Opened 9 years ago
Closed 12 months ago
#485 closed enhancement (fixed)
Multiple WWW-Authenticate headers
|Reported by:||Fasih||Owned by:|
|Keywords:||response header handling||Cc:|
|uname -a:||Linux fasih-thinks 3.5.0-23-generic #35~precise1-Ubuntu SMP Fri Jan 25 17:13:26 UTC 2013 x86_64 x86_64 x86_64 GNU/Linux|
nginx version: nginx/1.5.1
built by gcc 4.6.3 (Ubuntu/Linaro 4.6.3-1ubuntu5)
configure arguments: --prefix=/home/faskiri/usr --with-debug
The RFC allows a server to respond with multiple WWW-Authenticate headers (http://www.w3.org/Protocols/rfc2616/rfc2616-sec14.html#sec14.47).
"User agents are advised to take special care in parsing the WWW-Authenticate field value as it might contain more than one challenge, or if more than one WWW-Authenticate header field is provided, the contents of a challenge itself can contain a comma-separated list of authentication parameters."
However, nginx defines the WWW-Authenticate header as an ngx_table_elt_t in the ngx_http_headers_out_t struct, as opposed to an ngx_array_t like other allowed repeated value headers.
I am using nginx as a reverse proxy. The upstream sends two WWW-Authenticate headers with different realms. I was processing the www_authenticate header field and hadn't realized that it was legal to send multiple WWW-Authenticate headers.
One e.g. for a valid real-world use:
Change History (11)
comment:1 by , 9 years ago
comment:2 by , 9 years ago
Please see this thread and this message in particular. As suggested, just changing WWW-Authenticate to array_t looks wrong.
Note well that the suggested patch doesn't allow intercepting 401 errors from upstream with multiple WWW-Authenticate headers. And this looks like the only practical problem with multiple WWW-Authenticate headers.
Please also see http://nginx.org/en/docs/contributing_changes.html.
comment:3 by , 7 years ago
|Type:||defect → enhancement|
comment:4 by , 6 years ago
Are there any plans to support multiple WWW-Authenticate headers soon?
In our company we want to switch the IIS servers to NGINX. We are using the auth_request_module and we developed an authentication server that sends a Negotiate and a Basic WWW-Authenticate header. But only the first one arrives at the client.
We tried to send the two challenges in one header, but the clients do not understand this.
Now we are blocked, so any chance to implement this?
comment:5 by , 5 years ago
We've hit this issue as well. Just wondering if this is planned to be implemented sometime?
comment:6 by , 5 years ago
We have also hit this issue with the auth_request module trying to use an intranet authentication server that sends multiple WWW-Authenticate headers. A real blocker!
comment:10 by , 12 months ago
|Status:||new → closed|
Fixed, thanks to all involved.
Note that 3rd party authentication modules have to be modified to be compatible with the new approach of handling multiple WWW-Authenticate headers.
This is my very first contribution, please do not be too severe. So I've updated the ngx_http_request_t struct and updated module consumers as well. I have tested with mdounin unit tests and it looks ok.
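
An added example, not part of the ticket or of nginx: a quote-aware Python parser for the case in the RFC passage quoted in the description, where challenges may arrive as several WWW-Authenticate fields or comma-joined in one field. It can be used to check what a proxy actually forwards to the client; the function name and the sample header values are constructed for illustration.

```python
import re

TOKEN = r"[!#$%&'*+.^_`|~0-9A-Za-z-]+"
QUOTED = r'"(?:\\.|[^"\\])*"'
ITEM = re.compile(rf'(?:[^",]|{QUOTED})+')        # split on commas outside quotes
PARAM = re.compile(rf'({TOKEN})\s*=\s*({TOKEN}|{QUOTED})')
START = re.compile(rf'({TOKEN})(?:\s+(.+))?')     # scheme [SP first-param-or-token68]


def _unquote(v):
    """Strip the quotes of a quoted-string and resolve backslash escapes."""
    return re.sub(r'\\(.)', r'\1', v[1:-1]) if v.startswith('"') else v


def parse_challenges(field_values):
    """Return every challenge found in a list of WWW-Authenticate field values."""
    challenges = []
    for value in field_values:
        current = None                    # parameters never carry across fields
        for item in ITEM.findall(value):
            item = item.strip()
            param = PARAM.fullmatch(item)
            if param and current is not None:
                # bare "name=value" continues the challenge opened before it
                current["params"][param[1].lower()] = _unquote(param[2])
                continue
            start = START.fullmatch(item)
            if not start:
                continue                  # empty or malformed item: skip it
            current = {"scheme": start[1], "token68": None, "params": {}}
            challenges.append(current)
            rest = (start[2] or "").strip()
            first = PARAM.fullmatch(rest)
            if first:
                current["params"][first[1].lower()] = _unquote(first[2])
            elif rest:
                current["token68"] = rest  # e.g. a Negotiate continuation blob
    return challenges


# Constructed sample values: the same two challenges sent as two header
# fields and as one comma-joined field (realm contains a comma on purpose).
SEPARATE = ["Negotiate", 'Basic realm="intranet, staff"']
COMBINED = ['Negotiate, Basic realm="intranet, staff"']

if __name__ == "__main__":
    for challenge in parse_challenges(SEPARATE):
        print(challenge)
```
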