w3c / webdriver-bidi

Bidirectional WebDriver protocol for browser automation
https://w3c.github.io/webdriver-bidi/

Include all challenge parameters in authChallenges #569

Open juliandescottes opened 9 months ago

juliandescottes commented 9 months ago

At the moment the authChallenge type only contains two properties: scheme and realm. However, in some cases, multiple challenges can have the same realm & scheme, but support e.g. a different digest algorithm.

HTTP/1.1 401 Unauthorized
WWW-Authenticate: Digest
    realm="http-auth@example.org",
    qop="auth, auth-int",
    algorithm=SHA-256,
    nonce="7ypf/xlj9XXwfDPEoM4URrv/xwf94BcCAzFZH4GiTo0v",
    opaque="FQhe/qaU925kfnzjCev0ciny7QMkPqMAFRtzCUYo5tdS"
WWW-Authenticate: Digest
    realm="http-auth@example.org",
    qop="auth, auth-int",
    algorithm=MD5,
    nonce="7ypf/xlj9XXwfDPEoM4URrv/xwf94BcCAzFZH4GiTo0v",
    opaque="FQhe/qaU925kfnzjCev0ciny7QMkPqMAFRtzCUYo5tdS"

For the example above, we would create two identical auth challenges { realm: "http-auth@example.org", scheme: "Digest" }. If we include all the challenge parameters instead, we could tell the two challenges apart.

Our initial design follows the AuthChallenge type in CDP. @sadym-chromium do you (or someone else) know if it was intentional to leave out other parameters?
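
The collision described in the comment above, as an added example that is not part of the original thread or of the WebDriver BiDi specification: a simplified WWW-Authenticate parser that keeps every auth-param, then counts distinct challenges with and without the extra parameters. The function names and the `params` shape are assumptions made for this illustration, and the sample input is constructed from the issue's headers, unfolded to one line each.

```javascript
// Added example: simplified WWW-Authenticate parsing (RFC 7235 challenge syntax).
const TOKEN = "[!#$%&'*+.^_`|~0-9A-Za-z-]+";
const PARAM = new RegExp(`^(${TOKEN})\\s*=\\s*(?:"((?:[^"\\\\]|\\\\.)*)"|(${TOKEN}))$`);
const START = new RegExp(`^(${TOKEN})(?:\\s+(.+))?$`);

// Split a header value on commas that are outside quoted strings.
function splitItems(value) {
  const items = [];
  let cur = "", inQuotes = false;
  for (let i = 0; i < value.length; i++) {
    const ch = value[i];
    if (inQuotes && ch === "\\") { cur += ch + (value[++i] ?? ""); continue; }
    if (ch === '"') inQuotes = !inQuotes;
    if (ch === "," && !inQuotes) { items.push(cur.trim()); cur = ""; } else cur += ch;
  }
  items.push(cur.trim());
  return items.filter(Boolean);
}

// Returns [{ scheme, params }] with every auth-param kept (names lowercased).
function parseChallenges(headerValues) {
  const challenges = [];
  for (const headerValue of headerValues) {
    let current = null;
    for (const item of splitItems(headerValue)) {
      let m = PARAM.exec(item);
      if (!m) {
        const start = START.exec(item);
        if (!start) continue; // malformed item, skipped
        current = { scheme: start[1], params: {} };
        challenges.push(current);
        if (!start[2]) continue;
        m = PARAM.exec(start[2]);
        if (!m) { current.token68 = start[2]; continue; }
      }
      if (!current) continue; // parameter with no preceding scheme
      current.params[m[1].toLowerCase()] = m[2] !== undefined ? m[2].replace(/\\(.)/g, "$1") : m[3];
    }
  }
  return challenges;
}

// Number of distinct challenges under a given identity function.
const countDistinct = (challenges, keyOf) => new Set(challenges.map(keyOf)).size;
const bySchemeRealm = (c) => JSON.stringify([c.scheme, c.params.realm]);
const byAllParams = (c) => JSON.stringify([c.scheme, Object.entries(c.params).sort()]);

// Constructed input: the issue's two Digest challenges, unfolded to one line each.
const common = 'realm="http-auth@example.org", qop="auth, auth-int", ' +
  'nonce="7ypf/xlj9XXwfDPEoM4URrv/xwf94BcCAzFZH4GiTo0v", opaque="FQhe/qaU925kfnzjCev0ciny7QMkPqMAFRtzCUYo5tdS"';
const SAMPLE = [`Digest algorithm=SHA-256, ${common}`, `Digest algorithm=MD5, ${common}`];
const parsed = parseChallenges(SAMPLE);
console.log(countDistinct(parsed, bySchemeRealm), countDistinct(parsed, byAllParams)); // 1 2
```

With only scheme and realm, a client cannot tell whether the server offered SHA-256, MD5, or both, so it cannot select or assert on the stronger digest algorithm.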

thiagowfx commented 9 months ago

cc @OrKoN

OrKoN commented 9 months ago

It looks like CDP only provides a single AuthChallenge. @juliandescottes do you happen to have a test page for multiple challenges?

juliandescottes commented 9 months ago

> It looks like CDP only provides a single AuthChallenge.

Do you mean in general, it only provides a single auth challenge even if the challenges are for different realms?

> do you happen to have a test page for multiple challenges?

I don't have one at the moment, I was just basing this on the MDN examples for WWW-Authenticate and on the corresponding RFC.