HTTP basic authentication may violate spec

[jlabue-viewpoint]

When a token is requested using Basic as the authentication type, it is possible for no realm be indicated in the resulting HTTP response. This causes unpredictable behavior in applications that are attempting to process the response.

With Basic authentication, a realm value is required.

Found using Apache, but may occur on NGINX as well (did not verify)

[codespearhead]

This behavior indeed violates the specification.

Appendix A from rfc7235 says;

The "realm" parameter is no longer always required on challenges; consequently, the ABNF allows challenges without any auth parameters.

That specification, which updates rfc2617, is from June 2014.

Section 2 of rfc7617, which was released in September 2015 and supersedes rfc2617, says:

The 'Basic' Authentication Scheme
[...]
In challenges:
[...]
The authentication parameter 'realm' is REQUIRED.

[zandbelt]

this can be configured on the server level, independent of liboauth2 i.e. in Apache

AuthName <realm>

see: https://github.com/OpenIDC/liboauth2/blob/v1.6.3/src/server/apache.c#L378-L380

[jlabue-viewpoint]

I totally missed that. Thank you for the clarification!