Ticket #342 (closed editorial: incorporated)
WWW-Authenticate ABNF slightly ambiguous
|Reported by:||firstname.lastname@example.org||Owned by:||email@example.com|
|Component:||p7-auth||Severity:||Active WG Document|
WWW-Authenticate = *( "," OWS ) challenge *( OWS "," [ OWS challenge ] ) challenge = auth-scheme 1*SP *( "," OWS ) auth-param *( OWS "," [ OWS auth-param ] )
Basic realm="foo", , Otherscheme realm="bar"
This can be parsed as either three challenges:
1: Basic realm="foo" 2: 3: Otherscheme realm="bar"
or as two challenges:
1: Basic realm="foo", 2: Otherscheme realm="bar"
...where the first challenge has a list of auth-params where the first one is the realm, and the second one is empty.
In practice, this doesn't affect the semantics of the header field, but it does affect parser construction. Documenting this may avoid confusion.