Incorrect WWW-Authenticate formats #36961

Open
pilcrowonpaper opened this issue Nov 25, 2024 · 1 comment
pilcrowonpaper commented Nov 25, 2024

MDN URL

https://developer.mozilla.org/en-US/docs/Web/HTTP/Headers/WWW-Authenticate

What specific section or headline is this issue about?

Syntax

What information was incorrect, unhelpful, or incomplete?

These formats do not conform to RFC 9110:

WWW-Authenticate: <auth-scheme> realm=<realm> token68
WWW-Authenticate: <auth-scheme> realm=<realm> token68 auth-param1=auth-param1-token , ..., auth-paramN=auth-paramN-token
WWW-Authenticate: <auth-scheme> realm=<realm> auth-param1=auth-param1-token, ..., auth-paramN=auth-paramN-token
WWW-Authenticate: <auth-scheme> token68 auth-param1=auth-param1-token, ..., auth-paramN=auth-paramN-token

What did you expect to see?

They should not be documented.

Do you have any supporting links, references, or citations?

Per RFC 9110 section 11.6.1, the WWW-Authenticate header value is defined as:

WWW-Authenticate = 1#challenge

Where challenge is defined as (section 11.3):

challenge   = auth-scheme [ 1*SP ( token68 / #auth-param ) ]

If I'm reading this correctly, there can only be either a single token68 or a list of auth-param, and not both.

Do you have anything more you want to share?

It may also be helpful to document cases where there are multiple challenges in a single header:

WWW-Authenticate: <auth-scheme1> auth-param1=token1, ..., auth-paramN=auth-paramN-token, <auth-scheme2> auth-param1=token1, ..., auth-paramN=auth-paramN-token
@pilcrowonpaper pilcrowonpaper added the needs triage Triage needed by staff and/or partners. Automatically applied when an issue is opened. label Nov 25, 2024
@github-actions github-actions bot added the Content:HTTP HTTP docs label Nov 25, 2024
@bsmth bsmth self-assigned this Nov 25, 2024
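
The grammar quoted in the issue, as an added example that is not part of the original post and is not MDN or RFC code: a strict parser that accepts either one token68 or a comma-separated auth-param list per challenge, splits multiple challenges in one header, and rejects the mixed forms. The function name `parseWWWAuthenticate` and the returned object shape are assumptions made for this illustration.

```javascript
// Added example (not MDN or RFC code): strict parser for the RFC 9110 ABNF
//   WWW-Authenticate = 1#challenge
//   challenge = auth-scheme [ 1*SP ( token68 / #auth-param ) ]
const T = "[!#$%&'*+\\-.^_`|~0-9A-Za-z]+"; // RFC 9110 token (1*tchar)
const TOKEN = new RegExp(T, "y");
// auth-param = token BWS "=" BWS ( token / quoted-string )
const PARAM = new RegExp(
  String.raw`(${T})[ \t]*=[ \t]*(?:(${T})|"((?:[^"\\]|\\.)*)")`, "y");
// token68 must be followed by a list separator or the end of the value
const TOKEN68 = /[A-Za-z0-9\-._~+\/]+=*(?=[ \t]*(?:,|$))/y;
const SEP = /[ \t]*(?:,[ \t]*)+/y; // commas; empty list elements tolerated
const SP = / +/y;

// Hypothetical helper: returns [{ scheme, token68, params }] or throws.
function parseWWWAuthenticate(header) {
  const value = header.trim();
  let pos = 0;
  const eat = (re) => {           // match `re` exactly at `pos`, advance on success
    re.lastIndex = pos;
    const m = re.exec(value);
    if (m) pos = re.lastIndex;
    return m;
  };
  const challenges = [];
  eat(/[ \t,]*/y);                // leading empty list elements
  while (pos < value.length) {
    const scheme = eat(TOKEN);
    if (!scheme) throw new SyntaxError(`expected auth-scheme at offset ${pos}`);
    const ch = { scheme: scheme[0], token68: null, params: {} };
    if (eat(SP)) {
      let m = eat(PARAM);         // try auth-param first: "abc=def" is not a token68
      if (!m && (m = eat(TOKEN68))) ch.token68 = m[0];
      else while (m) {
        ch.params[m[1].toLowerCase()] = m[2] ?? m[3].replace(/\\(.)/g, "$1");
        const beforeSep = pos;
        if (!eat(SEP)) break;
        m = eat(PARAM);
        if (!m) pos = beforeSep;  // the comma introduces the next challenge
      }
    }
    challenges.push(ch);
    // Anything other than a comma here means mixed or unseparated values.
    if (pos < value.length && !eat(SEP))
      throw new SyntaxError(`unexpected text at offset ${pos}`);
  }
  return challenges;
}
```

Because a comma separates both auth-params and challenges, the parser decides which one follows a comma by checking whether the next token is immediately followed by `=`.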

bsmth commented Nov 25, 2024

Thanks for reporting, I'm looking at these pages (HTTP headers in the [s-x] range) for general revisions and I've noted this needs addressing.

@bsmth bsmth removed the needs triage Triage needed by staff and/or partners. Automatically applied when an issue is opened. label Nov 25, 2024