On 26. 6. 25 23:59, Branko Čibej wrote:
I've been looking at our authentication scheme implementations, and I
noticed that the Digest implementation doesn't appear to conform to
RFC 7616. Things like:
* Authorization header parameter values are always quoted, when 3.4
  clearly says:

      For historical reasons, a sender MUST only generate the quoted
      string syntax for the following parameters: username, realm, nonce,
      uri, response, cnonce, and opaque.

      For historical reasons, a sender MUST NOT generate the quoted string
      syntax for the following parameters: algorithm, qop, and nc.

* Usernames aren't properly encoded, e.g., a username that contains a
  " would break the header.
And so on.
Since all the tests use hand-crafted requests and responses, they only
verify that the implementation does what we expect it to do, not that
it actually works in real life. Does anyone know if digest auth with
Serf is used anywhere, is there a standard way to test it? Comments in
the code say something about googlecode.com which is a) dead and b)
was probably never a representative implementation anyway.
I looked at the "other end", i.e., httpd's mod_auth_digest, and it only
supports about half of RFC 2617 and none of the new stuff in RFC 7616.
So, at least in that respect we're covered. However, I created
https://issues.apache.org/jira/browse/SERF-207 anyway, and have a patch
but I'd rather wait for the user-defined-authn branch to be merged.
-- Brane
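As an added example, not code from this thread or from Serf: a small Python serializer that applies the RFC 7616 section 3.4 quoting rules, escapes `"` and `\` inside quoted-strings, falls back to the `username*` (RFC 5987) form for usernames that do not fit a quoted-string, and a checker that flags headers which quote algorithm, qop or nc the way the mail describes. The policy of switching to `username*` for any non-ASCII or control character is an assumption of this example, not a rule stated in the mail.

```python
"""Serialize and check Digest Authorization headers against RFC 7616 3.4 quoting rules."""
import re
from urllib.parse import quote

# RFC 7616 section 3.4: parameters that MUST be sent as quoted-string ...
QUOTED = {"username", "realm", "nonce", "uri", "response", "cnonce", "opaque"}
# ... and parameters that MUST NOT be quoted.
UNQUOTED = {"algorithm", "qop", "nc"}
# RFC 5987 attr-char punctuation (ALPHA / DIGIT are always left alone by quote()).
ATTR_CHAR_SAFE = "!#$&+-.^_`|~"
PARAM_RE = re.compile(r'([\w*]+)=("(?:[^"\\]|\\.)*"|[^,\s]*)')


def quoted_string(value: str) -> str:
    """RFC 7230 quoted-string: escape backslash and double quote as quoted-pairs."""
    return '"' + value.replace("\\", "\\\\").replace('"', '\\"') + '"'


def fits_quoted_string(value: str) -> bool:
    """Assumed policy: only printable ASCII (plus HTAB) goes into a quoted-string;
    control characters and non-ASCII are sent via username* instead."""
    return all(c == "\t" or 0x20 <= ord(c) <= 0x7E for c in value)


def build_authorization(params: dict) -> str:
    """Build an Authorization header value from name -> value pairs."""
    parts = []
    for name, value in params.items():
        if name == "username" and not fits_quoted_string(value):
            # RFC 7616 username*: RFC 5987 ext-value, UTF-8 percent-encoded.
            # A sender must never emit both username and username*.
            parts.append("username*=UTF-8''" + quote(value, safe=ATTR_CHAR_SAFE))
        elif name in QUOTED:
            parts.append(f"{name}={quoted_string(value)}")
        elif name in UNQUOTED:
            parts.append(f"{name}={value}")
        else:
            raise ValueError(f"unknown Digest parameter: {name}")
    return "Digest " + ", ".join(parts)


def quoting_violations(header: str) -> list:
    """Report parameters whose quoting contradicts RFC 7616 3.4 (e.g. algorithm="MD5")."""
    if not header.startswith("Digest "):
        return ["not a Digest header"]
    problems = []
    for name, raw in PARAM_RE.findall(header[len("Digest "):]):
        is_quoted = raw.startswith('"')
        if name in UNQUOTED and is_quoted:
            problems.append(f"{name} must not be quoted")
        elif name in QUOTED and not is_quoted:
            problems.append(f"{name} must be quoted")
    return problems
```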