Opened 6 years ago

Last modified 18 months ago

#485 new enhancement

Multiple WWW-Authenticate headers

Reported by: faskiri.devel@… Owned by:
Priority: minor Milestone:
Component: nginx-core Version: 1.5.x
Keywords: response header handling Cc:
uname -a: Linux fasih-thinks 3.5.0-23-generic #35~precise1-Ubuntu SMP Fri Jan 25 17:13:26 UTC 2013 x86_64 x86_64 x86_64 GNU/Linux
nginx -V: nginx version: nginx/1.5.1 built by gcc 4.6.3 (Ubuntu/Linaro 4.6.3-1ubuntu5) configure arguments: --prefix=/home/faskiri/usr --with-debug

Description

The RFC allows a server to respond with multiple WWW-Authenticate headers (http://www.w3.org/Protocols/rfc2616/rfc2616-sec14.html#sec14.47).

"User agents are advised to take special care in parsing the WWW-Authenticate field value as it might contain more than one challenge, or if more than one WWW-Authenticate header field is provided, the contents of a challenge itself can contain a comma-separated list of authentication parameters."

However, nginx defines the WWW-Authenticate header as an ngx_table_elt_t in the ngx_http_headers_out_t struct, as opposed to an ngx_array_t like other allowed repeated-value headers.

I am using nginx as a reverse proxy. The upstream sends two WWW-Authenticate headers with different realms. I was processing the www_authenticate header field and hadn't realized that it was legal to send multiple WWW-Authenticate headers.

One example of a valid real-world use:

http://stackoverflow.com/a/15894841/1597813

Attachments (1)

patch.485.diff (6.7 KB) - added by www.google.com/accounts/o8/id?id=AItOawkRQ1diZPZj5_CjPIAISLlaz9bDANNpfnw 5 years ago.


Change History (7)

Changed 5 years ago by www.google.com/accounts/o8/id?id=AItOawkRQ1diZPZj5_CjPIAISLlaz9bDANNpfnw

comment:1 Changed 5 years ago by www.google.com/accounts/o8/id?id=AItOawkRQ1diZPZj5_CjPIAISLlaz9bDANNpfnw

This is my very first contribution, please do not be too severe. So I've updated the ngx_http_request_t struct and updated module consumers as well. I have tested with mdounin's unit tests and it looks OK.

comment:2 Changed 5 years ago by mdounin

Please see this thread and this message in particular. As suggested, just changing WWW-Authenticate to array_t looks wrong.

Note well that the patch suggested doesn't allow intercepting 401 errors from upstream with multiple WWW-Authenticate headers. And this looks like the only practical problem with multiple WWW-Authenticate headers.

Please also see http://nginx.org/en/docs/contributing_changes.html.

comment:3 Changed 3 years ago by mdounin

  • Type changed from defect to enhancement

comment:4 Changed 3 years ago by gerrieg@…

Are there any plans to support multiple WWW-Authenticate headers soon?

In our company we want to switch the IIS servers to NGINX. We are using the auth_request_module and we developed an authentication server that sends a Negotiate and a Basic WWW-Authenticate header. But only the first one arrives at the client.
We tried to send the two challenges in one header, but the clients do not understand this.

Now we are blocked, so any chance to implement this?

comment:5 Changed 20 months ago by kipras@…

We've hit this issue as well. Just wondering if this is planned to be implemented sometime?

comment:6 Changed 18 months ago by DenverJ@…

We have also hit this issue with the auth_request module trying to use an intranet authentication server that sends multiple WWW-Authenticate headers. A real blocker!
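Added example, not part of the ticket and not nginx code: a client-side parser that handles both wire forms discussed above, several WWW-Authenticate lines and several challenges joined in one line, following the RFC 7235 challenge grammar (a scheme, then either a token68 or comma-separated name=value parameters). The function names and the sample header values are assumptions constructed for illustration; the Negotiate and Basic pair mirrors comment:4.

```python
import re

TOKEN = r"[!#$%&'*+\-.^_`|~0-9A-Za-z]+"
PARAM = re.compile(rf'({TOKEN})\s*=\s*("(?:[^"\\]|\\.)*"|{TOKEN})$')  # name=value
START = re.compile(rf"({TOKEN})(?:\s+(.+))?$")                        # scheme [rest]
TOKEN68 = re.compile(r"[A-Za-z0-9\-._~+/]+=*$")
ITEM = re.compile(r'(?:[^,"]|"(?:[^"\\]|\\.)*")+')   # run with no comma outside quotes

# Constructed sample: a Negotiate + Basic pair, in both wire forms.
TWO_LINES = ["Negotiate", 'Basic realm="intranet, staff", charset="UTF-8"']
ONE_LINE = [", ".join(TWO_LINES)]


def unquote(v):
    return re.sub(r"\\(.)", r"\1", v[1:-1]) if v.startswith('"') else v


def parse_challenges(field_values):
    """Parse every WWW-Authenticate line into {scheme, token68, params} dicts."""
    out = []
    for value in field_values:
        if ITEM.sub("", value).strip(","):  # leftovers mean an unbalanced quote
            raise ValueError(f"malformed field value: {value!r}")
        current = None  # parameters never carry over from one header line to the next
        for item in filter(None, (i.strip() for i in ITEM.findall(value))):
            m = PARAM.match(item)
            if m:  # bare name=value: a parameter of the challenge being built
                if current is None or current["token68"]:
                    raise ValueError(f"parameter without a scheme: {item!r}")
                current["params"][m.group(1).lower()] = unquote(m.group(2))
                continue
            s = START.match(item)
            if not s:
                raise ValueError(f"malformed challenge: {item!r}")
            current = {"scheme": s.group(1), "token68": None, "params": {}}
            out.append(current)
            rest = (s.group(2) or "").strip()
            p = PARAM.match(rest)
            if p:
                current["params"][p.group(1).lower()] = unquote(p.group(2))
            elif TOKEN68.match(rest):
                current["token68"] = rest
            elif rest:
                raise ValueError(f"malformed challenge: {item!r}")
    return out


def offered_schemes(field_values):
    return [c["scheme"] for c in parse_challenges(field_values)]
```

Passing only the first line, as happens when an intermediary keeps a single header, leaves `offered_schemes` with `Negotiate` alone, so a client that can only do Basic has no usable challenge.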
