfc.xref.RFC2617.7"><cite title="HTTP Authentication: Basic and Digest Access Authentication">[RFC2617]</cite></a>. If a request is authenticated and a realm specified, the same credentials <em class="bcp14">SHOULD</em> be valid for all other requests within this realm (assuming that the authentication scheme itself does not require otherwise,
    561563         such as credentials that vary according to a challenge value or using synchronized clocks).
    562564      </p>
     
    580582         the authentication scheme and parameters applicable to the proxy for this Request-URI.
    581583      </p>
    582       <div id="rfc.figure.u.2"></div><pre class="inline"><span id="rfc.iref.g.2"></span>  Proxy-Authenticate  = "Proxy-Authenticate" ":" 1#challenge
    583 </pre><p id="rfc.section.3.2.p.3">The HTTP access authentication process is described in "HTTP Authentication: Basic and Digest Access Authentication" <a href="#RFC2617" id="rfc.xref.RFC2617.6"><cite title="HTTP Authentication: Basic and Digest Access Authentication">[RFC2617]</cite></a>. Unlike WWW-Authenticate, the Proxy-Authenticate header field applies only to the current connection and <em class="bcp14">SHOULD NOT</em> be passed on to downstream clients. However, an intermediate proxy might need to obtain its own credentials by requesting
     584      <div id="rfc.figure.u.3"></div><pre class="inline"><span id="rfc.iref.g.4"></span>  Proxy-Authenticate  = "Proxy-Authenticate" ":" 1#challenge
     585</pre><p id="rfc.section.3.2.p.3">The HTTP access authentication process is described in "HTTP Authentication: Basic and Digest Access Authentication" <a href="#RFC2617" id="rfc.xref.RFC2617.8"><cite title="HTTP Authentication: Basic and Digest Access Authentication">[RFC2617]</cite></a>. Unlike WWW-Authenticate, the Proxy-Authenticate header field applies only to the current connection and <em class="bcp14">SHOULD NOT</em> be passed on to downstream clients. However, an intermediate proxy might need to obtain its own credentials by requesting
    584586         them from the downstream client, which in some circumstances will appear as if the proxy is forwarding the Proxy-Authenticate
    585587         header field.
     
    592594         user agent for the proxy and/or realm of the resource being requested.
    593595      </p>
    594       <div id="rfc.figure.u.3"></div><pre class="inline"><span id="rfc.iref.g.3"></span>  Proxy-Authorization     = "Proxy-Authorization" ":" credentials
    595 </pre><p id="rfc.section.3.3.p.3">The HTTP access authentication process is described in "HTTP Authentication: Basic and Digest Access Authentication" <a href="#RFC2617" id="rfc.xref.RFC2617.7"><cite title="HTTP Authentication: Basic and Digest Access Authentication">[RFC2617]</cite></a>. Unlike Authorization, the Proxy-Authorization header field applies only to the next outbound proxy that demanded authentication
     596      <div id="rfc.figure.u.4"></div><pre class="inline"><span id="rfc.iref.g.5"></span>  Proxy-Authorization     = "Proxy-Authorization" ":" credentials
     597</pre><p id="rfc.section.3.3.p.3">The HTTP access authentication process is described in "HTTP Authentication: Basic and Digest Access Authentication" <a href="#RFC2617" id="rfc.xref.RFC2617.9"><cite title="HTTP Authentication: Basic and Digest Access Authentication">[RFC2617]</cite></a>. Unlike Authorization, the Proxy-Authorization header field applies only to the next outbound proxy that demanded authentication
    596598         using the Proxy-Authenticate field. When multiple proxies are used in a chain, the Proxy-Authorization header field is consumed
    597599         by the first outbound proxy that was expecting to receive credentials. A proxy <em class="bcp14">MAY</em> relay the credentials from the client request to the next proxy if that is the mechanism by which the proxies cooperatively
     
    604606         authentication scheme(s) and parameters applicable to the Request-URI.
    605607      </p>
    606       <div id="rfc.figure.u.4"></div><pre class="inline"><span id="rfc.iref.g.4"></span>  WWW-Authenticate  = "WWW-Authenticate" ":" 1#challenge
    607 </pre><p id="rfc.section.3.4.p.3">The HTTP access authentication process is described in "HTTP Authentication: Basic and Digest Access Authentication" <a href="#RFC2617" id="rfc.xref.RFC2617.8"><cite title="HTTP Authentication: Basic and Digest Access Authentication">[RFC2617]</cite></a>. User agents are advised to take special care in parsing the WWW-Authenticate field value as it might contain more than one
     608      <div id="rfc.figure.u.5"></div><pre class="inline"><span id="rfc.iref.g.6"></span>  WWW-Authenticate  = "WWW-Authenticate" ":" 1#challenge
     609</pre><p id="rfc.section.3.4.p.3">The HTTP access authentication process is described in "HTTP Authentication: Basic and Digest Access Authentication" <a href="#RFC2617" id="rfc.xref.RFC2617.10"><cite title="HTTP Authentication: Basic and Digest Access Authentication">[RFC2617]</cite></a>. User agents are advised to take special care in parsing the WWW-Authenticate field value as it might contain more than one
    608610         challenge, or if more than one WWW-Authenticate header field is provided, the contents of a challenge itself can contain a
    609611         comma-separated list of authentication parameters.
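Review bot: With challenge now explicitly imported, 1#challenge at new line 608 is a comma-separated list whose elements can themselves contain a comma-separated list of parameters, and the paragraph that follows only advises "special care" without saying how a recipient decides where one challenge ends and the next begins. Suggest recording a follow-up on ticket #36 to state the disambiguation rule here, because the grammar alone does not settle it.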
     
    700702      <h2 id="rfc.section.B.3"><a href="#rfc.section.B.3">B.3</a>&nbsp;Since draft-ietf-httpbis-p7-auth-01
    701703      </h2>
     704      <p id="rfc.section.B.3.p.1">Ongoing work on ABNF conversion (&lt;<a href="http://www3.tools.ietf.org/wg/httpbis/trac/ticket/36">http://www3.tools.ietf.org/wg/httpbis/trac/ticket/36</a>&gt;):
     705      </p>
     706      <ul>
     707         <li>Explicitly import BNF rules for "challenge" and "credentials" from RFC2617.</li>
     708      </ul>
    702709      <h1><a id="rfc.copyright" href="#rfc.copyright">Full Copyright Statement</a></h1>
    703710      <p>Copyright © The IETF Trust (2008).</p>
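Review bot: The ticket link added at new line 704 uses the host www3.tools.ietf.org, while the Section 1.2 links added in the introduction use tools.ietf.org. Suggest using one host form for all tools.ietf.org references so the generated links stay consistent.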
     
    733740         <ul class="ind">
    734741            <li class="indline0"><a id="rfc.index.4" href="#rfc.index.4"><b>4</b></a><ul class="ind">
    735                   <li class="indline1">401 Unauthorized (status code)&nbsp;&nbsp;<a class="iref" href="#rfc.iref."><b>2.1</b></a></li>
    736                   <li class="indline1">407 Proxy Authentication Required (status code)&nbsp;&nbsp;<a class="iref" href="#rfc.iref.1"><b>2.2</b></a></li>
     742                  <li class="indline1">401 Unauthorized (status code)&nbsp;&nbsp;<a class="iref" href="#rfc.iref.2"><b>2.1</b></a></li>
     743                  <li class="indline1">407 Proxy Authentication Required (status code)&nbsp;&nbsp;<a class="iref" href="#rfc.iref.3"><b>2.2</b></a></li>
    737744               </ul>
    738745            </li>
     
    744751                  <li class="indline1"><tt>Grammar</tt>&nbsp;&nbsp;
    745752                     <ul class="ind">
    746                         <li class="indline1"><tt>Authorization</tt>&nbsp;&nbsp;<a class="iref" href="#rfc.iref.g.1"><b>3.1</b></a></li>
    747                         <li class="indline1"><tt>Proxy-Authenticate</tt>&nbsp;&nbsp;<a class="iref" href="#rfc.iref.g.2"><b>3.2</b></a></li>
    748                         <li class="indline1"><tt>Proxy-Authorization</tt>&nbsp;&nbsp;<a class="iref" href="#rfc.iref.g.3"><b>3.3</b></a></li>
    749                         <li class="indline1"><tt>WWW-Authenticate</tt>&nbsp;&nbsp;<a class="iref" href="#rfc.iref.g.4"><b>3.4</b></a></li>
     753                        <li class="indline1"><tt>Authorization</tt>&nbsp;&nbsp;<a class="iref" href="#rfc.iref.g.3"><b>3.1</b></a></li>
     754                        <li class="indline1"><tt>challenge</tt>&nbsp;&nbsp;<a class="iref" href="#rfc.iref.g.1"><b>1</b></a></li>
     755                        <li class="indline1"><tt>credentials</tt>&nbsp;&nbsp;<a class="iref" href="#rfc.iref.g.2"><b>1</b></a></li>
     756                        <li class="indline1"><tt>Proxy-Authenticate</tt>&nbsp;&nbsp;<a class="iref" href="#rfc.iref.g.4"><b>3.2</b></a></li>
     757                        <li class="indline1"><tt>Proxy-Authorization</tt>&nbsp;&nbsp;<a class="iref" href="#rfc.iref.g.5"><b>3.3</b></a></li>
     758                        <li class="indline1"><tt>WWW-Authenticate</tt>&nbsp;&nbsp;<a class="iref" href="#rfc.iref.g.6"><b>3.4</b></a></li>
    750759                     </ul>
    751760                  </li>
     
    775784                  <li class="indline1"><em>RFC2119</em>&nbsp;&nbsp;<a class="iref" href="#rfc.xref.RFC2119.1">1.1</a>, <a class="iref" href="#RFC2119"><b>7.1</b></a></li>
    776785                  <li class="indline1"><em>RFC2616</em>&nbsp;&nbsp;<a class="iref" href="#rfc.xref.RFC2616.1">1</a>, <a class="iref" href="#RFC2616"><b>7.2</b></a>, <a class="iref" href="#rfc.xref.RFC2616.2">B.1</a></li>
    777                   <li class="indline1"><em>RFC2617</em>&nbsp;&nbsp;<a class="iref" href="#rfc.xref.RFC2617.1">1</a>, <a class="iref" href="#rfc.xref.RFC2617.2">1</a>, <a class="iref" href="#rfc.xref.RFC2617.3">2.1</a>, <a class="iref" href="#rfc.xref.RFC2617.4">2.2</a>, <a class="iref" href="#rfc.xref.RFC2617.5">3.1</a>, <a class="iref" href="#rfc.xref.RFC2617.6">3.2</a>, <a class="iref" href="#rfc.xref.RFC2617.7">3.3</a>, <a class="iref" href="#rfc.xref.RFC2617.8">3.4</a>, <a class="iref" href="#RFC2617"><b>7.1</b></a></li>
     786                  <li class="indline1"><em>RFC2617</em>&nbsp;&nbsp;<a class="iref" href="#rfc.xref.RFC2617.1">1</a>, <a class="iref" href="#rfc.xref.RFC2617.2">1</a>, <a class="iref" href="#rfc.xref.RFC2617.3">1</a>, <a class="iref" href="#rfc.xref.RFC2617.4">1</a>, <a class="iref" href="#rfc.xref.RFC2617.5">2.1</a>, <a class="iref" href="#rfc.xref.RFC2617.6">2.2</a>, <a class="iref" href="#rfc.xref.RFC2617.7">3.1</a>, <a class="iref" href="#rfc.xref.RFC2617.8">3.2</a>, <a class="iref" href="#rfc.xref.RFC2617.9">3.3</a>, <a class="iref" href="#rfc.xref.RFC2617.10">3.4</a>, <a class="iref" href="#RFC2617"><b>7.1</b></a><ul class="ind">
     787                        <li class="indline1"><em>Section 1.2</em>&nbsp;&nbsp;<a class="iref" href="#rfc.xref.RFC2617.3">1</a>, <a class="iref" href="#rfc.xref.RFC2617.4">1</a></li>
     788                     </ul>
     789                  </li>
    778790               </ul>
    779791            </li>
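Review bot: The regenerated RFC2617 index entry at new line 786 now lists section "1" four times in a row, and the new "Section 1.2" sub-entry at line 787 lists "1, 1". Both imported rules sit in the same figure, so a single reference per section would read better; if the index is produced by the stylesheet, collapsing duplicate section numbers there would fix this for every entry.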