[OAUTH-WG] OAuth 2.1: Should auth-param in WWW-Authenticate be optional?

Johannes Koch <johannes.koch@avenga.com> Wed, 18 January 2023 16:44 UTC

From: Johannes Koch <johannes.koch@avenga.com>
Date: Wed, 18 Jan 2023 17:43:51 +0100
Message-ID: <CAGRquTqVaBvD3nMjy6_Zb0oo_RZRRuLqt1wFTRU2Tapa3D8srA@mail.gmail.com>
To: oauth@ietf.org
Archived-At: <https://mailarchive.ietf.org/arch/msg/oauth/-jPcPmfDtEwxmzN2c5OmbXOysg0>

In https://datatracker.ietf.org/doc/html/draft-ietf-oauth-v2-1-07 section
5.2.3 (The WWW-Authenticate Response Header Field):

    All challenges for this token type MUST use the auth-scheme value
    Bearer. This scheme MUST be followed by one or more auth-param
    values.

Why is at least one auth-param required? It makes

WWW-Authenticate: Bearer

in response to a request lacking any authentication information (thus
without an error auth-param attribute) non-compliant. The optional scope
attribute is not useful in this case. The optional realm attribute may not
be necessary (e.g. if there is only one realm). So to be compliant, you
would have to add a non-meaningful auth-param like foo=bar.

Note: While in rfc2617 (
https://datatracker.ietf.org/doc/html/rfc2617#section-1.2) challenge was
defined as

  challenge   = auth-scheme 1*SP 1#auth-param

(requiring at least one auth-param), rfc9110 (
https://www.rfc-editor.org/rfc/rfc9110#section-11.3) does not have this
requirement:

  challenge   = auth-scheme [ 1*SP ( token68 / #auth-param ) ]


-- 
Johannes Koch
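The grammar difference the post turns on, shown in code. This is an added example written for this page, not code by the author or by the OAuth working group: a parser for the RFC 9110 section 11.3 challenge syntax (`challenge = auth-scheme [ 1*SP ( token68 / #auth-param ) ]`) with a `require_auth_param` switch that applies the RFC 2617 / draft-ietf-oauth-v2-1-07 rule that at least one auth-param must follow the scheme. The function names, the `Challenge` structure and the `bearer_status` helper are my own; the helper's reading of a Bearer challenge without an `error` attribute as "no credentials were presented" follows RFC 6750 section 3.1, and all header values below are constructed inputs.

```python
# Parser for the WWW-Authenticate challenge grammar of RFC 9110 section 11.3, with a
# switch for the stricter RFC 2617 / draft-ietf-oauth-v2-1-07 rule (example code).
import re
from dataclasses import dataclass, field
from typing import Optional

# Grammar fragments from RFC 9110 (token: 5.6.2, quoted-string: 5.6.4, token68: 11.2).
_TOKEN = r"[!#$%&'*+\-.^_`|~0-9A-Za-z]+"
_QUOTED = r'"(?:[^"\\]|\\.)*"'
_TOKEN68 = r"[A-Za-z0-9\-._~+/]+=*"

_SCHEME_RE = re.compile(_TOKEN)
_PARAM_RE = re.compile(rf"({_TOKEN})[ \t]*=[ \t]*({_TOKEN}|{_QUOTED})")  # auth-param
_TOKEN68_RE = re.compile(_TOKEN68)
_OWS_RE = re.compile(r"[ \t]*")


class ChallengeError(ValueError):
    """Raised for a field value that the selected grammar does not accept."""


@dataclass
class Challenge:
    scheme: str
    params: dict = field(default_factory=dict)   # auth-param name (lower-cased) -> unquoted value
    token68: Optional[str] = None


def _unquote(raw: str) -> str:
    if raw.startswith('"'):
        return re.sub(r"\\(.)", r"\1", raw[1:-1])   # undo quoted-pair escapes
    return raw


def parse_www_authenticate(value: str, require_auth_param: bool = False) -> list:
    """Split a WWW-Authenticate field value into its challenges.

    require_auth_param=False is RFC 9110 (a bare 'Bearer' is valid); True is the
    RFC 2617 form 'auth-scheme 1*SP 1#auth-param' that draft-ietf-oauth-v2-1-07
    section 5.2.3 still imposes on Bearer challenges.
    """
    challenges = []
    i, n = 0, len(value)
    while i < n:
        while i < n and value[i] in " \t,":          # a #list may contain empty elements
            i += 1
        if i >= n:
            break
        m = _SCHEME_RE.match(value, i)
        if not m:
            raise ChallengeError(f"expected auth-scheme at offset {i}: {value[i:i + 20]!r}")
        ch = Challenge(scheme=m.group())
        i = m.end()
        j = _OWS_RE.match(value, i).end()             # auth-scheme [ 1*SP ... ]
        if j > i and j < n and value[j] != ",":
            if _PARAM_RE.match(value, j):
                i = j
                while True:                           # #auth-param belonging to this challenge
                    pm = _PARAM_RE.match(value, i)    # guaranteed to match here
                    name = pm.group(1).lower()
                    if name in ch.params:
                        raise ChallengeError(f"duplicate auth-param {name!r} in {ch.scheme} challenge")
                    ch.params[name] = _unquote(pm.group(2))
                    i = pm.end()
                    k = _OWS_RE.match(value, i).end()
                    if k < n and value[k] != ",":
                        raise ChallengeError(f"unexpected {value[k]!r} after auth-param {name!r}")
                    while k < n and value[k] in " \t,":
                        k += 1
                    if not _PARAM_RE.match(value, k):
                        break                         # next list element starts a new challenge
                    i = k
            else:                                     # token68, must end the challenge
                tm = _TOKEN68_RE.match(value, j)
                end = _OWS_RE.match(value, tm.end()).end() if tm else -1
                if tm is None or (end < n and value[end] != ","):
                    raise ChallengeError(f"malformed challenge after scheme {ch.scheme!r}")
                ch.token68 = tm.group()
                i = tm.end()
        if require_auth_param and not ch.params:
            raise ChallengeError(f"{ch.scheme} challenge carries no auth-param")
        challenges.append(ch)
    return challenges


def is_valid_challenge(value: str, strict: bool = False) -> bool:
    try:
        parse_www_authenticate(value, require_auth_param=strict)
        return True
    except ChallengeError:
        return False


def bearer_status(value: str) -> str:
    """Read a 401's Bearer challenge as RFC 6750 section 3.1 describes (assumed client
    behaviour): no 'error' auth-param means the request carried no authentication
    information; otherwise the error code says what was wrong with the token."""
    for ch in parse_www_authenticate(value):
        if ch.scheme.lower() == "bearer":
            return ch.params.get("error", "no_credentials")
    return "no_bearer_challenge"


if __name__ == "__main__":
    for hdr in ["Bearer", 'Bearer realm="api"', "Bearer foo=bar"]:   # constructed inputs
        print(f"{hdr!r}: RFC 9110 {is_valid_challenge(hdr)}, "
              f"RFC 2617 / OAuth 2.1 draft-07 {is_valid_challenge(hdr, strict=True)}")
```

Run as-is it shows the asymmetry from the post: a bare `Bearer` parses under RFC 9110 but is rejected with the strict switch, while the `foo=bar` workaround satisfies the strict rule without telling the client anything.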