I've been looking at our authentication scheme implementations, and I
noticed that the Digest implementation doesn't appear to conform to RFC
7616. Things like:
* Authorization header parameter values are always quoted, while section
  3.4 clearly says:

      For historical reasons, a sender MUST only generate the quoted
      string syntax for the following parameters: username, realm, nonce,
      uri, response, cnonce, and opaque.

      For historical reasons, a sender MUST NOT generate the quoted string
      syntax for the following parameters: algorithm, qop, and nc.

* Usernames aren't properly encoded, e.g., a username that contains a
  " would break the header.
And so on.
Since all the tests use hand-crafted requests and responses, they only
verify that the implementation does what we expect it to do, not that it
actually works in real life. Does anyone know if digest auth with Serf
is used anywhere, or whether there is a standard way to test it? Comments in the
code say something about googlecode.com which is a) dead and b) was
probably never a representative implementation anyway.
Thoughts?
-- Brane
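An added example, not Serf code and not part of the message above: a small Python builder for the Authorization: Digest header that follows the RFC 7616 section 3.4 quoting rules, escapes a `"` in the username as a quoted-pair (falling back to the `username*` ext-value form for non-ASCII names), and a checker that can be run over any header, hand-crafted or captured, to report quoting violations. The function and parameter names (`build_digest_authorization`, `check_quoting`, `rfc2617_known_answer`) are this example's own; the quoting lists and the response computation come from RFC 7616, and the known-answer vector is the one published in RFC 2617 (the computation is unchanged for qop=auth with MD5).

```python
import hashlib
import re
from urllib.parse import quote

# RFC 7616 section 3.4: parameters that MUST use quoted-string syntax ...
MUST_QUOTE = {"username", "realm", "nonce", "uri", "response", "cnonce", "opaque"}
# ... and parameters that MUST NOT (they are sent as bare tokens).
MUST_NOT_QUOTE = {"algorithm", "qop", "nc"}

# RFC 7230 tchar set: the only characters allowed in a bare token.
_TOKEN_RE = re.compile(r"^[!#$%&'*+\-.^_`|~0-9A-Za-z]+$")
# One "name=value" parameter, value either quoted-string (with quoted-pairs) or bare.
_PARAM_RE = re.compile(r'\s*([A-Za-z0-9*_-]+)\s*=\s*("((?:[^"\\]|\\.)*)"|([^",]*))\s*(?:,|$)')

_HASHES = {"MD5": hashlib.md5, "SHA-256": hashlib.sha256}


def quote_string(value: str) -> str:
    """Wrap value in a quoted-string, escaping backslash and '"' as quoted-pairs."""
    return '"' + value.replace("\\", "\\\\").replace('"', '\\"') + '"'


def username_param(username: str) -> str:
    """Printable ASCII names go in a quoted-string (a '"' becomes \\"); anything
    else uses the username* ext-value form RFC 7616 3.4 allows (RFC 8187 syntax)."""
    if all(0x20 <= ord(c) < 0x7F for c in username):
        return "username=" + quote_string(username)
    return "username*=UTF-8''" + quote(username, safe="")


def build_digest_authorization(username, realm, password, method, uri, nonce,
                               cnonce, nc, opaque=None, qop="auth", algorithm="MD5"):
    """Return the Authorization header value for qop=auth (RFC 7616 3.4.1)."""
    h = lambda s: _HASHES[algorithm](s.encode("utf-8")).hexdigest()
    ha1 = h(f"{username}:{realm}:{password}")      # A1 uses the raw username
    ha2 = h(f"{method}:{uri}")
    response = h(f"{ha1}:{nonce}:{nc}:{cnonce}:{qop}:{ha2}")
    params = [
        username_param(username),
        "realm=" + quote_string(realm),
        "nonce=" + quote_string(nonce),
        "uri=" + quote_string(uri),
        "response=" + quote_string(response),
        "algorithm=" + algorithm,   # MUST NOT be quoted
        "qop=" + qop,               # MUST NOT be quoted
        "nc=" + nc,                 # MUST NOT be quoted
        "cnonce=" + quote_string(cnonce),
    ]
    if opaque is not None:
        params.append("opaque=" + quote_string(opaque))
    return "Digest " + ", ".join(params)


def check_quoting(header: str) -> list:
    """List the RFC 7616 3.4 quoting violations in a Digest Authorization header."""
    if not header.startswith("Digest "):
        return ["not a Digest challenge response"]
    problems = []
    for m in _PARAM_RE.finditer(header[len("Digest "):]):
        name, quoted, bare = m.group(1).lower(), m.group(3), m.group(4)
        if name.endswith("*"):                       # ext-value, never quoted
            if quoted is not None:
                problems.append(f"{name} MUST NOT be quoted")
        elif name in MUST_NOT_QUOTE and quoted is not None:
            problems.append(f"{name} MUST NOT be quoted")
        elif name in MUST_QUOTE and quoted is None:
            problems.append(f"{name} MUST be quoted")
        elif quoted is None and not _TOKEN_RE.match(bare or ""):
            problems.append(f"{name} is not a valid token: {bare!r}")
    return problems


def rfc2617_known_answer():
    """Known-answer test: the RFC 2617 section 3.5 example vector (MD5, qop=auth).
    Returns (computed response, expected response) so a test can compare them."""
    hdr = build_digest_authorization(
        "Mufasa", "testrealm@host.com", "Circle Of Life", "GET", "/dir/index.html",
        nonce="dcd98b7102dd2f0e8b11d0f600bfb0c093", cnonce="0a4f113b", nc="00000001",
        opaque="5ccc069c403ebaf9f0171e9517f40e41")
    computed = re.search(r'response="([0-9a-f]+)"', hdr).group(1)
    return computed, "6629fae49393a05397450978507c4ef1"


if __name__ == "__main__":
    hdr = build_digest_authorization('Mallory "Mal" Jones', "serf", "pw", "GET", "/",
                                     nonce="n0nce", cnonce="cn0nce", nc="00000001")
    print(hdr)
    print("violations:", check_quoting(hdr))
    print("known answer:", rfc2617_known_answer())
```

Running `check_quoting` over the headers the existing hand-crafted tests emit is a cheap way to catch the two problems above without needing a live server; the known-answer vector checks the hash computation independently of the header syntax.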