Support the 'charset' auth-param in basic authentication

External Issue #11879594

Details

Author: Vittal A.
Created: May 3, 2017
Privacy: This issue is public.
Reports: Reported by 1 person


Steps to reproduce

At present, IE will respond to a basic HTTP authentication WWW-Authenticate request with an Authorization header containing the base64 encoded username and password. However, the character set for the username and password is assumed to be iso-8859-1. This can cause problems for usernames/passwords containing the ‘£’ sign. This can be represented as a single byte of \xa3 or as \xc2\xa3 (UTF-8). IE appears to send only a single byte, which causes problems if the server is storing the value as multi-byte.

https://tools.ietf.org/html/rfc7617#section-2.1 specifies that the server can send the “charset” parameter along with the WWW-Authenticate header. If given as UTF-8, then the client should encode the username and password as utf-8 before base64 encoding. This removes any ambiguity about the contents of the username and password while maintaining backward compatibility.

This is tracked for Firefox at https://bugzilla.mozilla.org/show_bug.cgi?id=41489

Chrome appears to always use UTF-8.
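The encoding mismatch described in this report, as an added Python example that is not part of the original issue or any browser's code: the client side picks the charset from the challenge, and the server side decodes strict UTF-8 with an ISO-8859-1 fallback. The function names, the `example` realm and the sample credentials are constructed for illustration.

```python
import base64
import re

def challenge_charset(www_authenticate: str) -> str:
    """Return the encoding a client should use for a Basic challenge.

    RFC 7617 defines only charset="UTF-8" (case-insensitive); without it
    this sketch assumes the legacy ISO-8859-1 behaviour the report describes.
    """
    m = re.search(r'\bcharset\s*=\s*"?([A-Za-z0-9-]+)"?', www_authenticate, re.I)
    return "utf-8" if m and m.group(1).lower() == "utf-8" else "iso-8859-1"

def build_authorization(user: str, password: str, www_authenticate: str) -> str:
    """Client side: encode user:pass with the negotiated charset, then base64."""
    raw = f"{user}:{password}".encode(challenge_charset(www_authenticate))
    return "Basic " + base64.b64encode(raw).decode("ascii")

def decode_authorization(header: str) -> tuple[str, str]:
    """Server side: accept UTF-8 and fall back to ISO-8859-1.

    Strict UTF-8 decoding rejects a lone 0xA3 byte, so the fallback
    recovers credentials from clients that ignore the charset parameter.
    """
    scheme, _, token = header.partition(" ")
    if scheme.lower() != "basic":
        raise ValueError("not a Basic credential")
    raw = base64.b64decode(token.strip(), validate=True)
    try:
        text = raw.decode("utf-8")
    except UnicodeDecodeError:
        text = raw.decode("iso-8859-1")
    user, sep, password = text.partition(":")
    if not sep:
        raise ValueError("missing ':' separator")
    return user, password

# Constructed sample challenges (not taken from a real server).
LEGACY = 'Basic realm="example"'
UTF8 = 'Basic realm="example", charset="UTF-8"'

if __name__ == "__main__":
    for challenge in (LEGACY, UTF8):
        header = build_authorization("user", "p£ss", challenge)
        print(challenge, "->", header, "->", decode_authorization(header))
```

The fallback is a heuristic: an ISO-8859-1 byte sequence that happens to be valid UTF-8 (for example `\xc2\xa3`) is decoded as UTF-8, so comparing against a stored credential is only unambiguous when the client honours the `charset` parameter.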


    Comments and activity

    • Duplicate of #11879611

    • Microsoft Edge Team

      Changed Assigned To to “James M.”

      Changed Status to “External”

    • This bug has been marked as a duplicate. Please follow the parent issue to get new updates.
