curl / Mailing Lists / curl-library / Single Mail

Buy commercial curl support from WolfSSL. We help you work out your issues, debug your libcurl applications, use the API, port to new platforms, add new features and more. With a team lead by the curl founder himself.

Re: curl doesn't handle multiple WWW-Authenticate challenges properly (Negotiate)

From: Mischa Salle via curl-library <curl-library_at_cool.haxx.se>
Date: Wed, 29 Jan 2020 10:32:51 +0100

Hi,

On Tue, Jan 28, 2020 at 10:29 PM Daniel Stenberg <daniel_at_haxx.se> wrote:
>
> On Tue, 28 Jan 2020, Mischa Salle wrote:
>
> > In short, it's primarily a documentation issue with the manpage of curl
> > itself, no longer a code issue.
>
> Thanks, I created a PR to fix it: https://github.com/curl/curl/pull/4862

thanks!

Just for completeness, I had a further look into the multiple
Authorization headers and this is indeed *not* allowed according to
the specs, neither as multiple Authorization headers, nor as a single
comma separated one: Following
https://tools.ietf.org/html/rfc7230#section-3.2.2 we are required to
bundle them into a single comma separated list (unless we consider it
a well known exception), and
https://tools.ietf.org/html/rfc7235#section-4.2 and
https://tools.ietf.org/html/rfc7235#section-2.1 shows that you cannot
combine them into such a list since credentials cannot have more than
one auth-scheme. This matches what one of the authors (Julian Reschke)
answered on stackoverflow (e.g. https://stackoverflow.com/a/29288935).

Best wishes,
Mischa
-------------------------------------------------------------------
Unsubscribe: https://cool.haxx.se/list/listinfo/curl-library
Etiquette: https://curl.haxx.se/mail/etiquette.html
Received on 2020-01-29

Contemporary messages sorted: [ by date ] [ by thread ] [ by subject ] [ by author ] [ by messages with attachments ]