<html>
<head>
<meta content="text/html; charset=ISO-8859-1"
http-equiv="Content-Type">
</head>
<body text="#000000" bgcolor="#FFFFFF">
<div class="moz-cite-prefix">On 02/11/2013 04:09 PM, Olle E.
Johansson wrote:<br>
</div>
<blockquote
cite="mid:095CFFBE-20CE-4568-8B47-42F6C8F29793@edvina.net"
type="cite">
<br>
<div>
<div>On 11 Feb 2013 at 22:08, "Mark Michelson" &lt;<a
moz-do-not-send="true"
href="mailto:reviewboard@asterisk.org">reviewboard@asterisk.org</a>&gt; wrote:</div>
<br class="Apple-interchange-newline">
<blockquote type="cite">
<pre>This means that Asterisk may send multiple WWW-Authenticate headers out in an authentication challenge and can cope with multiple Authorization headers in requests.</pre>
</blockquote>
</div>
Hi!
<div>A small clarification:</div>
<div><br>
<div>An endpoint that wants to authenticate a request should
only send ONE www-authenticate in one response.</div>
<div><br>
</div>
<div>It can receive multiple proxy-authenticate and ONE
www-authenticate in a response, and thus needs to send
multiple proxyauth and one www auth in a request.</div>
<div><br>
</div>
<div>Now, if we have multiple auth methods as a server, like MD5
and SHA256, I don't know what to do really... This needs to be
investigated.</div>
<div><br>
</div>
<div>Cheers</div>
<div>/O</div>
</div>
<br>
</blockquote>
<br>
<tt>RFC 2617 mentions the possibility of sending multiple
WWW-Authenticate headers in an HTTP 401 response. It specifically
mentions the case where multiple authentication schemes are
offered (see section 4.6).<br>
<br>
Looking through RFC 3261, I can't see anything that explicitly
prohibits more than one WWW-Authenticate header being sent.
Looking in section 22.3 (which is about proxy-to-user
authentication), it says the following:<br>
</tt><br>
<tt>"When resubmitting its request in response to a 401
(Unauthorized) or 407 (Proxy Authentication Required) that
contains multiple challenges, a UAC MAY include an Authorization
value for each WWW-Authenticate value and a Proxy-Authorization
value for each Proxy-Authenticate value for which the UAC wishes
to supply a credential. As noted above, multiple credentials in a
request SHOULD be differentiated by the "realm" parameter.<br>
<br>
</tt><tt>It is possible for multiple challenges associated with the
same realm to appear in the same 401 (Unauthorized) or 407 (Proxy
Authentication Required). This can occur, for example, when
multiple proxies within the same administrative domain, which use
a common realm, are reached by a forking request. When it retries
a request, a UAC MAY therefore supply multiple credentials in
Authorization or Proxy-Authorization header fields with the same
"realm" parameter value. The same credentials SHOULD be used for
the same realm."<br>
<br>
It mentions an example of multiple proxies being reached by a
forking request, but that does not necessarily mean it is the
only reason multiple challenges may be present in a response. And
in the previous paragraph, the mention of "for each
WWW-Authenticate value" means that there can be more than one
present.<br>
<br>
Is there a newer RFC that obsoletes or clarifies what RFC 3261
says here? Or have I misinterpreted things in some way?<br>
<br>
Mark Michelson<br>
</tt>
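<p>The exchange the thread is arguing about, as an added example that is not part of the original mail thread and not Asterisk code: a constructed SIP 401 carrying two Digest challenges (different realms, one MD5 and one SHA-256), a UAC routine that answers each challenge it holds a credential for with its own Authorization value keyed by realm, and the matching UAS check that picks the challenge by realm and compares in constant time. The 401, realms, nonces, usernames and passwords are made up; MD5 is the algorithm RFC 3261 defines, and treating <tt>algorithm=SHA-256</tt> the way RFC 7616 does for HTTP is an assumption, not something the thread settles.</p>

```python
import hashlib
import hmac
import re
import secrets

# Constructed sample 401 (not from the original thread): two Digest challenges,
# different realms and algorithms, in one response. All names are made up.
SAMPLE_401 = (
    "SIP/2.0 401 Unauthorized\r\n"
    "Via: SIP/2.0/UDP 192.0.2.10:5060;branch=z9hG4bK776asdhds\r\n"
    'WWW-Authenticate: Digest realm="pbx.example.com", '
    'nonce="dcd98b7102dd2f0e8b11d0f600bfb0c093", algorithm=MD5, qop="auth"\r\n'
    'WWW-Authenticate: Digest realm="sip.example.net", '
    'nonce="5ccc069c403ebaf9f0171e9517f40e41", algorithm=SHA-256, qop="auth"\r\n'
    "Content-Length: 0\r\n\r\n"
)

_PARAM_RE = re.compile(r'([A-Za-z][\w-]*)=(?:"([^"]*)"|([^,\s]+))')
# MD5 is what RFC 3261 defines; SHA-256 follows the RFC 7616 HTTP construction
# and is an assumption about how a SIP peer would label it.
_HASHES = {"MD5": hashlib.md5, "SHA-256": hashlib.sha256}


def parse_params(value):
    """Parse 'Digest k1="v1", k2=v2' into {'scheme': 'Digest', 'k1': 'v1', ...}."""
    scheme, _, params = value.strip().partition(" ")
    out = {"scheme": scheme}
    for key, quoted, bare in _PARAM_RE.findall(params):
        out[key.lower()] = quoted if quoted else bare
    return out


def parse_challenges(response):
    """One dict per WWW-Authenticate header in the response, in wire order."""
    head = response.split("\r\n\r\n", 1)[0]
    challenges = []
    for line in head.split("\r\n")[1:]:
        name, _, value = line.partition(":")
        if name.strip().lower() == "www-authenticate":
            challenges.append(parse_params(value))
    return challenges


def digest_response(ch, username, password, method, uri, cnonce, nc="00000001"):
    """RFC 2617 / RFC 3261 Digest response for a single challenge."""
    h = _HASHES[ch.get("algorithm", "MD5").upper()]
    H = lambda s: h(s.encode()).hexdigest()
    ha1 = H(f"{username}:{ch['realm']}:{password}")
    ha2 = H(f"{method}:{uri}")
    if ch.get("qop") == "auth":
        return H(f"{ha1}:{ch['nonce']}:{nc}:{cnonce}:auth:{ha2}")
    return H(f"{ha1}:{ch['nonce']}:{ha2}")


def build_authorization_headers(response, method, uri, credentials, cnonce=None):
    """UAC side: one Authorization value per challenge we hold a credential for,
    differentiated by realm as RFC 3261 section 22.3 says. credentials maps
    realm -> (username, password); a repeated realm reuses the same credential."""
    cnonce = cnonce or secrets.token_hex(8)
    headers = []
    for ch in parse_challenges(response):
        if ch["scheme"].lower() != "digest" or ch.get("realm") not in credentials:
            continue  # a UAC MAY leave a challenge unanswered
        user, pw = credentials[ch["realm"]]
        resp = digest_response(ch, user, pw, method, uri, cnonce)
        params = [f'username="{user}"', f'realm="{ch["realm"]}"',
                  f'nonce="{ch["nonce"]}"', f'uri="{uri}"', f'response="{resp}"',
                  f'algorithm={ch.get("algorithm", "MD5")}']
        if ch.get("qop") == "auth":
            params += ["qop=auth", "nc=00000001", f'cnonce="{cnonce}"']
        headers.append("Authorization: Digest " + ", ".join(params))
    return headers


def verify_authorization(header, challenges, method, passwords):
    """UAS side: select the issued challenge by realm, recompute the response
    with the stored password and compare in constant time.
    passwords maps (realm, username) -> password."""
    p = parse_params(header.partition(":")[2])
    by_realm = {c["realm"]: c for c in challenges}
    ch = by_realm.get(p.get("realm"))
    if ch is None or p.get("nonce") != ch["nonce"]:
        return False  # unknown realm, or a nonce this server never issued
    pw = passwords.get((ch["realm"], p.get("username")))
    if pw is None:
        return False
    expected = digest_response(ch, p["username"], pw, method, p.get("uri", ""),
                               p.get("cnonce", ""), p.get("nc", "00000001"))
    return hmac.compare_digest(expected, p.get("response", ""))


if __name__ == "__main__":
    creds = {"pbx.example.com": ("alice", "s3cret"),
             "sip.example.net": ("alice", "0therPw")}
    for h in build_authorization_headers(SAMPLE_401, "REGISTER",
                                         "sip:pbx.example.com", creds):
        print(h)
```

<p>Run stand-alone it prints the two Authorization headers the retried REGISTER would carry. The UAS check deliberately refuses a nonce it did not issue for that realm and a username it has no password for before doing any hashing, and uses a constant-time comparison on the response value.</p>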
</body>
</html>