[asterisk-dev] [Code Review] SIP authentication support

Mark Michelson mmichelson at digium.com
Mon Feb 11 16:49:20 CST 2013

On 02/11/2013 04:09 PM, Olle E. Johansson wrote:
> 11 feb 2013 kl. 22:08 skrev "Mark Michelson" <reviewboard at asterisk.org 
> <mailto:reviewboard at asterisk.org>>:
>> This means that Asterisk may send multiple WWW-Authenticate headers out in an authentication challenge and can cope with multiple Authorization headers in requests.
> Hi!
> A small clarification:
> An endpoint that wants to authenticate a request should only send ONE 
> www-authenticate in one response.
> It can receive multiple proxy-authenticate and ONE www-authenticate in 
> a response, and thus needs to send multiple proxyauth and one www auth 
> in a request.
> Now, if we have multiple auth methods as a server, like md5 and SHA256 
> I don't know what to do really... This needs to be investigated.
> Cheers
> /O

RFC 2617 mentions the possibility of sending multiple WWW-Authenticate 
headers in an HTTP 401 response. It specifically mentions the case where 
multiple authentication schemes are offered (see section 4.6).

Looking through RFC 3261, I can't see anything that explicitly prohibits 
more than one WWW-Authenticate header being sent. Looking in section 
22.3 (which is about proxy to user authentication), it says the following:

"When resubmitting its request in response to a 401 (Unauthorized) or 
407 (Proxy Authentication Required) that contains multiple challenges, a 
UAC MAY include an Authorization value for each WWW-Authenticate value 
and a Proxy-Authorization value for each Proxy-Authenticate value for 
which the UAC wishes to supply a credential. As noted above, multiple 
credentials in a request SHOULD be differentiated by the "realm" parameter.

It is possible for multiple challenges associated with the same realm to 
appear in the same 401 (Unauthorized) or 407 (Proxy Authentication 
Required). This can occur, for example, when multiple proxies within the 
same administrative domain, which use a common realm, are reached by a 
forking request. When it retries a request, a UAC MAY therefore supply 
multiple credentials in Authorization or Proxy-Authorization header 
fields with the same "realm" parameter value. The same credentials 
SHOULD be used for the same realm."

It mentions an example of multiple proxies being reached by a forking 
request, but it does not necessarily mean that that is the only reason 
multiple challenges may be present in a response. And in the previous 
paragraph, the mention of "for each WWW-Authenticate value" means that 
there can be more than one present.

Is there a newer RFC that obsoletes or clarifies what RFC 3261 says 
here? Or have I misinterpreted things in some way?

Mark Michelson
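The behaviour the RFC 3261 section 22.3 text above describes, as an added example that is neither part of this thread nor Asterisk's own code: a 401 carrying several Digest challenges, a UAC that answers each challenge it holds credentials for with its own Authorization header differentiated by realm, and the server-side check that recomputes each response. The realms, nonces, usernames and passwords are constructed for the example; the digest computation follows RFC 2617 (MD5, with and without qop=auth).

```python
"""Multiple Digest challenges in one SIP 401 (RFC 3261 section 22.3).

Added example, not Asterisk code. A UAC answers each WWW-Authenticate
challenge it has credentials for with one Authorization header, and a
UAS recomputes the response per realm. All values below are constructed.
"""
import hashlib
import hmac
import re

# Constructed WWW-Authenticate values from a single 401 response. The third
# realm is one this UAC has no credentials for, so it is left unanswered.
CHALLENGES = [
    'Digest realm="sip.example.com", nonce="5ccc069c403ebaf9f0171e9517f40e41", '
    'algorithm=MD5, qop="auth"',
    'Digest realm="voip.example.net", nonce="a1b2c3d4e5f60718293a4b5c6d7e8f90", '
    'algorithm=MD5',
    'Digest realm="other.example.org", nonce="00112233445566778899aabbccddeeff", '
    'algorithm=MD5',
]

# UAC side: credentials keyed by realm (constructed).
UAC_CREDENTIALS = {
    "sip.example.com": ("alice", "secret-one"),
    "voip.example.net": ("alice", "secret-two"),
}

# UAS side: password known for each (realm, username) pair (constructed).
UAS_PASSWORDS = {
    ("sip.example.com", "alice"): "secret-one",
    ("voip.example.net", "alice"): "secret-two",
}

# Matches key="quoted value" or key=token inside a Digest parameter list.
_PARAM_RE = re.compile(r'(\w+)=(?:"([^"]*)"|([^,\s]+))')


def parse_digest(header):
    """Turn 'Digest k="v", k=v' into a dict of parameter names to values."""
    scheme, _, params = header.partition(" ")
    if scheme.lower() != "digest":
        raise ValueError("not a Digest header: %s" % header)
    return {m.group(1): m.group(2) if m.group(2) is not None else m.group(3)
            for m in _PARAM_RE.finditer(params)}


def _md5(s):
    return hashlib.md5(s.encode()).hexdigest()


def digest_response(username, realm, password, method, uri, nonce,
                    qop=None, nc="00000001", cnonce="0a4f113b"):
    """RFC 2617 response: KD(H(A1), nonce[:nc:cnonce:qop]:H(A2))."""
    ha1 = _md5("%s:%s:%s" % (username, realm, password))
    ha2 = _md5("%s:%s" % (method, uri))
    if qop:
        return _md5("%s:%s:%s:%s:%s:%s" % (ha1, nonce, nc, cnonce, qop, ha2))
    return _md5("%s:%s:%s" % (ha1, nonce, ha2))


def build_authorization_headers(challenges, credentials, method, uri):
    """One Authorization value per challenge the UAC wishes to answer."""
    headers = []
    for challenge in challenges:
        p = parse_digest(challenge)
        realm = p["realm"]
        if realm not in credentials:
            continue  # no credential for this realm: leave the challenge unanswered
        user, password = credentials[realm]
        qop = "auth" if "auth" in (p.get("qop") or "").split(",") else None
        resp = digest_response(user, realm, password, method, uri, p["nonce"], qop=qop)
        parts = ['username="%s"' % user, 'realm="%s"' % realm,
                 'nonce="%s"' % p["nonce"], 'uri="%s"' % uri,
                 'response="%s"' % resp, "algorithm=MD5"]
        if qop:
            parts += ["qop=auth", "nc=00000001", 'cnonce="0a4f113b"']
        headers.append("Digest " + ", ".join(parts))
    return headers


def verify_authorization(header, passwords, method):
    """UAS check: recompute the response for the realm named in the header."""
    p = parse_digest(header)
    key = (p["realm"], p["username"])
    if key not in passwords:
        return False
    expected = digest_response(p["username"], p["realm"], passwords[key], method,
                               p["uri"], p["nonce"], qop=p.get("qop"),
                               nc=p.get("nc", "00000001"), cnonce=p.get("cnonce", ""))
    # Constant-time comparison so a wrong response is not distinguishable by timing.
    return hmac.compare_digest(expected, p["response"])


if __name__ == "__main__":
    for h in build_authorization_headers(CHALLENGES, UAC_CREDENTIALS,
                                         "REGISTER", "sip:sip.example.com"):
        print("Authorization:", h, "->", verify_authorization(h, UAS_PASSWORDS, "REGISTER"))
```

The UAC answers only the two realms it holds credentials for, which is the "for which the UAC wishes to supply a credential" clause in the quoted text; the UAS picks the credential to check by the realm and username carried in each Authorization value, so two challenges from different realms are verified independently.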