[OAUTH-WG] OAuth2.1: auth-param in WWW-Authenticate optional?

Johannes Koch <johannes.koch@avenga.com> Wed, 30 March 2022 12:21 UTC

From: Johannes Koch <johannes.koch@avenga.com>
Date: Wed, 30 Mar 2022 14:20:49 +0200
Message-ID: <CAGRquTrV15SqwWMT-FP0nmB4hyO7ANeqhqQG5asXwCHdUAKmAg@mail.gmail.com>
To: oauth@ietf.org
Archived-At: <https://mailarchive.ietf.org/arch/msg/oauth/me7_h5Y5cJXdvauhmMVwKC5KnSQ>
Subject: [OAUTH-WG] OAuth2.1: auth-param in WWW-Authenticate optional?

Hi,

in https://datatracker.ietf.org/doc/html/draft-ietf-oauth-v2-1-05 section
5.2.2:

  All challenges for this token type MUST use the auth-scheme value
  Bearer.  This scheme MUST be followed by one or more auth-param
  values.


Why is at least one auth-param required? It makes

  WWW-Authenticate: Bearer

in response to a request lacking any authentication information (thus not
containing an error auth-param attribute) non-compliant. The optional scope
attribute is not useful in this case. The optional realm attribute may not
be necessary (e.g. if there is only one realm). So to be compliant, you
would have to add a non-meaningful auth-param like foo=bar.

Note: While in RFC 2617 the challenge was defined as

  challenge   = auth-scheme 1*SP 1#auth-param

(requiring at least one auth-param), RFC 7235 does not have this requirement:

  challenge   = auth-scheme [ 1*SP ( token68 / #auth-param ) ]

-- 
Johannes Koch
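As an added illustration (not part of the message above, of draft-ietf-oauth-v2-1-05, or of any IETF code), the following Python parser implements the RFC 7235 challenge grammar quoted in the message and then evaluates a WWW-Authenticate value as a Bearer challenge under the two readings at issue: with the "one or more auth-param" requirement of section 5.2.2 (the RFC 2617 shape) and without it (plain RFC 7235). The header values fed to it are constructed samples; the function names are this example's own.

```python
import re
from dataclasses import dataclass, field
from typing import Optional

# RFC 7230/7235 ABNF as regular expressions: tchar token, quoted-string, token68.
TOKEN = r"[!#$%&'*+\-.^_`|~0-9A-Za-z]+"
QUOTED_STRING = r'"(?:[\t !#-\[\]-~\x80-\xff]|\\[\t !-~\x80-\xff])*"'
TOKEN68 = r"[A-Za-z0-9\-._~+/]+=*"

SCHEME_RE = re.compile(rf"^({TOKEN})(?:[ \t]+(.*))?$", re.DOTALL)
AUTH_PARAM_RE = re.compile(rf"({TOKEN})[ \t]*=[ \t]*({TOKEN}|{QUOTED_STRING})")
TOKEN68_RE = re.compile(rf"^{TOKEN68}$")


@dataclass
class Challenge:
    scheme: str
    params: dict = field(default_factory=dict)   # auth-param names lower-cased
    token68: Optional[str] = None


def _unquote(value: str) -> str:
    """Strip quoted-string delimiters and resolve quoted-pair escapes."""
    if value.startswith('"'):
        return re.sub(r"\\(.)", r"\1", value[1:-1])
    return value


def parse_challenge(value: str) -> Challenge:
    """Parse one challenge with the RFC 7235 grammar:
       challenge = auth-scheme [ 1*SP ( token68 / #auth-param ) ]
    A bare scheme with no auth-param is accepted, as RFC 7235 permits."""
    m = SCHEME_RE.match(value.strip())
    if not m:
        raise ValueError(f"not a challenge: {value!r}")
    ch = Challenge(scheme=m.group(1))
    rest = (m.group(2) or "").strip()
    if not rest:
        return ch                      # "Bearer" alone: valid under RFC 7235
    pos, params = 0, {}
    while pos < len(rest):             # #auth-param: comma-separated list
        pm = AUTH_PARAM_RE.match(rest, pos)
        if pm is None:
            break
        name = pm.group(1).lower()
        if name in params:             # RFC 7235 s2.1: a parameter MUST NOT repeat
            raise ValueError(f"auth-param {name!r} given twice")
        params[name] = _unquote(pm.group(2))
        pos = pm.end()
        while pos < len(rest) and rest[pos] in " \t":
            pos += 1
        if pos == len(rest):
            break
        if rest[pos] != ",":
            raise ValueError(f"unexpected {rest[pos]!r} at offset {pos}")
        while pos < len(rest) and rest[pos] in ", \t":   # tolerate empty elements
            pos += 1
    if params and pos == len(rest):
        ch.params = params
        return ch
    if not params and TOKEN68_RE.match(rest):
        ch.token68 = rest
        return ch
    raise ValueError(f"cannot parse challenge data: {rest!r}")


def bearer_challenge_ok(value: str, require_auth_param: bool) -> tuple:
    """Judge a WWW-Authenticate value as an OAuth Bearer challenge.
    require_auth_param=True models draft-ietf-oauth-v2-1-05 s5.2.2
    ("one or more auth-param"); False models the RFC 7235 grammar alone.
    Returns (accepted, reason)."""
    try:
        ch = parse_challenge(value)
    except ValueError as exc:
        return False, str(exc)
    if ch.scheme.lower() != "bearer":  # auth-scheme is case-insensitive (RFC 7235)
        return False, f"auth-scheme is {ch.scheme!r}, not Bearer"
    if ch.token68 is not None:
        return False, "token68 form carries no auth-param"
    if require_auth_param and not ch.params:
        return False, "no auth-param present"
    return True, "ok"


if __name__ == "__main__":
    # Constructed sample header values, not taken from any real server.
    for hdr in ("Bearer",
                "Bearer foo=bar",
                'Bearer realm="example", error="invalid_token", '
                'error_description="The access token expired"'):
        print(f"{hdr!r}: 2.1-draft={bearer_challenge_ok(hdr, True)[0]} "
              f"7235={bearer_challenge_ok(hdr, False)[0]}")
```

The bare `Bearer` value is the case the message describes: the parser accepts it under the RFC 7235 grammar and rejects it only when the "one or more auth-param" rule is switched on, while a placeholder such as `foo=bar` satisfies that rule without conveying anything to the client. The duplicate-parameter and trailing-garbage checks are there because a client that silently tolerates malformed challenges can be steered by whichever of two conflicting `error` or `realm` values it happens to keep.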