Repeating auth-params

[julian.reschke@…]

We need to add a statement about what it means if a specific auth-param occurs more than once in a challenge; in particular for "realm" (ack James Manger)

[julian.reschke@…]

Test case for realm: ​http://greenbytes.de/tech/tc/httpauth/#simplebasic2realms

[mnot@…]

There seems to be little interop. Can we engage Chrome and see what they think about changing?

Depending upon that, we can either

1. say there's no interop explicitly
2. specify that the first one is to be used

If we can get interop, it'd be nice to define this generically for parameters -- but that's a bigger ask...

[julian.reschke@…]

I don't think it'll be easy to get interop for this, because:

a) in practice, it doesn't matter (nobody relies on it),

b) it's easy to break unintentionally (in FF, the behavior for C-d/filename changed twice over the last four releases due to other changes)

So I believe this is one of those where we should just state it's invalid.

[mnot@…]

OK, why don't we:

1. state that it's invalid
2. add a note to the parameters micro syntax (#266) stating that each parameter should only occur once, and that there isn't interop when implementations receive multiple parameters with the same name

[julian.reschke@…]

Proposed patch

[julian.reschke@…]

From [1473]:

State that auth param names are case-insensitive, and that each name must only occur once per challenge (see #321)