RFC Errata
RFC 7804, "Salted Challenge Response HTTP Authentication Mechanism", March 2016
Source of RFC: httpauth (sec)
Errata ID: 6558
Status: Reported
Type: Technical
Publication Format(s) : TEXT
Reported By: Stephan Bosch
Date Reported: 2021-04-24
Section 5 says:
   C: GET /resource HTTP/1.1
   C: Host: server.example.com
   C: Authorization: SCRAM-SHA-256 sid=AAAABBBBCCCCDDDD,
       data=Yz1iaXdzLHI9ck9wck5HZndFYmVSV2diTkVrcU8laHZZRHBXVWEyUmFUQ
       0FmdXhGSWxqKWhObEYscD1kSHpiWmFwV0lrNGpVaE4rVXRlOXl0YWc5empm
       TUhnc3FtbWl6N0FuZFZRPQo=
   C: [...]

   S: HTTP/1.1 200 Ok
   S: Authentication-Info: sid=AAAABBBBCCCCDDDD,
       data=dj02cnJpVFJCaTIzV3BSUi93dHVwK21NaFVaVW4vZEI1bkxUSlJzamw5N
       Uc0PQo=
   S: [...Other header fields and resource body...]
It should say:
   C: GET /resource HTTP/1.1
   C: Host: server.example.com
   C: Authorization: SCRAM-SHA-256 sid=AAAABBBBCCCCDDDD,
       data="Yz1iaXdzLHI9ck9wck5HZndFYmVSV2diTkVrcU8laHZZRHBXVWEyUmFUQ
       0FmdXhGSWxqKWhObEYscD1kSHpiWmFwV0lrNGpVaE4rVXRlOXl0YWc5empm
       TUhnc3FtbWl6N0FuZFZRPQo="
   C: [...]

   S: HTTP/1.1 200 Ok
   S: Authentication-Info: sid=AAAABBBBCCCCDDDD,
       data="dj02cnJpVFJCaTIzV3BSUi93dHVwK21NaFVaVW4vZEI1bkxUSlJzamw5N
       Uc0PQo="
   S: [...Other header fields and resource body...]
Notes:
The "data" parameter values for the example client request and server response are not quoted, even though these values do not comply with the HTTP token syntax (these both contain a final '='). This means that these examples are in fact invalid.
Found at least one server that implemented its HTTP SCRAM mechanism based on this example, expecting the data parameter to be unquoted and producing it unquoted as well.
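The following is an added example, not part of the RFC or of this erratum report, showing why the unquoted form is a syntax error and how an implementation avoids the interoperability problem the note describes. It implements the RFC 7235 auth-param grammar (token or quoted-string values, with the tchar set from RFC 7230): a serializer that quotes any value that is not a token, and a strict parser that rejects the unquoted base64 because the trailing '=' padding is not a tchar. All function names, and the sid and base64 data values, are constructed for the example and are not from RFC 7804.

```python
import base64
import re

# tchar, RFC 7230 section 3.2.6. Note that "=" is NOT in this set,
# so base64 with padding can never be carried as a bare token.
TCHAR = set("!#$%&'*+-.^_`|~"
            "0123456789"
            "ABCDEFGHIJKLMNOPQRSTUVWXYZabcdefghijklmnopqrstuvwxyz")
TCHAR_CLASS = r"[!#$%&'*+\-.^_`|~0-9A-Za-z]"

# auth-param = token BWS "=" BWS ( token / quoted-string )   (RFC 7235 section 2.1)
AUTH_PARAM_RE = re.compile(
    rf'\s*(?P<name>{TCHAR_CLASS}+)\s*=\s*'
    rf'(?:(?P<token>{TCHAR_CLASS}+)|"(?P<quoted>(?:[^"\\]|\\.)*)")\s*'
)


def is_token(value: str) -> bool:
    """True if value is a non-empty HTTP token (every character is a tchar)."""
    return len(value) > 0 and all(c in TCHAR for c in value)


def quote_string(value: str) -> str:
    """Encode value as an HTTP quoted-string, escaping backslash and DQUOTE."""
    escaped = value.replace("\\", "\\\\").replace('"', '\\"')
    return f'"{escaped}"'


def serialize_auth_param(name: str, value: str) -> str:
    """Emit name=value, quoting the value whenever it is not a valid token."""
    if not is_token(name):
        raise ValueError(f"auth-param name is not a token: {name!r}")
    return f"{name}={value if is_token(value) else quote_string(value)}"


def build_scram_header(sid: str, data: str) -> str:
    """Build the parameter part of an HTTP SCRAM Authorization field value.

    The base64 'data' value ends in '=' padding most of the time, so this
    serializer will emit it as a quoted-string, which is the form the
    erratum proposes for the Section 5 example."""
    params = [serialize_auth_param("sid", sid), serialize_auth_param("data", data)]
    return "SCRAM-SHA-256 " + ", ".join(params)


def parse_auth_params(header: str) -> dict:
    """Parse '<scheme> name=value, name="value", ...' per RFC 7235.

    Returns {"scheme": str, "params": {name: unescaped value}}.
    Raises ValueError on anything the grammar does not allow, including an
    unquoted value containing '=' (the defect the erratum points out)."""
    scheme, sep, rest = header.partition(" ")
    if not sep or not is_token(scheme):
        raise ValueError("missing or malformed auth-scheme")
    params = {}
    pos = 0
    while pos < len(rest):
        m = AUTH_PARAM_RE.match(rest, pos)
        if m is None:
            raise ValueError(f"malformed auth-param at offset {pos}: {rest[pos:]!r}")
        name = m.group("name").lower()          # auth-param names are case-insensitive
        value = m.group("token")
        if value is None:                       # quoted-string: undo quoted-pair escapes
            value = re.sub(r"\\(.)", r"\1", m.group("quoted"))
        if name in params:
            raise ValueError(f"duplicate auth-param {name!r}")
        params[name] = value
        pos = m.end()
        if pos < len(rest):                     # anything left must be a ',' separator
            if rest[pos] != ",":
                raise ValueError(
                    f"unexpected {rest[pos]!r} at offset {pos}; value before it is "
                    "not a token and should have been a quoted-string")
            pos += 1
    return {"scheme": scheme, "params": params}


def is_valid_auth_header(header: str) -> bool:
    """Convenience predicate: does the header value satisfy the grammar?"""
    try:
        parse_auth_params(header)
        return True
    except ValueError:
        return False


# Constructed sample values (not the RFC's): a short session id and a base64
# string with '=' padding, which is what real SCRAM messages typically carry.
EXAMPLE_SID = "AAAABBBBCCCCDDDD"
EXAMPLE_DATA = base64.b64encode(b"v=examples").decode()   # ends in "=="

# The shape of the RFC's original (unquoted) example versus the corrected one.
UNQUOTED_HEADER = f"SCRAM-SHA-256 sid={EXAMPLE_SID}, data={EXAMPLE_DATA}"
QUOTED_HEADER = build_scram_header(EXAMPLE_SID, EXAMPLE_DATA)

if __name__ == "__main__":
    print("unquoted:", UNQUOTED_HEADER, "-> valid:", is_valid_auth_header(UNQUOTED_HEADER))
    print("quoted:  ", QUOTED_HEADER, "-> valid:", is_valid_auth_header(QUOTED_HEADER))
    print("parsed:  ", parse_auth_params(QUOTED_HEADER))
```

A lenient parser that accepts the unquoted form for compatibility with the server mentioned in the note will still produce the quoted form on output; accepting both while emitting only the RFC-conformant form is the usual way to remain interoperable without propagating the defect.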