arturobernalg commented on PR #718:
URL:
https://github.com/apache/httpcomponents-client/pull/718#issuecomment-3263843962
> > > As far as I understood the SASL SCRAM mech it was always
> > > connection-bound which always contracted the multistream nature of h2. How does
> > > this reconcile? E.g., PHA or NTLM on h2 are completely not working.
>
> > IMO we’re fine on h2 because this is HTTP SCRAM (RFC 7804) which is
> > per-request—no channel binding (GS2 “n,,” / c=biws)—so each stream carries its
> > own exchange. The connection-bound pain is NTLM/Negotiate/PHA; if we ever add
> > SCRAM-PLUS, it can bind via the TLS exporter shared by h2.
>
> So one round is enough to complete auth?

SCRAM needs two exchanges: client-first → 401 (server-first), then
client-final → 200 with Authentication-Info (v=).
From what I understood, if the server sends an empty announce first, it’s one
extra 401 (so 3 total); with preemptive client-first it’s 2.
--
This is an automated message from the Apache Git Service.
To respond to the message, please log on to GitHub and use the
URL above to go to the specific comment.
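
The exchange discussed in the comment above, as an added example that is not part of the original message or of the httpcomponents-client code: an in-memory model of the RFC 7804 request/response sequence without channel binding, where the server keeps state per `sid` rather than per connection. The inputs are the SCRAM-SHA-256 example values from RFC 7677; the `sid-1` value, the tuple-based `server()`/`client()` helpers and deriving both sides' keys from the password are assumptions made for brevity.

```python
import base64, hashlib, hmac
# Example inputs from RFC 7677 (SCRAM-SHA-256); "sid-1" below is a made-up session id.
USER, PASSWORD, SALT_B64, ITERATIONS = "user", "pencil", "W22ZaJ0SNY7soEsUEjb6gQ==", 4096
CNONCE, SNONCE = "rOprNGfwEbeRWgbNEkqO", "%hvYDpWUa2RaTCAfuxFIlj)hNlF$k0"
CBIND = "c=" + base64.b64encode(b"n,,").decode()   # GS2 header "n,," -> c=biws
SESSIONS = {}   # server state is keyed by sid, not by connection or h2 stream

def b64(raw): return base64.b64encode(raw).decode()
def unb64(text): return base64.b64decode(text).decode()
def mac(key, msg): return hmac.new(key, msg.encode(), hashlib.sha256).digest()
def xor(a, b): return bytes(x ^ y for x, y in zip(a, b))

def keys():
    salted = hashlib.pbkdf2_hmac("sha256", PASSWORD.encode(), base64.b64decode(SALT_B64), ITERATIONS)
    client_key = mac(salted, "Client Key")
    return client_key, hashlib.sha256(client_key).digest(), mac(salted, "Server Key")

def server(sid, data):
    if data is None:                                   # no credentials: empty announce
        return 401, None, None
    msg = unb64(data)
    if sid is None:                                    # client-first -> 401 + server-first
        bare = msg[len("n,,"):]
        nonce = bare.split(",r=", 1)[1] + SNONCE
        first = f"r={nonce},s={SALT_B64},i={ITERATIONS}"
        SESSIONS["sid-1"] = (bare, first, nonce)
        return 401, "sid-1", b64(first.encode())
    bare, first, nonce = SESSIONS.pop(sid)             # client-final -> 200 or 401
    without_proof, proof = msg.rsplit(",p=", 1)
    auth = f"{bare},{first},{without_proof}"
    _, stored_key, server_key = keys()
    derived = hashlib.sha256(xor(base64.b64decode(proof), mac(stored_key, auth))).digest()
    if without_proof != f"{CBIND},r={nonce}" or not hmac.compare_digest(derived, stored_key):
        return 401, None, None
    return 200, sid, b64(("v=" + b64(mac(server_key, auth))).encode())

def client(preemptive):
    bare = f"n={USER},r={CNONCE}"
    replies = [] if preemptive else [server(None, None)]   # extra 401 before client-first
    replies.append(server(None, b64(("n,," + bare).encode())))
    sid, first = replies[-1][1], unb64(replies[-1][2])
    if not first.startswith(f"r={CNONCE}"): raise ValueError("server nonce does not extend ours")
    without_proof = f"{CBIND},{first.split(',')[0]}"
    auth = f"{bare},{first},{without_proof}"
    client_key, stored_key, server_key = keys()
    final = f"{without_proof},p={b64(xor(client_key, mac(stored_key, auth)))}"
    replies.append(server(sid, b64(final.encode())))
    status, _, data = replies[-1]
    v = unb64(data) if data else ""                    # Authentication-Info payload (v=...)
    return len(replies), status, final, v, hmac.compare_digest(v, "v=" + b64(mac(server_key, auth)))
```

`client(True)` returns a request count of 2 and `client(False)` a count of 3; the last element of the tuple is the client's own check of the server signature.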