bug-wget


From: Darshit Shah
Subject: Re: [Bug-wget] [PATCH] Change testenv/Test-auth-both.py from XFAIL to a normal test
Date: Sat, 22 Nov 2014 23:53:58 +0530

Multiple challenges in a single header are allowed. I had to hack a
workaround in the Test suite explicitly to support this behaviour.

I quote RFC 2616, sec. 14.47

The WWW-Authenticate response-header field MUST be included in 401
(Unauthorized) response messages. The field value consists of at least one
challenge that indicates the authentication scheme(s) and parameters
applicable to the Request-URI.

WWW-Authenticate = "WWW-Authenticate" ":" 1#challenge

The HTTP access authentication process is described in "HTTP
Authentication: Basic and Digest Access Authentication" [43]. User agents
are advised to take special care in parsing the WWW-Authenticate field
value as it might contain more than one challenge, or if more than one
WWW-Authenticate header field is provided, the contents of a challenge
itself can contain a comma-separated list of authentication parameters.

Also, do take a look at this mailing list thread:
http://lists.w3.org/Archives/Public/ietf-http-wg/2009OctDec/0295.html


Thanking You,
Darshit Shah
Sent from mobile device. Please excuse my brevity
On 22-Nov-2014 11:26 pm, "Tim Rühsen" <address@hidden> wrote:

> On Saturday, 22 November 2014, 16:24:18 Darshit Shah wrote:
> > Another reason why I never got around to implementing this feature is that
> > it is required by almost no one. The issue at hand is that when a Server
> > responds with two possible authentication methods, the client is expected
> > to choose the strongest one it knows. Instead Wget chooses the first one it
> > knows. This violates the RFC and hence I marked it up as a bug. I'll
> > probably add all this information into the test file in a while and push
> > it.
>
> I just implemented this feature (selecting the strongest auth method).
>
> But the HTTP test server offers both (Digest,Basic) within a single
> WWW-Authenticate line. The ABNF in RFC2616 does not allow this:
>
> 3.2.1 The WWW-Authenticate Response Header
>
>    If a server receives a request for an access-protected object, and an
>    acceptable Authorization header is not sent, the server responds with
>    a "401 Unauthorized" status code, and a WWW-Authenticate header as
>    per the framework defined above, which for the digest scheme is
>    utilized as follows:
>
>       challenge        =  "Digest" digest-challenge
>
>       digest-challenge  = 1#( realm | [ domain ] | nonce |
>                           [ opaque ] |[ stale ] | [ algorithm ] |
>                           [ qop-options ] | [auth-param] )
>
>
>       domain            = "domain" "=" <"> URI ( 1*SP URI ) <">
>       URI               = absoluteURI | abs_path
>       nonce             = "nonce" "=" nonce-value
>       nonce-value       = quoted-string
>       opaque            = "opaque" "=" quoted-string
>       stale             = "stale" "=" ( "true" | "false" )
>       algorithm         = "algorithm" "=" ( "MD5" | "MD5-sess" |
>                            token )
>       qop-options       = "qop" "=" <"> 1#qop-value <">
>       qop-value         = "auth" | "auth-int" | token
>
>
> My knowledge is that the server has to send two lines of WWW-Authenticate
> to offer two authentication methods. Maybe I am wrong, but I would like to
> know from where you got further information. Or is it just a mistake?
>
> Example from Test HTTP server:
> WWW-Authenticate: BasIc realm="Wget-Test", DIgest realm="Test",
> nonce="f07e391eb19dfb441f191f5de7ba687f",
> opaque="548c574974e749c0cfae06302b9e559b", qop="auth"
>
> Don't start to fix the test server, I have it fixed and just await your
> answer.
>
> Tim
>
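The parsing behaviour the two messages above argue about, written out as an added example (this is neither wget's code nor the test suite's code): a small WWW-Authenticate parser that accepts several challenges in one field value as well as several header lines, keeps commas inside quoted-string values intact, compares scheme names case-insensitively (the test server sends "BasIc" and "DIgest"), and then picks the strongest scheme the client knows. The strength ordering (Digest over Basic) and the two-line variant in the demo are assumptions made for the example; the single-line header is the test server output quoted above.

```python
"""Parse WWW-Authenticate challenges and pick the strongest known scheme.

Added example, not wget's code and not the test suite's code. It follows the
RFC 2616 14.47 reading quoted in the thread: a field value is 1#challenge, so
one header line may carry several challenges and several WWW-Authenticate
lines may be present; commas separate both challenges and auth-params, and
may also appear inside quoted-string values.
"""
import re
from typing import Dict, List, Optional, Tuple

Challenge = Tuple[str, Dict[str, str]]

# Preference order, strongest first. The ordering is an assumption for this
# example; the thread only says the client should pick the strongest scheme
# it knows. Unknown schemes are never chosen.
SCHEME_STRENGTH = ("digest", "basic")

_TOKEN = r"[!#$%&'*+\-.^_`|~0-9A-Za-z]+"  # RFC 2616 token characters
_QUOTED = r'"(?:[^"\\]|\\.)*"'            # quoted-string, allowing quoted-pair
_LEXER = re.compile(rf"\s*(?:(?P<quoted>{_QUOTED})|(?P<token>{_TOKEN})|(?P<sep>[=,]))")


def _tokenize(value: str) -> List[Tuple[str, str]]:
    """Split one field value into (kind, text) items: 'token', 'quoted', '=' or ','."""
    out: List[Tuple[str, str]] = []
    pos = 0
    while pos < len(value):
        m = _LEXER.match(value, pos)
        if m is None:
            rest = value[pos:].lstrip()
            if not rest:
                break  # only trailing whitespace left
            raise ValueError(f"unexpected character {rest[0]!r} in {value!r}")
        pos = m.end()
        if m.group("quoted") is not None:
            # strip the surrounding quotes and undo \x quoted-pairs
            out.append(("quoted", re.sub(r"\\(.)", r"\1", m.group("quoted")[1:-1])))
        elif m.group("token") is not None:
            out.append(("token", m.group("token")))
        else:
            out.append((m.group("sep"), m.group("sep")))
    return out


def parse_challenges(header_values: List[str]) -> List[Challenge]:
    """Parse one or more WWW-Authenticate field values into (scheme, params) pairs.

    A token NOT followed by '=' is an auth-scheme and starts a new challenge;
    a token followed by '=' is an auth-param of the challenge being filled.
    Scheme and parameter names are lower-cased; values are kept verbatim.
    """
    challenges: List[Challenge] = []
    for value in header_values:
        toks = _tokenize(value)
        current: Optional[Challenge] = None  # challenge being filled on this line
        i = 0
        while i < len(toks):
            kind, text = toks[i]
            if kind == ",":
                i += 1
                continue
            if kind != "token":
                raise ValueError(f"unexpected {text!r} in {value!r}")
            if i + 1 < len(toks) and toks[i + 1][0] == "=":
                if current is None:
                    raise ValueError(f"auth-param {text!r} before any auth-scheme")
                if i + 2 >= len(toks) or toks[i + 2][0] not in ("token", "quoted"):
                    raise ValueError(f"missing value for parameter {text!r}")
                current[1][text.lower()] = toks[i + 2][1]
                i += 3
            else:
                current = (text.lower(), {})
                challenges.append(current)
                i += 1
    return challenges


def choose_scheme(challenges: List[Challenge]) -> Optional[Challenge]:
    """Return the strongest challenge whose scheme is in SCHEME_STRENGTH, else None."""
    by_scheme: Dict[str, Challenge] = {}
    for scheme, params in challenges:
        by_scheme.setdefault(scheme, (scheme, params))  # first challenge per scheme wins
    for scheme in SCHEME_STRENGTH:
        if scheme in by_scheme:
            return by_scheme[scheme]
    return None


if __name__ == "__main__":
    # Single line with two challenges: the test server output quoted in the thread.
    one_line = ['BasIc realm="Wget-Test", DIgest realm="Test", '
                'nonce="f07e391eb19dfb441f191f5de7ba687f", '
                'opaque="548c574974e749c0cfae06302b9e559b", qop="auth"']
    # Same offer split over two header lines (constructed for this example).
    two_lines = ['Basic realm="Wget-Test"',
                 'Digest realm="Test", nonce="f07e391eb19dfb441f191f5de7ba687f", qop="auth,auth-int"']
    for headers in (one_line, two_lines):
        parsed = parse_challenges(headers)
        print([s for s, _ in parsed], "->", choose_scheme(parsed))
```

Both inputs parse to the same two schemes and the chooser returns the Digest challenge in each case; a header offering only a scheme the client does not know (for example a bare `Negotiate`) yields `None`, which is the point at which a client would give up rather than fall back to something weaker.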

