HTTPSignatureAuth.verify does not parse Authentication header correctly

Question

Diggsey opened this issue 5 years ago · comments

Currently, it just splits on commas. However, I believe commas are allowed in eg. the keyId parameter if the value is enclosed in quotes.

Example:

Authentication: keyId="test,key",signature="...",algorithm="..."

Andrey Kislyuk · Answer 1 · Sat Apr 25 2020 22:49:44 GMT+0800 (China Standard Time)

No, keyId should not contain commas. There is an in-progress work item on this in the draft spec (https://tools.ietf.org/html/draft-richanna-http-message-signatures-00#appendix-B.1.13).