mdn / content

The content behind MDN Web Docs
https://developer.mozilla.org

Incorrect WWW-Authenticate formats #36961

Open pilcrowonpaper opened 18 hours ago

pilcrowonpaper commented 18 hours ago

MDN URL

https://developer.mozilla.org/en-US/docs/Web/HTTP/Headers/WWW-Authenticate

What specific section or headline is this issue about?

Syntax

What information was incorrect, unhelpful, or incomplete?

These formats do not conform to RFC 9110:

WWW-Authenticate: <auth-scheme> realm=<realm> token68
WWW-Authenticate: <auth-scheme> realm=<realm> token68 auth-param1=auth-param1-token , ..., auth-paramN=auth-paramN-token
WWW-Authenticate: <auth-scheme> realm=<realm> auth-param1=auth-param1-token, ..., auth-paramN=auth-paramN-token
WWW-Authenticate: <auth-scheme> token68 auth-param1=auth-param1-token, ..., auth-paramN=auth-paramN-token

What did you expect to see?

They should not be documented.

Do you have any supporting links, references, or citations?

Per RFC 9110 section 11.6.1, the WWW-Authenticate header value is defined as:

WWW-Authenticate = 1#challenge

Where challenge is defined as (section 11.3):

challenge   = auth-scheme [ 1*SP ( token68 / #auth-param ) ]

If I'm reading this correctly, there can only be either a single token68 or a list of auth-param, and not both.

Do you have anything more you want to share?

It may also be helpful to document cases where there are multiple challenges in a single header:

WWW-Authenticate: <auth-scheme1> auth-param1=token1, ..., auth-paramN=auth-paramN-token, <auth-scheme2> auth-param1=token1, ..., auth-paramN=auth-paramN-token

bsmth commented 15 hours ago

Thanks for reporting, I'm looking at these pages (HTTP headers in the [s-x] range) for general revisions and I've noted this needs addressing.
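
A checker for the grammar quoted in the issue, as an added example that is not part of the thread or of MDN's content; the function names and sample header values are constructed for illustration. It accepts either one token68 or a comma-separated auth-param list per challenge, handles several challenges in one field value, and rejects the mixed forms listed in the report.

```javascript
// Added example: strict (sender-grammar) checker for RFC 9110
//   WWW-Authenticate = 1#challenge
//   challenge        = auth-scheme [ 1*SP ( token68 / #auth-param ) ]
// Simplified: empty list elements and empty auth-param lists are rejected.
const T = "[!#$%&'*+\\-.^_`|~0-9A-Za-z]+"; // token = 1*tchar
const TOKEN = new RegExp(T, "y");
const PARAM = new RegExp(String.raw`(${T})[ \t]*=[ \t]*("(?:[^"\\]|\\.)*"|${T})`, "y");
const TOKEN68 = /[A-Za-z0-9\-._~+\/]+=*(?=[ \t]*(?:,|$))/y; // must end the challenge
const SPACES = / +/y; // 1*SP
const SEP = /[ \t]*,[ \t]*/y; // OWS "," OWS
// Constructed sample: two challenges in one field value.
const SAMPLE = 'Digest realm="a", qop="auth", Basic realm="b"';

function parseWWWAuthenticate(value) {
  let pos = 0;
  const eat = (re) => {
    re.lastIndex = pos;
    const m = re.exec(value);
    if (m) pos = re.lastIndex;
    return m;
  };
  const fail = (why) => { throw new SyntaxError(`${why} at offset ${pos}`); };
  const unquote = (v) => (v[0] === '"' ? v.slice(1, -1).replace(/\\(.)/g, "$1") : v);
  const challenges = [];
  let cur = null;
  do {
    // After a comma: the next auth-param of the current challenge...
    let p = cur && cur.params.length ? eat(PARAM) : null;
    if (!p) {
      // ...or a new challenge starting with its auth-scheme.
      const scheme = eat(TOKEN) || fail("expected auth-scheme");
      cur = { scheme: scheme[0], token68: null, params: [] };
      challenges.push(cur);
      if (eat(SPACES)) {
        const t68 = eat(TOKEN68);
        if (t68) cur.token68 = t68[0];
        else p = eat(PARAM) || fail("expected token68 or auth-param");
      }
    }
    if (p) cur.params.push([p[1].toLowerCase(), unquote(p[2])]);
  } while (eat(SEP));
  if (pos !== value.length) fail("unexpected input");
  return challenges;
}

// Returns true when the value matches the grammar above, false otherwise.
function conforms(value) {
  try { parseWWWAuthenticate(value); return true; } catch { return false; }
}
```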