Issue #213 new

Authentication: challenge() should receive the original request

Denis Washington
created an issue

Currently, the challenge() method of an authentication handler receives no argument at all, but this is not sufficient for all kinds of authentication schemes. One might want to limit authorization to the requester's IP address, the requested resource or the HTTP method by embedding this information into the challenge's nonce, but this is not possible at the moment as challenge() doesn't know about the request it is generating a challenge for.

An example for an authentication where this would be useful is HTTP Digest Access Authentication. Its specification (RFC 2617) says the following in section 4.2.1, "Limited Use Nonce Values":

"[...] the server is free to construct the nonce such that it may only be used from a particular client, for a particular resource, for a limited period of time or number of uses, or any other restrictions. Doing so strengthens the protection provided against, for example, replay attacks [...]"

I myself would like to enforce similar restrictions in a custom public-key cryptography based authentication scheme.

Thus, it would be very nice if the request for which to create a challenge to be passed to the authentication handler's challenge() method. With some magic, this should be doable in a backwards-compatible way, such that the request is only passed if the method can take the additional argument.