* WGs marked with an * asterisk has had at least one new draft made available during the last 5 days

Changeset 1394


Ignore:
Timestamp:
2011-08-09 04:19:37 (3 years ago)
Author:
julian.reschke@gmx.de
Message:

fix ABNF to be compatible with Basic by introducing 'b64token', but recommend against it for new schemes due to poor extensibility story (#see 195)

Location:
draft-ietf-httpbis/latest
Files:
3 edited

Legend:

Unmodified
Added
Removed
  • draft-ietf-httpbis/latest/httpbis.abnf

    r1386 r1394  
    7878auth-scheme = token 
    7979authority = <authority, defined in [RFC3986], Section 3.2> 
     80b64token = 1*( ALPHA / DIGIT / "-" / "." / "_" / "~" / "+" / "/" ) *"=" 
    8081byte-content-range-spec = bytes-unit SP byte-range-resp-spec "/" ( instance-length / "*" ) 
    8182byte-range-resp-spec = ( first-byte-pos "-" last-byte-pos ) / "*" 
     
    8889cache-request-directive = "no-cache" / "no-store" / ( "max-age=" delta-seconds ) / ( "max-stale" [ "=" delta-seconds ] ) / ( "min-fresh=" delta-seconds ) / "no-transform" / "only-if-cached" / cache-extension 
    8990cache-response-directive = "public" / ( "private" [ "=" DQUOTE *( "," OWS ) field-name *( OWS "," [ OWS field-name ] ) DQUOTE ] ) / ( "no-cache" [ "=" DQUOTE *( "," OWS ) field-name *( OWS "," [ OWS field-name ] ) DQUOTE ] ) / "no-store" / "no-transform" / "must-revalidate" / "proxy-revalidate" / ( "max-age=" delta-seconds ) / ( "s-maxage=" delta-seconds ) / cache-extension 
    90 challenge = auth-scheme 1*SP [ ( "," / auth-param ) *( OWS "," [ OWS auth-param ] ) ] 
     91challenge = auth-scheme [ 1*SP ( b64token / [ ( "," / auth-param ) *( OWS "," [ OWS auth-param ] ) ] ) ] 
    9192charset = token 
    9293chunk = chunk-size *WSP [ chunk-ext ] CRLF chunk-data CRLF 
     
    101102content-coding = token 
    102103content-range-spec = byte-content-range-spec / other-content-range-spec 
    103 credentials = auth-scheme 1*SP ( token / quoted-string / [ ( "," / auth-param ) *( OWS "," [ OWS auth-param ] ) ] ) 
     104credentials = auth-scheme [ 1*SP ( b64token / [ ( "," / auth-param ) *( OWS "," [ OWS auth-param ] ) ] ) ] 
    104105ctext = OWS / %x21-27 ; '!'-''' 
    105106 / %x2A-5B ; '*'-'[' 
  • draft-ietf-httpbis/latest/p7-auth.html

    r1388 r1394  
    359359  }  
    360360  @bottom-center { 
    361        content: "Expires February 9, 2012";  
     361       content: "Expires February 10, 2012";  
    362362  }  
    363363  @bottom-right { 
     
    404404      <meta name="dct.creator" content="Reschke, J. F."> 
    405405      <meta name="dct.identifier" content="urn:ietf:id:draft-ietf-httpbis-p7-auth-latest"> 
    406       <meta name="dct.issued" scheme="ISO8601" content="2011-08-08"> 
     406      <meta name="dct.issued" scheme="ISO8601" content="2011-08-09"> 
    407407      <meta name="dct.replaces" content="urn:ietf:rfc:2616"> 
    408408      <meta name="dct.abstract" content="The Hypertext Transfer Protocol (HTTP) is an application-level protocol for distributed, collaborative, hypermedia information systems. HTTP has been in use by the World Wide Web global information initiative since 1990. This document is Part 7 of the seven-part specification that defines the protocol referred to as &#34;HTTP/1.1&#34; and, taken together, obsoletes RFC 2616. Part 7 defines the HTTP Authentication framework."> 
     
    435435            </tr> 
    436436            <tr> 
    437                <td class="left">Expires: February 9, 2012</td> 
     437               <td class="left">Expires: February 10, 2012</td> 
    438438               <td class="right">HP</td> 
    439439            </tr> 
     
    488488            <tr> 
    489489               <td class="left"></td> 
    490                <td class="right">August 8, 2011</td> 
     490               <td class="right">August 9, 2011</td> 
    491491            </tr> 
    492492         </tbody> 
     
    516516         in progress”. 
    517517      </p> 
    518       <p>This Internet-Draft will expire on February 9, 2012.</p> 
     518      <p>This Internet-Draft will expire on February 10, 2012.</p> 
    519519      <h1><a id="rfc.copyrightnotice" href="#rfc.copyrightnotice">Copyright Notice</a></h1> 
    520520      <p>Copyright © 2011 IETF Trust and the persons identified as the document authors. All rights reserved.</p> 
     
    638638      <p id="rfc.section.2.1.p.1">HTTP provides a simple challenge-response authentication mechanism that can be used by a server to challenge a client request 
    639639         and by a client to provide authentication information. It uses an extensible, case-insensitive token to identify the authentication 
    640          scheme, followed by a comma-separated list of attribute-value pairs which carry the parameters necessary for achieving authentication 
    641          via that scheme. 
    642       </p> 
    643       <div id="rfc.figure.u.2"></div><pre class="inline"><span id="rfc.iref.a.1"></span><span id="rfc.iref.a.2"></span><span id="rfc.iref.g.1"></span><span id="rfc.iref.g.2"></span>  auth-scheme    = <a href="#core.rules" class="smpl">token</a> 
     640         scheme, followed by additional information necessary for achieving authentication via that scheme. The latter can either be 
     641         a comma-separated list of attribute-value pairs or a single sequence of characters capable of holding base64-encoded information. 
     642      </p> 
     643      <div id="rfc.figure.u.2"></div><pre class="inline"><span id="rfc.iref.a.1"></span><span id="rfc.iref.a.2"></span><span id="rfc.iref.g.1"></span><span id="rfc.iref.g.2"></span><span id="rfc.iref.b.1"></span><span id="rfc.iref.g.3"></span>  auth-scheme    = <a href="#core.rules" class="smpl">token</a> 
     644   
    644645  auth-param     = <a href="#core.rules" class="smpl">token</a> <a href="#core.rules" class="smpl">BWS</a> "=" <a href="#core.rules" class="smpl">BWS</a> ( <a href="#core.rules" class="smpl">token</a> / <a href="#core.rules" class="smpl">quoted-string</a> ) 
    645 </pre><p id="rfc.section.2.1.p.3">The 401 (Unauthorized) response message is used by an origin server to challenge the authorization of a user agent. This response <em class="bcp14">MUST</em> include a WWW-Authenticate header field containing at least one challenge applicable to the requested resource. 
    646       </p> 
    647       <p id="rfc.section.2.1.p.4">The 407 (Proxy Authentication Required) response message is used by a proxy to challenge the authorization of a client and <em class="bcp14">MUST</em> include a Proxy-Authenticate header field containing at least one challenge applicable to the proxy for the requested resource. 
    648       </p> 
    649       <div id="rfc.figure.u.3"></div><pre class="inline"><span id="rfc.iref.c.1"></span><span id="rfc.iref.g.3"></span>  <a href="#challenge.and.response" class="smpl">challenge</a>   = <a href="#challenge.and.response" class="smpl">auth-scheme</a> 1*<a href="#notation" class="smpl">SP</a> #<a href="#challenge.and.response" class="smpl">auth-param</a> 
    650 </pre><div class="note" id="rfc.section.2.1.p.6">  
     646 
     647  b64token       = 1*( <a href="#notation" class="smpl">ALPHA</a> / <a href="#notation" class="smpl">DIGIT</a> / 
     648                       "-" / "." / "_" / "~" / "+" / "/" ) *"="  
     649</pre><p id="rfc.section.2.1.p.3">The "b64token" syntax allows the 66 unreserved URI characters (<a href="#RFC3986" id="rfc.xref.RFC3986.1"><cite title="Uniform Resource Identifier (URI): Generic Syntax">[RFC3986]</cite></a>), plus a few others, so that it can hold a base64, base64url (URL and filename safe alphabet), base32, or base16 (hex) encoding, 
     650         with or without padding, but excluding whitespace (<a href="#RFC4648" id="rfc.xref.RFC4648.1"><cite title="The Base16, Base32, and Base64 Data Encodings">[RFC4648]</cite></a>). 
     651      </p> 
     652      <p id="rfc.section.2.1.p.4">The 401 (Unauthorized) response message is used by an origin server to challenge the authorization of a user agent. This response <em class="bcp14">MUST</em> include a WWW-Authenticate header field containing at least one challenge applicable to the requested resource. 
     653      </p> 
     654      <p id="rfc.section.2.1.p.5">The 407 (Proxy Authentication Required) response message is used by a proxy to challenge the authorization of a client and <em class="bcp14">MUST</em> include a Proxy-Authenticate header field containing at least one challenge applicable to the proxy for the requested resource. 
     655      </p> 
     656      <div id="rfc.figure.u.3"></div><pre class="inline"><span id="rfc.iref.c.1"></span><span id="rfc.iref.g.4"></span>  <a href="#challenge.and.response" class="smpl">challenge</a>   = <a href="#challenge.and.response" class="smpl">auth-scheme</a> [ 1*<a href="#notation" class="smpl">SP</a> ( <a href="#challenge.and.response" class="smpl">b64token</a> / #<a href="#challenge.and.response" class="smpl">auth-param</a> ) ] 
     657</pre><div class="note" id="rfc.section.2.1.p.7">  
    651658         <p> <b>Note:</b> User agents will need to take special care in parsing the WWW-Authenticate and Proxy-Authenticate header field values because 
    652659            they can contain more than one challenge, or if more than one of each is provided, since the contents of a challenge can itself 
     
    654661         </p>  
    655662      </div> 
    656       <div class="note" id="rfc.section.2.1.p.7">  
     663      <div class="note" id="rfc.section.2.1.p.8">  
    657664         <p> <b>Note:</b> Many browsers fail to parse challenges containing unknown schemes. A workaround for this problem is to list well-supported 
    658665            schemes (such as "basic") first.  
    659666         </p>  
    660667      </div> 
    661       <p id="rfc.section.2.1.p.8">A user agent that wishes to authenticate itself with an origin server — usually, but not necessarily, after receiving a 401 
     668      <p id="rfc.section.2.1.p.9">A user agent that wishes to authenticate itself with an origin server — usually, but not necessarily, after receiving a 401 
    662669         (Unauthorized) — <em class="bcp14">MAY</em> do so by including an Authorization header field with the request. 
    663670      </p> 
    664       <p id="rfc.section.2.1.p.9">A client that wishes to authenticate itself with a proxy — usually, but not necessarily, after receiving a 407 (Proxy Authentication 
     671      <p id="rfc.section.2.1.p.10">A client that wishes to authenticate itself with a proxy — usually, but not necessarily, after receiving a 407 (Proxy Authentication 
    665672         Required) — <em class="bcp14">MAY</em> do so by including a Proxy-Authorization header field with the request. 
    666673      </p> 
    667       <p id="rfc.section.2.1.p.10">Both the Authorization field value and the Proxy-Authorization field value consist of credentials containing the authentication 
     674      <p id="rfc.section.2.1.p.11">Both the Authorization field value and the Proxy-Authorization field value consist of credentials containing the authentication 
    668675         information of the client for the realm of the resource being requested. The user agent <em class="bcp14">MUST</em> choose to use one of the challenges with the strongest auth-scheme it understands and request credentials from the user based 
    669676         upon that challenge. 
    670677      </p> 
    671       <div id="rfc.figure.u.4"></div><pre class="inline"><span id="rfc.iref.c.2"></span><span id="rfc.iref.g.4"></span>  <a href="#challenge.and.response" class="smpl">credentials</a> = <a href="#challenge.and.response" class="smpl">auth-scheme</a> 1*<a href="#notation" class="smpl">SP</a> ( <a href="#core.rules" class="smpl">token</a> 
    672                                  / <a href="#core.rules" class="smpl">quoted-string</a> 
    673                                  / #<a href="#challenge.and.response" class="smpl">auth-param</a> ) 
    674 </pre><p id="rfc.section.2.1.p.12">If the origin server does not wish to accept the credentials sent with a request, it <em class="bcp14">SHOULD</em> return a 401 (Unauthorized) response. The response <em class="bcp14">MUST</em> include a WWW-Authenticate header field containing at least one (possibly new) challenge applicable to the requested resource. 
    675       </p> 
    676       <p id="rfc.section.2.1.p.13">If a proxy does not accept the credentials sent with a request, it <em class="bcp14">SHOULD</em> return a 407 (Proxy Authentication Required). The response <em class="bcp14">MUST</em> include a Proxy-Authenticate header field containing a (possibly new) challenge applicable to the proxy for the requested 
     678      <div id="rfc.figure.u.4"></div><pre class="inline"><span id="rfc.iref.c.2"></span><span id="rfc.iref.g.5"></span>  <a href="#challenge.and.response" class="smpl">credentials</a> = <a href="#challenge.and.response" class="smpl">auth-scheme</a> [ 1*<a href="#notation" class="smpl">SP</a> ( <a href="#challenge.and.response" class="smpl">b64token</a> / #<a href="#challenge.and.response" class="smpl">auth-param</a> ) ] 
     679</pre><p id="rfc.section.2.1.p.13">If the origin server does not wish to accept the credentials sent with a request, it <em class="bcp14">SHOULD</em> return a 401 (Unauthorized) response. The response <em class="bcp14">MUST</em> include a WWW-Authenticate header field containing at least one (possibly new) challenge applicable to the requested resource. 
     680      </p> 
     681      <p id="rfc.section.2.1.p.14">If a proxy does not accept the credentials sent with a request, it <em class="bcp14">SHOULD</em> return a 407 (Proxy Authentication Required). The response <em class="bcp14">MUST</em> include a Proxy-Authenticate header field containing a (possibly new) challenge applicable to the proxy for the requested 
    677682         resource. 
    678683      </p> 
    679       <p id="rfc.section.2.1.p.14">The HTTP protocol does not restrict applications to this simple challenge-response mechanism for access authentication. Additional 
     684      <p id="rfc.section.2.1.p.15">The HTTP protocol does not restrict applications to this simple challenge-response mechanism for access authentication. Additional 
    680685         mechanisms <em class="bcp14">MAY</em> be used, such as encryption at the transport level or via message encapsulation, and with additional header fields specifying 
    681686         authentication information. However, such additional mechanisms are not defined by this specification. 
    682687      </p> 
    683       <p id="rfc.section.2.1.p.15">Proxies <em class="bcp14">MUST</em> forward the WWW-Authenticate and Authorization headers unmodified and follow the rules found in <a href="#header.authorization" id="rfc.xref.header.authorization.1" title="Authorization">Section&nbsp;4.1</a>. 
     688      <p id="rfc.section.2.1.p.16">Proxies <em class="bcp14">MUST</em> forward the WWW-Authenticate and Authorization headers unmodified and follow the rules found in <a href="#header.authorization" id="rfc.xref.header.authorization.1" title="Authorization">Section&nbsp;4.1</a>. 
    684689      </p> 
    685690      <div id="rfc.iref.p.1"></div> 
     
    687692      <h2 id="rfc.section.2.2"><a href="#rfc.section.2.2">2.2</a>&nbsp;<a id="protection.space" href="#protection.space">Protection Space (Realm)</a></h2> 
    688693      <p id="rfc.section.2.2.p.1">The authentication parameter realm is reserved for use by authentication schemes that wish to indicate the scope of protection:</p> 
    689       <div id="rfc.figure.u.5"></div><pre class="inline"><span id="rfc.iref.r.2"></span><span id="rfc.iref.r.3"></span><span id="rfc.iref.g.5"></span>  realm       = "realm" "=" realm-value 
     694      <div id="rfc.figure.u.5"></div><pre class="inline"><span id="rfc.iref.r.2"></span><span id="rfc.iref.r.3"></span><span id="rfc.iref.g.6"></span>  realm       = "realm" "=" realm-value 
    690695  realm-value = quoted-string 
    691696</pre><p id="rfc.section.2.2.p.3">A <dfn>protection space</dfn> is defined by the canonical root URI (the scheme and authority components of the effective request URI; see <a href="p1-messaging.html#effective.request.uri" title="Effective Request URI">Section 4.3</a> of <a href="#Part1" id="rfc.xref.Part1.7"><cite title="HTTP/1.1, part 1: URIs, Connections, and Message Parsing">[Part1]</cite></a>) of the server being accessed, in combination with the realm value if present. These realms allow the protected resources 
     
    726731         <li> 
    727732            <p>The authentication parameter "realm" is reserved for defining Protection Spaces as defined in <a href="#protection.space" title="Protection Space (Realm)">Section&nbsp;2.2</a>. New schemes <em class="bcp14">MUST NOT</em> use it in a way incompatible with that definition. 
     733            </p> 
     734         </li> 
     735         <li> 
     736            <p>The "b64token" notation was introduced for compatibility with existing authentication schemes and can only be used once per 
     737               challenge/credentials. New schemes thus ought to use the "auth-param" syntax instead, because otherwise future extensions 
     738               will be impossible. 
    728739            </p> 
    729740         </li> 
     
    744755      </ul> 
    745756      <h1 id="rfc.section.3"><a href="#rfc.section.3">3.</a>&nbsp;<a id="status.code.definitions" href="#status.code.definitions">Status Code Definitions</a></h1> 
    746       <div id="rfc.iref.13"></div> 
     757      <div id="rfc.iref.15"></div> 
    747758      <div id="rfc.iref.s.1"></div> 
    748759      <h2 id="rfc.section.3.1"><a href="#rfc.section.3.1">3.1</a>&nbsp;<a id="status.401" href="#status.401">401 Unauthorized</a></h2> 
     
    752763         information. 
    753764      </p> 
    754       <div id="rfc.iref.14"></div> 
     765      <div id="rfc.iref.16"></div> 
    755766      <div id="rfc.iref.s.2"></div> 
    756767      <h2 id="rfc.section.3.2"><a href="#rfc.section.3.2">3.2</a>&nbsp;<a id="status.407" href="#status.407">407 Proxy Authentication Required</a></h2> 
     
    767778         for the realm of the resource being requested. 
    768779      </p> 
    769       <div id="rfc.figure.u.6"></div><pre class="inline"><span id="rfc.iref.g.6"></span>  <a href="#header.authorization" class="smpl">Authorization</a> = <a href="#challenge.and.response" class="smpl">credentials</a> 
     780      <div id="rfc.figure.u.6"></div><pre class="inline"><span id="rfc.iref.g.7"></span>  <a href="#header.authorization" class="smpl">Authorization</a> = <a href="#challenge.and.response" class="smpl">credentials</a> 
    770781</pre><p id="rfc.section.4.1.p.3">If a request is authenticated and a realm specified, the same credentials <em class="bcp14">SHOULD</em> be valid for all other requests within this realm (assuming that the authentication scheme itself does not require otherwise, 
    771782         such as credentials that vary according to a challenge value or using synchronized clocks). 
     
    790801         to the proxy for this effective request URI (<a href="p1-messaging.html#effective.request.uri" title="Effective Request URI">Section 4.3</a> of <a href="#Part1" id="rfc.xref.Part1.9"><cite title="HTTP/1.1, part 1: URIs, Connections, and Message Parsing">[Part1]</cite></a>). It <em class="bcp14">MUST</em> be included as part of a 407 (Proxy Authentication Required) response. 
    791802      </p> 
    792       <div id="rfc.figure.u.7"></div><pre class="inline"><span id="rfc.iref.g.7"></span>  <a href="#header.proxy-authenticate" class="smpl">Proxy-Authenticate</a> = 1#<a href="#challenge.and.response" class="smpl">challenge</a> 
     803      <div id="rfc.figure.u.7"></div><pre class="inline"><span id="rfc.iref.g.8"></span>  <a href="#header.proxy-authenticate" class="smpl">Proxy-Authenticate</a> = 1#<a href="#challenge.and.response" class="smpl">challenge</a> 
    793804</pre><p id="rfc.section.4.2.p.3">Unlike WWW-Authenticate, the Proxy-Authenticate header field applies only to the current connection and <em class="bcp14">SHOULD NOT</em> be passed on to downstream clients. However, an intermediate proxy might need to obtain its own credentials by requesting 
    794805         them from the downstream client, which in some circumstances will appear as if the proxy is forwarding the Proxy-Authenticate 
     
    802813         the resource being requested. 
    803814      </p> 
    804       <div id="rfc.figure.u.8"></div><pre class="inline"><span id="rfc.iref.g.8"></span>  <a href="#header.proxy-authorization" class="smpl">Proxy-Authorization</a> = <a href="#challenge.and.response" class="smpl">credentials</a> 
     815      <div id="rfc.figure.u.8"></div><pre class="inline"><span id="rfc.iref.g.9"></span>  <a href="#header.proxy-authorization" class="smpl">Proxy-Authorization</a> = <a href="#challenge.and.response" class="smpl">credentials</a> 
    805816</pre><p id="rfc.section.4.3.p.3">Unlike Authorization, the Proxy-Authorization header field applies only to the next outbound proxy that demanded authentication 
    806817         using the Proxy-Authenticate field. When multiple proxies are used in a chain, the Proxy-Authorization header field is consumed 
     
    817828         response. 
    818829      </p> 
    819       <div id="rfc.figure.u.9"></div><pre class="inline"><span id="rfc.iref.g.9"></span>  <a href="#header.www-authenticate" class="smpl">WWW-Authenticate</a> = 1#<a href="#challenge.and.response" class="smpl">challenge</a> 
     830      <div id="rfc.figure.u.9"></div><pre class="inline"><span id="rfc.iref.g.10"></span>  <a href="#header.www-authenticate" class="smpl">WWW-Authenticate</a> = 1#<a href="#challenge.and.response" class="smpl">challenge</a> 
    820831</pre><p id="rfc.section.4.4.p.4">User agents are advised to take special care in parsing the WWW-Authenticate field value as it might contain more than one 
    821832         challenge, or if more than one WWW-Authenticate header field is provided, the contents of a challenge itself can contain a 
     
    962973      <h2 id="rfc.references.2"><a href="#rfc.section.8.2" id="rfc.section.8.2">8.2</a> Informative References 
    963974      </h2> 
    964       <table>         
     975      <table>             
    965976         <tr> 
    966977            <td class="reference"><b id="RFC2616">[RFC2616]</b></td> 
     
    976987            <td class="reference"><b id="RFC3864">[RFC3864]</b></td> 
    977988            <td class="top"><a href="mailto:GK-IETF@ninebynine.org" title="Nine by Nine">Klyne, G.</a>, <a href="mailto:mnot@pobox.com" title="BEA Systems">Nottingham, M.</a>, and <a href="mailto:JeffMogul@acm.org" title="HP Labs">J. Mogul</a>, “<a href="http://tools.ietf.org/html/rfc3864">Registration Procedures for Message Header Fields</a>”, BCP&nbsp;90, RFC&nbsp;3864, September&nbsp;2004. 
     989            </td> 
     990         </tr> 
     991         <tr> 
     992            <td class="reference"><b id="RFC3986">[RFC3986]</b></td> 
     993            <td class="top"><a href="mailto:timbl@w3.org" title="World Wide Web Consortium">Berners-Lee, T.</a>, <a href="mailto:fielding@gbiv.com" title="Day Software">Fielding, R.</a>, and <a href="mailto:LMM@acm.org" title="Adobe Systems Incorporated">L. Masinter</a>, “<a href="http://tools.ietf.org/html/rfc3986">Uniform Resource Identifier (URI): Generic Syntax</a>”, STD&nbsp;66, RFC&nbsp;3986, January&nbsp;2005. 
     994            </td> 
     995         </tr> 
     996         <tr> 
     997            <td class="reference"><b id="RFC4648">[RFC4648]</b></td> 
     998            <td class="top">Josefsson, S., “<a href="http://tools.ietf.org/html/rfc4648">The Base16, Base32, and Base64 Data Encodings</a>”, RFC&nbsp;4648, October&nbsp;2006. 
    978999            </td> 
    9791000         </tr> 
     
    10061027         (<a href="#access.authentication.framework" title="Access Authentication Framework">Section&nbsp;2</a>) 
    10071028      </p> 
    1008       <p id="rfc.section.A.p.2">Change ABNF productions for header fields to only define the field value. (<a href="#header.fields" title="Header Field Definitions">Section&nbsp;4</a>) 
     1029      <p id="rfc.section.A.p.2">The "b64token" alternative to auth-param lists has been added for consistency with legacy authentication schemes such as "Basic". 
     1030         (<a href="#access.authentication.framework" title="Access Authentication Framework">Section&nbsp;2</a>) 
     1031      </p> 
     1032      <p id="rfc.section.A.p.3">Change ABNF productions for header fields to only define the field value. (<a href="#header.fields" title="Header Field Definitions">Section&nbsp;4</a>) 
    10091033      </p> 
    10101034      <h1 id="rfc.section.B"><a href="#rfc.section.B">B.</a>&nbsp;<a id="collected.abnf" href="#collected.abnf">Collected ABNF</a></h1> 
     
    10251049<a href="#challenge.and.response" class="smpl">auth-scheme</a> = token 
    10261050 
    1027 <a href="#challenge.and.response" class="smpl">challenge</a> = auth-scheme 1*SP [ ( "," / auth-param ) *( OWS "," [ OWS 
    1028  auth-param ] ) ] 
    1029 <a href="#challenge.and.response" class="smpl">credentials</a> = auth-scheme 1*SP ( token / quoted-string / [ ( "," / 
    1030  auth-param ) *( OWS "," [ OWS auth-param ] ) ] ) 
     1051<a href="#challenge.and.response" class="smpl">b64token</a> = 1*( ALPHA / DIGIT / "-" / "." / "_" / "~" / "+" / "/" ) 
     1052 *"=" 
     1053 
     1054<a href="#challenge.and.response" class="smpl">challenge</a> = auth-scheme [ 1*SP ( b64token / [ ( "," / auth-param ) *( 
     1055 OWS "," [ OWS auth-param ] ) ] ) ] 
     1056<a href="#challenge.and.response" class="smpl">credentials</a> = auth-scheme [ 1*SP ( b64token / [ ( "," / auth-param ) 
     1057 *( OWS "," [ OWS auth-param ] ) ] ) ] 
    10311058 
    10321059<a href="#core.rules" class="smpl">quoted-string</a> = &lt;quoted-string, defined in [Part1], Section 1.2.2&gt; 
     
    11361163         <li> &lt;<a href="http://tools.ietf.org/wg/httpbis/trac/ticket/177">http://tools.ietf.org/wg/httpbis/trac/ticket/177</a>&gt;: "Realm required on challenges" 
    11371164         </li> 
     1165         <li> &lt;<a href="http://tools.ietf.org/wg/httpbis/trac/ticket/195">http://tools.ietf.org/wg/httpbis/trac/ticket/195</a>&gt;: "auth-param syntax" 
     1166         </li> 
    11381167         <li> &lt;<a href="http://tools.ietf.org/wg/httpbis/trac/ticket/257">http://tools.ietf.org/wg/httpbis/trac/ticket/257</a>&gt;: "Considerations for new authentications schemes" 
    11391168         </li> 
     
    11441173      </ul> 
    11451174      <h1 id="rfc.index"><a href="#rfc.index">Index</a></h1> 
    1146       <p class="noprint"><a href="#rfc.index.4">4</a> <a href="#rfc.index.A">A</a> <a href="#rfc.index.C">C</a> <a href="#rfc.index.G">G</a> <a href="#rfc.index.H">H</a> <a href="#rfc.index.P">P</a> <a href="#rfc.index.R">R</a> <a href="#rfc.index.S">S</a> <a href="#rfc.index.W">W</a>  
     1175      <p class="noprint"><a href="#rfc.index.4">4</a> <a href="#rfc.index.A">A</a> <a href="#rfc.index.B">B</a> <a href="#rfc.index.C">C</a> <a href="#rfc.index.G">G</a> <a href="#rfc.index.H">H</a> <a href="#rfc.index.P">P</a> <a href="#rfc.index.R">R</a> <a href="#rfc.index.S">S</a> <a href="#rfc.index.W">W</a>  
    11471176      </p> 
    11481177      <div class="print2col"> 
    11491178         <ul class="ind"> 
    11501179            <li><a id="rfc.index.4" href="#rfc.index.4"><b>4</b></a><ul> 
    1151                   <li>401 Unauthorized (status code)&nbsp;&nbsp;<a href="#rfc.iref.13"><b>3.1</b></a>, <a href="#rfc.xref.status.401.1">5.2</a></li> 
    1152                   <li>407 Proxy Authentication Required (status code)&nbsp;&nbsp;<a href="#rfc.iref.14"><b>3.2</b></a>, <a href="#rfc.xref.status.407.1">5.2</a></li> 
     1180                  <li>401 Unauthorized (status code)&nbsp;&nbsp;<a href="#rfc.iref.15"><b>3.1</b></a>, <a href="#rfc.xref.status.401.1">5.2</a></li> 
     1181                  <li>407 Proxy Authentication Required (status code)&nbsp;&nbsp;<a href="#rfc.iref.16"><b>3.2</b></a>, <a href="#rfc.xref.status.407.1">5.2</a></li> 
    11531182               </ul> 
    11541183            </li> 
     
    11571186                  <li><tt>auth-scheme</tt>&nbsp;&nbsp;<a href="#rfc.iref.a.1"><b>2.1</b></a></li> 
    11581187                  <li>Authorization header field&nbsp;&nbsp;<a href="#rfc.xref.header.authorization.1">2.1</a>, <a href="#rfc.xref.header.authorization.2">3.1</a>, <a href="#rfc.iref.a.3"><b>4.1</b></a>, <a href="#rfc.xref.header.authorization.3">5.3</a></li> 
     1188               </ul> 
     1189            </li> 
     1190            <li><a id="rfc.index.B" href="#rfc.index.B"><b>B</b></a><ul> 
     1191                  <li><tt>b64token</tt>&nbsp;&nbsp;<a href="#rfc.iref.b.1"><b>2.1</b></a></li> 
    11591192               </ul> 
    11601193            </li> 
     
    11691202                        <li><tt>auth-param</tt>&nbsp;&nbsp;<a href="#rfc.iref.g.2"><b>2.1</b></a></li> 
    11701203                        <li><tt>auth-scheme</tt>&nbsp;&nbsp;<a href="#rfc.iref.g.1"><b>2.1</b></a></li> 
    1171                         <li><tt>Authorization</tt>&nbsp;&nbsp;<a href="#rfc.iref.g.6"><b>4.1</b></a></li> 
    1172                         <li><tt>challenge</tt>&nbsp;&nbsp;<a href="#rfc.iref.g.3"><b>2.1</b></a></li> 
    1173                         <li><tt>credentials</tt>&nbsp;&nbsp;<a href="#rfc.iref.g.4"><b>2.1</b></a></li> 
    1174                         <li><tt>Proxy-Authenticate</tt>&nbsp;&nbsp;<a href="#rfc.iref.g.7"><b>4.2</b></a></li> 
    1175                         <li><tt>Proxy-Authorization</tt>&nbsp;&nbsp;<a href="#rfc.iref.g.8"><b>4.3</b></a></li> 
    1176                         <li><tt>realm</tt>&nbsp;&nbsp;<a href="#rfc.iref.g.5"><b>2.2</b></a></li> 
    1177                         <li><tt>WWW-Authenticate</tt>&nbsp;&nbsp;<a href="#rfc.iref.g.9"><b>4.4</b></a></li> 
     1204                        <li><tt>Authorization</tt>&nbsp;&nbsp;<a href="#rfc.iref.g.7"><b>4.1</b></a></li> 
     1205                        <li><tt>b64token</tt>&nbsp;&nbsp;<a href="#rfc.iref.g.3"><b>2.1</b></a></li> 
     1206                        <li><tt>challenge</tt>&nbsp;&nbsp;<a href="#rfc.iref.g.4"><b>2.1</b></a></li> 
     1207                        <li><tt>credentials</tt>&nbsp;&nbsp;<a href="#rfc.iref.g.5"><b>2.1</b></a></li> 
     1208                        <li><tt>Proxy-Authenticate</tt>&nbsp;&nbsp;<a href="#rfc.iref.g.8"><b>4.2</b></a></li> 
     1209                        <li><tt>Proxy-Authorization</tt>&nbsp;&nbsp;<a href="#rfc.iref.g.9"><b>4.3</b></a></li> 
     1210                        <li><tt>realm</tt>&nbsp;&nbsp;<a href="#rfc.iref.g.6"><b>2.2</b></a></li> 
     1211                        <li><tt>WWW-Authenticate</tt>&nbsp;&nbsp;<a href="#rfc.iref.g.10"><b>4.4</b></a></li> 
    11781212                     </ul> 
    11791213                  </li> 
     
    12201254                  </li> 
    12211255                  <li><em>RFC3864</em>&nbsp;&nbsp;<a href="#rfc.xref.RFC3864.1">5.3</a>, <a href="#RFC3864"><b>8.2</b></a></li> 
     1256                  <li><em>RFC3986</em>&nbsp;&nbsp;<a href="#rfc.xref.RFC3986.1">2.1</a>, <a href="#RFC3986"><b>8.2</b></a></li> 
     1257                  <li><em>RFC4648</em>&nbsp;&nbsp;<a href="#rfc.xref.RFC4648.1">2.1</a>, <a href="#RFC4648"><b>8.2</b></a></li> 
    12221258                  <li><em>RFC5226</em>&nbsp;&nbsp;<a href="#rfc.xref.RFC5226.1">2.3</a>, <a href="#RFC5226"><b>8.2</b></a><ul> 
    12231259                        <li><em>Section 4.1</em>&nbsp;&nbsp;<a href="#rfc.xref.RFC5226.1">2.3</a></li> 
  • draft-ietf-httpbis/latest/p7-auth.xml

    r1389 r1394  
    295295  <x:anchor-alias value="auth-scheme"/> 
    296296  <x:anchor-alias value="auth-param"/> 
     297  <x:anchor-alias value="b64token"/> 
    297298  <x:anchor-alias value="challenge"/> 
    298299  <x:anchor-alias value="credentials"/> 
     
    301302   that can be used by a server to challenge a client request and by a 
    302303   client to provide authentication information. It uses an extensible, 
    303    case-insensitive token to identify the authentication scheme, 
    304    followed by a comma-separated list of attribute-value pairs which 
    305    carry the parameters necessary for achieving authentication via that 
    306    scheme. 
    307 </t> 
    308 <figure><artwork type="abnf2616"><iref item="auth-scheme" primary="true"/><iref item="auth-param" primary="true"/><iref primary="true" item="Grammar" subitem="auth-scheme"/><iref primary="true" item="Grammar" subitem="auth-param"/> 
     304   case-insensitive token to identify the authentication scheme, followed 
     305   by additional information necessary for achieving authentication via that 
     306   scheme. The latter can either be a comma-separated list of attribute-value 
     307   pairs or a single sequence of characters capable of holding base64-encoded 
     308   information. 
     309</t> 
     310<figure><artwork type="abnf2616"><iref item="auth-scheme" primary="true"/><iref item="auth-param" primary="true"/><iref primary="true" item="Grammar" subitem="auth-scheme"/><iref primary="true" item="Grammar" subitem="auth-param"/><iref item="b64token" primary="true"/><iref primary="true" item="Grammar" subitem="b64token"/> 
    309311  auth-scheme    = <x:ref>token</x:ref> 
     312   
    310313  auth-param     = <x:ref>token</x:ref> <x:ref>BWS</x:ref> "=" <x:ref>BWS</x:ref> ( <x:ref>token</x:ref> / <x:ref>quoted-string</x:ref> ) 
     314 
     315  b64token       = 1*( <x:ref>ALPHA</x:ref> / <x:ref>DIGIT</x:ref> / 
     316                       "-" / "." / "_" / "~" / "+" / "/" ) *"="  
    311317</artwork></figure> 
     318<t> 
     319   The "b64token" syntax allows the 66 unreserved URI characters (<xref target="RFC3986"/>), 
     320   plus a few others, so that it can hold a base64, base64url (URL and filename 
     321   safe alphabet), base32, or base16 (hex) encoding, with or without padding, but 
     322   excluding whitespace (<xref target="RFC4648"/>).  
     323</t> 
    312324<t> 
    313325   The 401 (Unauthorized) response message is used by an origin server 
     
    323335</t> 
    324336<figure><artwork type="abnf2616"><iref item="challenge" primary="true"/><iref primary="true" item="Grammar" subitem="challenge"/> 
    325   <x:ref>challenge</x:ref>   = <x:ref>auth-scheme</x:ref> 1*<x:ref>SP</x:ref> #<x:ref>auth-param</x:ref> 
     337  <x:ref>challenge</x:ref>   = <x:ref>auth-scheme</x:ref> [ 1*<x:ref>SP</x:ref> ( <x:ref>b64token</x:ref> / #<x:ref>auth-param</x:ref> ) ] 
    326338</artwork></figure> 
    327339<x:note> 
     
    361373</t> 
    362374<figure><artwork type="abnf2616"><iref item="credentials" primary="true"/><iref primary="true" item="Grammar" subitem="credentials"/> 
    363   <x:ref>credentials</x:ref> = <x:ref>auth-scheme</x:ref> 1*<x:ref>SP</x:ref> ( <x:ref>token</x:ref> 
    364                                  / <x:ref>quoted-string</x:ref> 
    365                                  / #<x:ref>auth-param</x:ref> ) 
     375  <x:ref>credentials</x:ref> = <x:ref>auth-scheme</x:ref> [ 1*<x:ref>SP</x:ref> ( <x:ref>b64token</x:ref> / #<x:ref>auth-param</x:ref> ) ] 
    366376</artwork></figure> 
    367377<t> 
     
    470480      Spaces as defined in <xref target="protection.space"/>. New schemes 
    471481      &MUST-NOT; use it in a way incompatible with that definition. 
     482    </t> 
     483    </x:lt> 
     484    <x:lt> 
     485    <t> 
     486      The "b64token" notation was introduced for compatibility with existing 
     487      authentication schemes and can only be used once per challenge/credentials. 
     488      New schemes thus ought to use the "auth-param" syntax instead, because 
     489      otherwise future extensions will be impossible. 
    472490    </t> 
    473491    </x:lt> 
     
    10361054</reference> 
    10371055 
     1056<reference anchor="RFC3986"> 
     1057 <front> 
     1058  <title abbrev='URI Generic Syntax'>Uniform Resource Identifier (URI): Generic Syntax</title> 
     1059  <author initials='T.' surname='Berners-Lee' fullname='Tim Berners-Lee'> 
     1060    <organization abbrev="W3C/MIT">World Wide Web Consortium</organization> 
     1061    <address> 
     1062       <email>timbl@w3.org</email> 
     1063       <uri>http://www.w3.org/People/Berners-Lee/</uri> 
     1064    </address> 
     1065  </author> 
     1066  <author initials='R.' surname='Fielding' fullname='Roy T. Fielding'> 
     1067    <organization abbrev="Day Software">Day Software</organization> 
     1068    <address> 
     1069      <email>fielding@gbiv.com</email> 
     1070      <uri>http://roy.gbiv.com/</uri> 
     1071    </address> 
     1072  </author> 
     1073  <author initials='L.' surname='Masinter' fullname='Larry Masinter'> 
     1074    <organization abbrev="Adobe Systems">Adobe Systems Incorporated</organization> 
     1075    <address> 
     1076      <email>LMM@acm.org</email> 
     1077      <uri>http://larry.masinter.net/</uri> 
     1078    </address> 
     1079  </author> 
     1080  <date month='January' year='2005'></date> 
     1081 </front> 
     1082 <seriesInfo name="STD" value="66"/> 
     1083 <seriesInfo name="RFC" value="3986"/> 
     1084</reference> 
     1085 
     1086<reference anchor="RFC4648"> 
     1087  <front> 
     1088    <title>The Base16, Base32, and Base64 Data Encodings</title> 
     1089    <author fullname="S. Josefsson" initials="S." surname="Josefsson"/> 
     1090    <date year="2006" month="October"/> 
     1091  </front> 
     1092  <seriesInfo value="4648" name="RFC"/> 
     1093</reference> 
     1094 
    10381095<reference anchor='RFC5226'> 
    10391096  <front> 
     
    10621119</t> 
    10631120<t> 
     1121  The "b64token" alternative to auth-param lists has been added for consistency 
     1122  with legacy authentication schemes such as "Basic". 
     1123  (<xref target="access.authentication.framework"/>) 
     1124</t> 
     1125<t> 
    10641126  Change ABNF productions for header fields to only define the field value. 
    10651127  (<xref target="header.fields"/>) 
     
    10871149<x:ref>auth-scheme</x:ref> = token 
    10881150 
    1089 <x:ref>challenge</x:ref> = auth-scheme 1*SP [ ( "," / auth-param ) *( OWS "," [ OWS 
    1090  auth-param ] ) ] 
    1091 <x:ref>credentials</x:ref> = auth-scheme 1*SP ( token / quoted-string / [ ( "," / 
    1092  auth-param ) *( OWS "," [ OWS auth-param ] ) ] ) 
     1151<x:ref>b64token</x:ref> = 1*( ALPHA / DIGIT / "-" / "." / "_" / "~" / "+" / "/" ) 
     1152 *"=" 
     1153 
     1154<x:ref>challenge</x:ref> = auth-scheme [ 1*SP ( b64token / [ ( "," / auth-param ) *( 
     1155 OWS "," [ OWS auth-param ] ) ] ) ] 
     1156<x:ref>credentials</x:ref> = auth-scheme [ 1*SP ( b64token / [ ( "," / auth-param ) 
     1157 *( OWS "," [ OWS auth-param ] ) ] ) ] 
    10931158 
    10941159<x:ref>quoted-string</x:ref> = &lt;quoted-string, defined in [Part1], Section 1.2.2&gt; 
     
    13031368    </t> 
    13041369    <t> 
     1370      <eref target="http://tools.ietf.org/wg/httpbis/trac/ticket/195"/>: 
     1371      "auth-param syntax" 
     1372    </t> 
     1373    <t> 
    13051374      <eref target="http://tools.ietf.org/wg/httpbis/trac/ticket/257"/>: 
    13061375      "Considerations for new authentications schemes" 
Note: See TracChangeset for help on using the changeset viewer.