michael-o commented on PR #718:
URL: https://github.com/apache/httpcomponents-client/pull/718#issuecomment-3263853392

   > > > > As far as I understood the SASL SCRAM mech it was always connection-bound which always contracted the multistream nature of h2. How does this reconcile? E.g., PHA or NTLM on h2 are completely not working.
   > > >
   > > > IMO we’re fine on h2 because this is HTTP SCRAM (RFC 7804) which is per-request—no channel binding (GS2 “n,,” / c=biws)—so each stream carries its own exchange. The connection-bound pain is NTLM/Negotiate/PHA; if we ever add SCRAM-PLUS, it can bind via the TLS exporter shared by h2.
   > >
   > > So one round is enough to complete auth?
   >
   > SCRAM needs two exchanges: client-first → 401 (server-first), then client-final → 200 with Authentication-Info (v=). From what I understood, if the server sends an empty announce first, it’s one extra 401 (so 3 total); with preemptive client-first it’s 2.
   
   


-- 
This is an automated message from the Apache Git Service.
To respond to the message, please log on to GitHub and use the
URL above to go to the specific comment.

To unsubscribe, e-mail: [email protected]

For queries about this service, please contact Infrastructure at:
[email protected]
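
The two-exchange flow described in the quoted thread, as an added example that is not code from the PR or from HttpClient: a preemptive SCRAM-SHA-256 exchange without channel binding, carried in `data=` parameters as in RFC 7804. The user name, password, salt, nonces and `sid` value are constructed, and the leading `401`/`200` in the header strings is shorthand for the response status.

```python
import base64, hashlib, hmac

GS2 = "n,,"  # GS2 header for "no channel binding"; base64("n,,") == "biws"

def b64(raw): return base64.b64encode(raw).decode()
def mac(key, msg): return hmac.new(key, msg, hashlib.sha256).digest()
def xor(a, b): return bytes(x ^ y for x, y in zip(a, b))

def derive(password, salt, iters):
    """Return (ClientKey, StoredKey, ServerKey) as SCRAM defines them."""
    salted = hashlib.pbkdf2_hmac("sha256", password.encode(), salt, iters)
    client_key = mac(salted, b"Client Key")
    return client_key, hashlib.sha256(client_key).digest(), mac(salted, b"Server Key")

def client_final(password, cnonce, bare, server_first):
    attrs = dict(a.split("=", 1) for a in server_first.split(","))
    if not attrs["r"].startswith(cnonce):       # server must extend our nonce
        raise ValueError("nonce mismatch")
    client_key, stored, server_key = derive(
        password, base64.b64decode(attrs["s"]), int(attrs["i"]))
    no_proof = f"c={b64(GS2.encode())},r={attrs['r']}"
    auth_msg = f"{bare},{server_first},{no_proof}".encode()
    proof = xor(client_key, mac(stored, auth_msg))
    # Second value is the v= the client expects back from the server.
    return f"{no_proof},p={b64(proof)}", "v=" + b64(mac(server_key, auth_msg))

def server_final(final, bare, server_first, stored, server_key):
    no_proof, proof = final.rsplit(",p=", 1)
    auth_msg = f"{bare},{server_first},{no_proof}".encode()
    client_key = xor(base64.b64decode(proof), mac(stored, auth_msg))
    if not hmac.compare_digest(hashlib.sha256(client_key).digest(), stored):
        return None                             # wrong password: answer 401 again
    return "v=" + b64(mac(server_key, auth_msg))

def exchange(typed_password, sid="sid-constructed"):
    # Constructed credentials and nonces; real peers use fresh random nonces.
    salt, iters, cnonce, snonce = b"constructed-salt", 4096, "c0ffee", "5eed"
    _, stored, server_key = derive("correct horse", salt, iters)  # server record
    bare = f"n=user,r={cnonce}"
    s_first = f"r={cnonce}{snonce},s={b64(salt)},i={iters}"
    c_final, expected_v = client_final(typed_password, cnonce, bare, s_first)
    v = server_final(c_final, bare, s_first, stored, server_key)
    wire = [("C", f"Authorization: SCRAM-SHA-256 data={b64((GS2 + bare).encode())}"),
            ("S", f"401 WWW-Authenticate: SCRAM-SHA-256 sid={sid}, data={b64(s_first.encode())}"),
            ("C", f"Authorization: SCRAM-SHA-256 sid={sid}, data={b64(c_final.encode())}")]
    if v is None:
        return wire + [("S", "401")], False
    wire.append(("S", f"200 Authentication-Info: sid={sid}, data={b64(v.encode())}"))
    return wire, hmac.compare_digest(v, expected_v)  # client checks the server too
```

Every input to the proof and to `v=` travels in the messages themselves, which is why the exchange depends on the request/response pair and not on connection state.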
