HTTP WWW-Authenticate - add scheme and algorithm info

[hamishwillee]

WWW-Authenticate and Authorization together are the HTTP headers used in the general HTTP authentication framework. Note, compatibility for these should mirror each other.

Thing is, this is a framework, not a specific implementation. So saying that Firefox or whatever supports this in version X tells you very little. The useful compatibility information is

• which authentication methods are supported - basic, digest, kerberos etc.
• within some authentication methods, which algorithms are supported.

What I have done here is a draft that attempts to start adding that information. I really don't want to go all the way with this, but I'd like to at least cover the methods supported by Firefox and Chrome, down to algorithm level. Right now this just starts the job for Firefox, since there is not much point me chasing this too far if BCD team disagree with this approach.

What I know.

• Firefox supports: basic, digest (on all platforms), and ntlm and negotiate (kerberos) depending on whether OS support is available (from here)
  • Firefox supports digest authentication with MD5 and SHA256 (from FF93). Not SHA 512.
  • Basic doesn't use any algorithms.
  • I whether NTLM/negotiate use algorithms that require separate support statements.
• Chrome supports the same set, but it isn't clear what algorithms: https://www.chromium.org/developers/design-documents/http-authentication , and no OS restrictions other than Chrome OS are noted.
  • Chrome does NOT support SHA256 as of Sept 29 https://bugs.chromium.org/p/chromium/issues/detail?id=1160478 - nothing supports SHA512.
• In addition to those schemes above there are more listed here - including HOBA, Mutual, Bearer, AWS4-HMAC-SHA256. I propose not to add info about support for those until yet, but people could add that if they knew something was supported.
• Safari itself has no clear statement about what it supports but there is enough info to be sure it does for Basic authentication: https://developer.apple.com/forums/thread/96293 - albeit poorly. No clear info on digest support. If someone had a mac you could test maybe using a method from here https://httpbin.org/#/Auth

Questions

• Is this approach acceptable? Should I keep going?
• The specs are giving me errors. How can I fix this?
• Authorization should mirror this. OK to just copy this when we're done? - EDITED. Yes.

Fixes #12370. Actually, it's a draft to help test whether the approach is reasonable.

[hamishwillee]

@ddbeck If you could push this to someone for review that would be great.

[ddbeck]

• Is this approach acceptable? Should I keep going?

Yeah, this makes sense. A couple things to keep in mind: partial_implementation will probably apply to OS-specific limitations (e.g., some auth supported on Windows but not macOS or what have you). Notes will be needed.

One additional question at the end here, however.

• The specs are giving me errors. How can I fix this?

The immediate cause of the failures is that URLs are missing fragments, for deep linking to the relevant portion of the spec.

That said, we typically use the https://datatrack.ietf.org/ URLs. And I didn't check whether the linked specs would validate. Also, the URL will need to be in w3c/browser-specs (there's a separate test for that at the end, after you've cleared the schema validation).

• Authorization should mirror this. OK to just copy this when we're done?

I'm not decided on this yet, but why both? On initial reading, I was thinking, should this be on Authorization only, as that's the request header? I'm not sure what browsers are obligated to do with WWW-Authenticate responses. It might be easier to overlook these features on WWW-Authenticate and centralize what we know about browser behavior on Authorization. (That said, you're way ahead of me on how this stuff works, so if you say it's relevant to both, I'll defer to that.)

[ddbeck]

Just making a note here that in a recent call, Hamish and I decided to include both WWW-Auth and Auth data, then deduplicate later if needed.

[hamishwillee]

Thanks! Yes, you also said I could use null as needed for now because this is HTTP. It is on my list but not a priority.

[hamishwillee]

@ddbeck Before I mirror the results I wanted to make sure that the WWW-Authenticate information will get accepted. There are two parts to that - data and specs.

Re the data, this is pretty "loose" because it is hard for me to verify. We kind of agreed this was OK.
Since you looked at this last, I have modified the data:

• Safari is now marked as true for supported, and true for basic - essentially there is enough evidence it supports basic authentication. It is still null for everything else because I can't verify either way.
• Chrome supports MD5 digest so marked true for all variants. I was able to verify not SHA256 as of sept 29. Assuming not SHA512 as well :-) so marked those as false.
• Negotiate and NTLM appear to be supported too according to Chrome docs, so marked them true as well.

Is the above good enough submission of the data?

Re the specs, I'm getting errors.
The fix is just a PR to https://github.com/w3c/browser-specs/blob/main/specs.json right? Does it matter which I use? For example I RFC4559 is usually referenced as https://www.ietf.org/rfc/rfc4559.txt but you could use https://www.rfc-editor.org/rfc/rfc4559.html#section-1

[ddbeck]

Is the above good enough submission of the data?

Yes, but in the case of Chrome, please link to any other docs materials you're relying on here in the PR.

For the IETF specs, use the rfc-editor URLs, for consistency with what's in the browser-specs repo already.

[hamishwillee]

Thanks. I'll update the specs on Friday. W.r.t. chrome supporting data,

• this is what I used for "what they support: https://www.chromium.org/developers/design-documents/http-authentication
• This is what I used to determine they do not support SHA256 yet: https://bugs.chromium.org/p/chromium/issues/detail?id=1160478

I know they support MD5 because if you support digest at all before now that is what you supported. I believe they don't support SHA512 because they'd not implement 256 if they already had 512.

[hamishwillee]

@ddbeck OK, Status updated 9 Nov.

• Add RFC4120, 7616, 7617: Various Authentication protocols w3c/browser-specs#420 adds specs for the https://www.rfc-editor.org/ cases. These have merged but are reporting errors. Not sure when those become accessible to bcd.
• NTLM over HTTP spec w3c/browser-specs#421 for the Microsoft spec for NTLM authentication was rejected. I have created a spec exception for review in add exception for NTLM spec (microsoft) #13383

If that goes through I'll duplicate for the other header.

[hamishwillee]

@ddbeck Happy days. NTLM spec removed and I have mirrored the WWW-authenticate to the Authorization header (changing the main spec url only).

Should be good to merge.
After that, I'll update https://developer.mozilla.org/en-US/docs/Web/HTTP/Headers/Authorization to use the spec_url.

[ddbeck]

Thank you! 🎉