Robustly parse quoted WWW-Authenticate parameters #1088

@halter73

Description

Something like `param=","` can break our naive WWW-Authenticate parameter parsing logic in ClientOAuthProvider. While I don't expect many servers will be sending parameters like that in their responses, and it'd be very unusual for an attacker to have only partial control over a WWW-Authenticate response header value, it'd be best to properly account for things like commas inside of quoted strings or escaped quotes (`\"`).

It's a bit like CSV with its quote handling trickiness.

See #1084 (comment) for more context.

https://gist.github.com/halter73/aca998c8855b4260b7ae2e705d85ec98 includes a Copilot conversation I had investigating whether there was a built-in API we could leverage, and it appears not.

RFC 9110 contains the relevant specs for the WWW-Authenticate header and how to read a parameter.

https://www.rfc-editor.org/rfc/rfc9110#section-11.6.1
https://www.rfc-editor.org/rfc/rfc9110#parameter
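The following is an added illustration, not code from the issue or from the project: a small Python scanner for a single challenge in the auth-param form of RFC 9110 (`token BWS "=" BWS ( token / quoted-string )`, list elements separated by commas), written in Python rather than the project's own language so the grammar is easy to read. It keeps commas inside quoted strings literal, unescapes quoted-pairs such as `\"`, lowercases parameter names (they are case-insensitive), and rejects duplicates and malformed input rather than guessing. The function names, the `naive_parse` comparison and the `SAMPLE_HEADER` value are constructed for the example; token68 credentials and several challenges in one header value are out of scope here.

```python
import string

# RFC 9110 tchar: the characters allowed in a token (names and unquoted values).
_TCHAR = frozenset("!#$%&'*+-.^_`|~" + string.ascii_letters + string.digits)


def _skip_ows(s: str, i: int) -> int:
    """Skip optional whitespace (SP / HTAB) starting at index i."""
    while i < len(s) and s[i] in " \t":
        i += 1
    return i


def _read_token(s: str, i: int) -> tuple[str, int]:
    """Read a non-empty token at index i; return (token, index after it)."""
    j = i
    while j < len(s) and s[j] in _TCHAR:
        j += 1
    if j == i:
        raise ValueError(f"expected token at offset {i}")
    return s[i:j], j


def _read_quoted_string(s: str, i: int) -> tuple[str, int]:
    """Read a quoted-string whose opening DQUOTE is at index i.

    Commas inside the quotes are literal; a backslash escapes the next
    character (quoted-pair), so an escaped quote becomes a literal quote.
    Returns (unescaped value, index just past the closing DQUOTE).
    """
    out = []
    i += 1  # step past the opening DQUOTE
    while i < len(s):
        c = s[i]
        if c == "\\":
            if i + 1 >= len(s):
                raise ValueError("dangling backslash in quoted-string")
            out.append(s[i + 1])
            i += 2
        elif c == '"':
            return "".join(out), i + 1
        else:
            out.append(c)
            i += 1
    raise ValueError("unterminated quoted-string")


def parse_auth_params(s: str) -> dict[str, str]:
    """Parse a comma-separated auth-param list into {lowercase name: value}."""
    params: dict[str, str] = {}
    i, n = 0, len(s)
    while True:
        i = _skip_ows(s, i)
        if i >= n:
            break
        if s[i] == ",":  # empty list element, permitted by the #rule
            i += 1
            continue
        name, i = _read_token(s, i)
        i = _skip_ows(s, i)  # BWS before '='
        if i >= n or s[i] != "=":
            raise ValueError(f"expected '=' after parameter {name!r}")
        i = _skip_ows(s, i + 1)  # BWS after '='
        if i < n and s[i] == '"':
            value, i = _read_quoted_string(s, i)
        else:
            value, i = _read_token(s, i)
        key = name.lower()
        if key in params:  # a repeated name is treated as an error here
            raise ValueError(f"duplicate parameter {key!r}")
        params[key] = value
        i = _skip_ows(s, i)
        if i >= n:
            break
        if s[i] != ",":
            raise ValueError(f"unexpected character {s[i]!r} at offset {i}")
        i += 1
    return params


def parse_challenge(header: str) -> tuple[str, dict[str, str]]:
    """Split one WWW-Authenticate challenge into (auth-scheme, params)."""
    i = _skip_ows(header, 0)
    scheme, i = _read_token(header, i)
    rest = header[i:]
    if rest and rest[0] not in " \t":
        raise ValueError("auth-scheme must be followed by whitespace")
    return scheme, parse_auth_params(rest)


def naive_parse(s: str) -> dict[str, str]:
    """The fragile approach: split on ',' then '=' and strip quotes.
    Kept only to show how a value such as param="," is mangled."""
    params = {}
    for piece in s.split(","):
        name, sep, value = piece.partition("=")
        if sep:
            params[name.strip().lower()] = value.strip().strip('"')
    return params


# Constructed sample header (not taken from any real server response).
SAMPLE_HEADER = (
    'Bearer realm="example", error="invalid_token", '
    'error_description="The token, it expired \\"now\\""'
)

if __name__ == "__main__":
    print(parse_challenge(SAMPLE_HEADER))
    print(naive_parse('param=","'), parse_auth_params('param=","'))
```

Running the module shows the naive split turning `param=","` into an empty value while the scanner returns the literal comma; feeding it an unterminated or duplicated parameter raises instead of producing a half-parsed result, which is the behaviour a client should prefer when the header comes from a server it is about to send credentials to.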

Metadata

Assignees

No one assigned

Labels

bug: Something isn't working

Type

No type

Projects

No projects

Milestone

No milestone

Relationships

None yet

Development

No branches or pull requests