RFC 2617, "HTTP Authentication: Basic and Digest Access Authentication", June 1999
Source of RFC: http (app)
Errata ID: 1959
Publication Format(s) : TEXT
Reported By: Julian Reschke
Date Reported: 2009-12-10
Verifier Name: Alexey Melnikov
Date Verified: 2009-12-27
Section 1.2 p4 says:
credentials = auth-scheme #auth-param
It should say:
credentials = auth-scheme ( token | quoted-string | #auth-param )
Alexey Melnikov (updated as per suggestion from Paul Leach):
auth-param doesn't allow for parameters with no '=', so Basic is non-conformant to the generic syntax.
Multiple versions of token/quoted-string (with no attribute name) are not allowed, as none of the existing schemes not using auth-param support that.
(Note that RFC 2617 is using BNF from RFC 2616, which allows for implied LWS.)
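
The difference between the two rules, as an added example that is not part of the erratum or of RFC 2617: a small Python matcher for the `credentials` production, run with the original and the corrected rule. The name `classify`, the `Custom` scheme and the sample header values are assumptions made for illustration; null list elements and folded header lines are not handled.

```python
import re

# RFC 2616 section 2.2 token: any CHAR except CTLs and separators.
# "=" and "/" are separators, so the Basic sample below is unpadded base64.
TOKEN = r"[!#$%&'*+\-.^_`|~0-9A-Za-z]+"
# quoted-string, simplified: qdtext or a backslash-escaped character.
QUOTED = r'"(?:[^"\\]|\\.)*"'
LWS = r"[ \t]*"  # implied linear whitespace between grammar elements
AUTH_PARAM = rf"{TOKEN}{LWS}={LWS}(?:{TOKEN}|{QUOTED})"
# #auth-param: comma-separated list, zero or more elements.
PARAM_LIST = rf"(?:{AUTH_PARAM}(?:{LWS},{LWS}{AUTH_PARAM})*)?"


def classify(value, corrected=True):
    """Return which alternative of the credentials rule matches, or None.

    corrected=False applies the original rule (auth-scheme #auth-param);
    corrected=True applies the rule from this erratum, which also accepts
    exactly one bare token or one quoted-string after the scheme.
    """
    m = re.fullmatch(rf"{TOKEN}(?:[ \t]+(.*?))?[ \t]*", value)
    if m is None:
        return None
    rest = m.group(1) or ""
    if re.fullmatch(PARAM_LIST, rest):
        return "auth-params"
    if corrected and re.fullmatch(TOKEN, rest):
        return "token"
    if corrected and re.fullmatch(QUOTED, rest):
        return "quoted-string"
    return None


# Constructed sample header values (not taken from the erratum).
SAMPLES = [
    'Digest username="Mufasa", realm="testrealm@host.com"',
    "Basic dXNlcjpwYXNz",          # base64 of "user:pass"
    'Custom "opaque value"',       # hypothetical scheme name
    "Basic dXNlcjpwYXNz extra",    # two bare tokens: rejected by both rules
]

if __name__ == "__main__":
    for s in SAMPLES:
        print(f"{s!r}: original={classify(s, False)} corrected={classify(s, True)}")
```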