Test Cases for the HTTP WWW-Authenticate header field

Unless stated otherwise, all tests were executed with the latest release versions of Firefox and Google Chrome (for all Chromium-based UAs, including Microsoft Edge) on a machine running Windows 10. Konqueror was tested on OpenSuse 11.4. Safari tests date back to the time when it was available on Windows (test results from that other platform appreciated).

Test Result Summary

Score -- Passes: 2 points, Warning: 1 point, in percent of possible points (this should be updated to count optional features differently)

Test Cases

Test Case	Firefox 88	Firefox 90 (2021-05-27)	Safari 5.1	Konqueror 4.8.4	Google Chrome 90
Summary	Score: 66	Score: 50	Score: 72	Score: 75	Score: 47
Basic	simplebasic	pass	warn (does not display the realm name)	pass	pass	warn (does not display the realm name)
simplebasiclf	pass	warn (does not display the realm name)	pass	pass	warn (does not display the realm name)
simplebasicucase	pass	warn (does not display the realm name)	pass	fail (misses the realm parameter)	warn (does not display the realm name)
simplebasictok	warn (accepts the unquoted form)	warn (accepts the syntax, but then does not display the realm)	warn (accepts the unquoted form)	warn (accepts the unquoted form)	warn (accepts the syntax, but then does not display the realm)
simplebasictokbs	warn (accepts the unquoted form)	warn (accepts the syntax, but then does not display the realm)	pass (ignores the challenge)	warn (accepts the unquoted form)	warn (accepts the syntax, but then does not display the realm)
simplebasicsq	warn (detects realm `'foo'`)	warn (accepts the syntax, but then does not display the realm)	warn (detects realm `'foo'`)	warn (detects realm `'foo'`)	warn (accepts the syntax, but then does not display the realm)
simplebasicpct	pass	warn (does not display the realm name)	pass	pass	warn (does not display the realm name)
simplebasiccomma	pass	pass	pass	pass
simplebasiccomma2	pass (ignores the header field)	warn (accepts the header field)	pass (ignores the header field)	pass (ignores the header field)
simplebasicnorealm	warn (accepts the realm-less form)	warn (accepts the realm-less form, derives the presented value from the host name)	warn (accepts the realm-less form, derives the presented value from the host name)	warn (accepts the realm-less form)
simplebasic2realms	warn (takes the first realm)	warn (accepts the syntax, but does not display a realm)	warn (takes the second realm)	warn (takes the first realm)	warn (accepts the syntax, but does not display a realm)
simplebasicwsrealm	fail	warn (does not display the realm name)	pass	fail	warn (does not display the realm name)
simplebasicrealmsqc	pass	warn (does not display the realm name)	fail (fails to unescape, thus sees the realm `\f\o\o`)	pass	warn (does not display the realm name)
simplebasicrealmsqc2	pass	warn (does not display the realm name)	fail (fails to unescape, thus sees the realm `"\foo\"`)	pass	warn (does not display the realm name)
simplebasicnewparam1	pass	warn (does not display the realm name)	pass	pass	warn (does not display the realm name)
simplebasicnewparam2	pass	warn (does not display the realm name)	pass	pass	warn (does not display the realm name)
simplebasicrealmiso88591	pass	warn (does not display the realm name)	pass	pass	warn (does not display the realm name)
simplebasicrealmutf8	pass (displayed as the two raw characters `ä`)	warn (does not display the realm name)	pass (displayed as the two raw characters `ä`)	pass (displayed as the two raw characters `ä`)	warn (does not display the realm name)
simplebasicrealmrfc2047	pass	warn (does not display the realm name)	pass	pass	warn (does not display the realm name)
Multiple Challenges	multibasicunknown	pass	warn (does not display the realm name)	pass	pass	warn (does not display the realm name)
multibasicunknownnoparam	pass	warn (does not display the realm name)			fail (doesn't see the Basic challenge (see Chrome Issue 103220))
multibasicunknown2	fail (doesn't see the Basic challenge (see Mozilla Bug 669675))	pass	pass	fail (doesn't see the Basic challenge (see Chrome Issue 103220))
multibasicunknown2np	fail (doesn't see the Basic challenge)			fail (doesn't see the Basic challenge (see Chrome Issue 103220))
multibasicunknown2mf	pass	pass	pass	warn (does not display the realm name)
multibasicempty	fail (doesn't see the Basic challenge (likely the same as Mozilla Bug 669675))	fail (doesn't see the Basic challenge)	pass	fail (doesn't see the Basic challenge)
multibasicqs	fail (doesn't see the Basic challenge (likely the same as Mozilla Bug 669675))	pass	pass	fail (doesn't see the Basic challenge)
multidisgscheme	fail (doesn't see the Basic challenge (likely the same as Mozilla Bug 669675))	pass	pass	fail (doesn't see the Basic challenge)
Unknown Schemes	unknown	pass (Page is displayed, no prompt)	pass (Page is displayed, no prompt)	pass (Page is displayed, no prompt)	pass (Page is displayed, no prompt)
parametersnotrequired	pass (Page is displayed, no prompt)			pass (Page is displayed, no prompt)
Parsing quirks	disguisedrealm	fail (detects realm `nottherealm",`)	warn (detects Basic challenge with no realm)	pass	pass	warn (detects Basic challenge with no realm)
disguisedrealm2	fail (detects realm `nottherealm`)	warn (detects Basic challenge with no realm)	pass	pass	warn (detects Basic challenge with no realm)
missingquote	warn (detects realm `basic`)	warn (detects Basic challenge with no realm)	warn (detects realm `basic`)	warn (detects Basic challenge with no realm)	warn (detects Basic challenge with no realm)

Basic

Various tests checking Basic auth.

simplebasic [TEST] [R]

WWW-Authenticate: Basic realm="foo"

Test Results
FF88	pass
FF90	warn (does not display the realm name)
Safari	pass
Konq	pass
Chr90	warn (does not display the realm name)

simple Basic auth

Extracted raw data:

scheme name	parameter name	parameter value
Basic	realm	"foo"

After post-processing the authentication scheme name, parameter names, and parameter values:

scheme name	parameter name	parameter value
basic	realm	foo

simplebasiclf [TEST] [R]

WWW-Authenticate: Basic
 realm="foo"

Test Results
FF88	pass
FF90	warn (does not display the realm name)
Safari	pass
Konq	pass
Chr90	warn (does not display the realm name)

simple Basic auth, with (deprecated) line folding

Extracted raw data:

scheme name	parameter name	parameter value
Basic	realm	"foo"

After post-processing the authentication scheme name, parameter names, and parameter values:

scheme name	parameter name	parameter value
basic	realm	foo

simplebasicucase [TEST] [R]

WWW-Authenticate: BASIC REALM="foo"

Test Results
FF88	pass
FF90	warn (does not display the realm name)
Safari	pass
Konq	fail (misses the realm parameter)
Chr90	warn (does not display the realm name)

simple Basic auth (using uppercase characters)

Extracted raw data:

scheme name	parameter name	parameter value
BASIC	REALM	"foo"

After post-processing the authentication scheme name, parameter names, and parameter values:

scheme name	parameter name	parameter value
basic	realm	foo

simplebasictok [TEST] [R]

WWW-Authenticate: Basic realm=foo

Test Results
FF88	warn (accepts the unquoted form)
FF90	warn (accepts the syntax, but then does not display the realm)
Safari	warn (accepts the unquoted form)
Konq	warn (accepts the unquoted form)
Chr90	warn (accepts the syntax, but then does not display the realm)

simple Basic auth, using token format for realm (but see Section 2.2 of RFC 7235)

Extracted raw data:

scheme name	parameter name	parameter value
Basic	realm	foo

Invalid syntax: parameter 'realm' is defined to only use 'quoted-string' syntax.

simplebasictokbs [TEST] [R]

WWW-Authenticate: Basic realm=\f\o\o

                        ^ (PARSE ERROR)

Test Results
FF88	warn (accepts the unquoted form)
FF90	warn (accepts the syntax, but then does not display the realm)
Safari	pass (ignores the challenge)
Konq	warn (accepts the unquoted form)
Chr90	warn (accepts the syntax, but then does not display the realm)

simple Basic auth, using token format for realm (but see Section 2.2 of RFC 7235), including backslashes

simplebasicsq [TEST] [R]

WWW-Authenticate: Basic realm='foo'

Test Results
FF88	warn (detects realm `'foo'`)
FF90	warn (accepts the syntax, but then does not display the realm)
Safari	warn (detects realm `'foo'`)
Konq	warn (detects realm `'foo'`)
Chr90	warn (accepts the syntax, but then does not display the realm)

simple Basic auth, using single quotes (these are allowed in a token, but should not be treated as quote characters)

Extracted raw data:

scheme name	parameter name	parameter value
Basic	realm	'foo'

Invalid syntax: parameter 'realm' is defined to only use 'quoted-string' syntax.

simplebasicpct [TEST] [R]

WWW-Authenticate: Basic realm="foo%20bar"

Test Results
FF88	pass
FF90	warn (does not display the realm name)
Safari	pass
Konq	pass
Chr90	warn (does not display the realm name)

simple Basic auth, containing a %-escape (which isn't special here)

Extracted raw data:

scheme name	parameter name	parameter value
Basic	realm	"foo%20bar"

After post-processing the authentication scheme name, parameter names, and parameter values:

scheme name	parameter name	parameter value
basic	realm	foo%20bar

simplebasiccomma [TEST] [R]

WWW-Authenticate: Basic , realm="foo"

Test Results
FF88	pass
FF90	pass
Safari	pass
Konq	pass
Chr90	pass

simple Basic auth, with a comma between schema and auth-param

Extracted raw data:

scheme name	parameter name	parameter value
Basic	realm	"foo"

After post-processing the authentication scheme name, parameter names, and parameter values:

scheme name	parameter name	parameter value
basic	realm	foo

simplebasiccomma2 [TEST] [R]

WWW-Authenticate: Basic, realm="foo"

                              ^ (PARSE ERROR)

Test Results
FF88	pass (ignores the header field)
FF90	pass (ignores the header field)
Safari	warn (accepts the header field)
Konq	pass (ignores the header field)
Chr90	pass (ignores the header field)

simple Basic auth, with a comma between schema and auth-param (this is invalid because of the missing space characters after the scheme name)

simplebasicnorealm [TEST] [R]

WWW-Authenticate: Basic

Test Results
FF88	warn (accepts the realm-less form)
FF90	warn (accepts the realm-less form)
Safari	warn (accepts the realm-less form, derives the presented value from the host name)
Konq	warn (accepts the realm-less form, derives the presented value from the host name)
Chr90	warn (accepts the realm-less form)

simple Basic auth, realm parameter missing

Extracted raw data:

scheme name	parameter name	parameter value
Basic

Invalid syntax: parameter 'realm' needs to appear exactly once for 'basic' challenge.

simplebasic2realms [TEST] [R]

WWW-Authenticate: Basic realm="foo", realm="bar"

Test Results
FF88	warn (takes the first realm)
FF90	warn (accepts the syntax, but does not display a realm)
Safari	warn (takes the second realm)
Konq	warn (takes the first realm)
Chr90	warn (accepts the syntax, but does not display a realm)

simple Basic auth with two realm parameters

Extracted raw data:

scheme name	parameter name	parameter value
Basic	realm	"foo"
	realm	"bar"

Invalid syntax: parameter 'realm' needs to appear exactly once for 'basic' challenge.

simplebasicwsrealm [TEST] [R]

WWW-Authenticate: Basic realm = "foo"

Test Results
FF88	fail
FF90	warn (does not display the realm name)
Safari	pass
Konq	fail
Chr90	warn (does not display the realm name)

simple Basic auth, (bad) whitespace used in auth-param assignment

Extracted raw data:

scheme name	parameter name	parameter value
Basic	realm	"foo"

After post-processing the authentication scheme name, parameter names, and parameter values:

scheme name	parameter name	parameter value
basic	realm	foo

simplebasicrealmsqc [TEST] [R]

WWW-Authenticate: Basic realm="\f\o\o"

Test Results
FF88	pass
FF90	warn (does not display the realm name)
Safari	fail (fails to unescape, thus sees the realm `\f\o\o`)
Konq	pass
Chr90	warn (does not display the realm name)

simple Basic auth, with realm using quoted string escapes

Extracted raw data:

scheme name	parameter name	parameter value
Basic	realm	"\f\o\o"

After post-processing the authentication scheme name, parameter names, and parameter values:

scheme name	parameter name	parameter value
basic	realm	foo

simplebasicrealmsqc2 [TEST] [R]

WWW-Authenticate: Basic realm="\"foo\""

Test Results
FF88	pass
FF90	warn (does not display the realm name)
Safari	fail (fails to unescape, thus sees the realm `"\foo\"`)
Konq	pass
Chr90	warn (does not display the realm name)

simple Basic auth, with realm using quoted string escapes

Extracted raw data:

scheme name	parameter name	parameter value
Basic	realm	"\"foo\""

After post-processing the authentication scheme name, parameter names, and parameter values:

scheme name	parameter name	parameter value
basic	realm	"foo"

simplebasicnewparam1 [TEST] [R]

WWW-Authenticate: Basic realm="foo", bar="xyz",, a=b,,,c=d

Test Results
FF88	pass
FF90	warn (does not display the realm name)
Safari	pass
Konq	pass
Chr90	warn (does not display the realm name)

simple Basic auth, with additional auth-params

Extracted raw data:

scheme name	parameter name	parameter value
Basic	realm	"foo"
	bar	"xyz"
	a	b
	c	d

After post-processing the authentication scheme name, parameter names, and parameter values:

scheme name	parameter name	parameter value
basic	realm	foo
	bar	xyz
	a	b
	c	d

simplebasicnewparam2 [TEST] [R]

WWW-Authenticate: Basic bar="xyz", realm="foo"

Test Results
FF88	pass
FF90	warn (does not display the realm name)
Safari	pass
Konq	pass
Chr90	warn (does not display the realm name)

simple Basic auth, with an additional auth-param (but with reversed order)

Extracted raw data:

scheme name	parameter name	parameter value
Basic	bar	"xyz"
	realm	"foo"

After post-processing the authentication scheme name, parameter names, and parameter values:

scheme name	parameter name	parameter value
basic	bar	xyz
	realm	foo

simplebasicrealmiso88591 [TEST] [R]

Test Results
FF88	pass
FF90	warn (does not display the realm name)
Safari	pass
Konq	pass
Chr90	warn (does not display the realm name)

simple Basic auth, using "a umlaut" character encoded using ISO-8859-1

Extracted raw data:

simplebasicrealmutf8 [TEST] [R]

WWW-Authenticate: Basic realm="foo-ä"

Test Results
FF88	pass (displayed as the two raw characters `ä`)
FF90	warn (does not display the realm name)
Safari	pass (displayed as the two raw characters `ä`)
Konq	pass (displayed as the two raw characters `ä`)
Chr90	warn (does not display the realm name)

simple Basic auth, using "a umlaut" character encoded using UTF-8

Extracted raw data:

scheme name	parameter name	parameter value
Basic	realm	"foo-ä"

After post-processing the authentication scheme name, parameter names, and parameter values:

scheme name	parameter name	parameter value
basic	realm	foo-ä

simplebasicrealmrfc2047 [TEST] [R]

WWW-Authenticate: Basic realm="=?ISO-8859-1?Q?foo-=E4?="

Test Results
FF88	pass
FF90	warn (does not display the realm name)
Safari	pass
Konq	pass
Chr90	warn (does not display the realm name)

simple Basic auth, using "a umlaut" character encoded using RFC 2047

RFC 2047 does not apply to quoted-strings, so the realm really is =?ISO-8859-1?Q?foo-=E4?=

Extracted raw data:

scheme name	parameter name	parameter value
Basic	realm	"=?ISO-8859-1?Q?foo-=E4?="

After post-processing the authentication scheme name, parameter names, and parameter values:

scheme name	parameter name	parameter value
basic	realm	=?ISO-8859-1?Q?foo-=E4?=

Multiple Challenges

Various tests checking multiple challenges.

multibasicunknown [TEST] [R]

WWW-Authenticate: Basic realm="basic", Newauth realm="newauth"

Test Results
FF88	pass
FF90	warn (does not display the realm name)
Safari	pass
Konq	pass
Chr90	warn (does not display the realm name)

a header field containing two challenges, one of which unknown

Extracted raw data:

scheme name	parameter name	parameter value
Basic	realm	"basic"

scheme name	parameter name	parameter value
Newauth	realm	"newauth"

After post-processing the authentication scheme name, parameter names, and parameter values:

scheme name	parameter name	parameter value
basic	realm	basic

After post-processing the authentication scheme name, parameter names, and parameter values:

scheme name	parameter name	parameter value
newauth	realm	newauth

multibasicunknownnoparam [TEST] [R]

WWW-Authenticate: Basic realm="basic", Newauth

Test Results
FF88	pass
FF90	warn (does not display the realm name)
Chr90	fail (doesn't see the Basic challenge (see Chrome Issue 103220))

a header field containing two challenges, one of which unknown and has no parameters

Extracted raw data:

scheme name	parameter name	parameter value
Basic	realm	"basic"

scheme name	parameter name	parameter value
Newauth

After post-processing the authentication scheme name, parameter names, and parameter values:

scheme name	parameter name	parameter value
basic	realm	basic

After post-processing the authentication scheme name, parameter names, and parameter values:

scheme name	parameter name	parameter value
newauth

multibasicunknown2 [TEST] [R]

WWW-Authenticate: Newauth realm="newauth", Basic realm="basic"

Test Results
FF88	fail (doesn't see the Basic challenge (see Mozilla Bug 669675))
FF90	fail (doesn't see the Basic challenge (see Mozilla Bug 669675))
Safari	pass
Konq	pass
Chr90	fail (doesn't see the Basic challenge (see Chrome Issue 103220))

as above, but with challenges swapped

Extracted raw data:

scheme name	parameter name	parameter value
Newauth	realm	"newauth"

scheme name	parameter name	parameter value
Basic	realm	"basic"

After post-processing the authentication scheme name, parameter names, and parameter values:

scheme name	parameter name	parameter value
newauth	realm	newauth

After post-processing the authentication scheme name, parameter names, and parameter values:

scheme name	parameter name	parameter value
basic	realm	basic

multibasicunknown2np [TEST] [R]

WWW-Authenticate: Newauth, Basic realm="basic"

Test Results
FF88	fail (doesn't see the Basic challenge)
FF90	fail (doesn't see the Basic challenge)
Chr90	fail (doesn't see the Basic challenge (see Chrome Issue 103220))

as above, but with challenges swapped

Extracted raw data:

scheme name	parameter name	parameter value
Newauth

scheme name	parameter name	parameter value
Basic	realm	"basic"

After post-processing the authentication scheme name, parameter names, and parameter values:

scheme name	parameter name	parameter value
newauth

After post-processing the authentication scheme name, parameter names, and parameter values:

scheme name	parameter name	parameter value
basic	realm	basic

multibasicunknown2mf [TEST] [R]

WWW-Authenticate: Newauth realm="newauth"
WWW-Authenticate: Basic realm="basic"

Test Results
FF88	pass
FF90	pass
Safari	pass
Konq	pass
Chr90	warn (does not display the realm name)

as above, but using two header fields

Extracted raw data:

scheme name	parameter name	parameter value
Newauth	realm	"newauth"

scheme name	parameter name	parameter value
Basic	realm	"basic"

After post-processing the authentication scheme name, parameter names, and parameter values:

scheme name	parameter name	parameter value
newauth	realm	newauth

After post-processing the authentication scheme name, parameter names, and parameter values:

scheme name	parameter name	parameter value
basic	realm	basic

multibasicempty [TEST] [R]

WWW-Authenticate: ,Basic realm="basic"

Test Results
FF88	fail (doesn't see the Basic challenge (likely the same as Mozilla Bug 669675))
FF90	fail (doesn't see the Basic challenge (likely the same as Mozilla Bug 669675))
Safari	fail (doesn't see the Basic challenge)
Konq	pass
Chr90	fail (doesn't see the Basic challenge)

a header field containing one Basic challenge, following an empty one

Extracted raw data:

scheme name	parameter name	parameter value
Basic	realm	"basic"

After post-processing the authentication scheme name, parameter names, and parameter values:

scheme name	parameter name	parameter value
basic	realm	basic

multibasicqs [TEST] [R]

WWW-Authenticate: Newauth realm="apps", type=1, title="Login to \"apps\"", Basic realm="simple"

Test Results
FF88	fail (doesn't see the Basic challenge (likely the same as Mozilla Bug 669675))
FF90	fail (doesn't see the Basic challenge (likely the same as Mozilla Bug 669675))
Safari	pass
Konq	pass
Chr90	fail (doesn't see the Basic challenge)

a header field containing two challenges, the first one for a new scheme and having a parameter using quoted-string syntax

Extracted raw data:

scheme name	parameter name	parameter value
Newauth	realm	"apps"
	type	1
	title	"Login to \"apps\""

scheme name	parameter name	parameter value
Basic	realm	"simple"

After post-processing the authentication scheme name, parameter names, and parameter values:

scheme name	parameter name	parameter value
newauth	realm	apps
	type	1
	title	Login to "apps"

After post-processing the authentication scheme name, parameter names, and parameter values:

scheme name	parameter name	parameter value
basic	realm	simple

multidisgscheme [TEST] [R]

WWW-Authenticate: Newauth realm="Newauth Realm", basic=foo, Basic realm="Basic Realm"

Test Results
FF88	fail (doesn't see the Basic challenge (likely the same as Mozilla Bug 669675))
FF90	fail (doesn't see the Basic challenge (likely the same as Mozilla Bug 669675))
Safari	pass
Konq	pass
Chr90	fail (doesn't see the Basic challenge)

a header field containing two challenges, the first one for a new scheme and having a parameter called "Basic"

Extracted raw data:

scheme name	parameter name	parameter value
Newauth	realm	"Newauth Realm"
	basic	foo

scheme name	parameter name	parameter value
Basic	realm	"Basic Realm"

After post-processing the authentication scheme name, parameter names, and parameter values:

scheme name	parameter name	parameter value
newauth	realm	Newauth Realm
	basic	foo

After post-processing the authentication scheme name, parameter names, and parameter values:

scheme name	parameter name	parameter value
basic	realm	Basic Realm

Test Case Generation

Both this document and the indiviual test "scripts" are generated from one single XML source (httpauth.xml), using an XSLT2 transformation (httpauth.xslt).

To generate the files, an XSLT2 processor such as Saxon 9 is needed. Copy both files into an empty directory, then run:

Note that this will also generate a set of "*.asis" and "nph-*.cgi" files that contain the actual test cases. The "*.asis" files need to be served using the Apache httpd mod_asis module.

Test Cases for HTTP Test Cases for the HTTP WWW-Authenticate header field

Related Reading

Browsers Tested

Test Result Summary

Test Cases

Basic

simplebasic [TEST] [R]

simplebasiclf [TEST] [R]

simplebasicucase [TEST] [R]

simplebasictok [TEST] [R]

simplebasictokbs [TEST] [R]

simplebasicsq [TEST] [R]

simplebasicpct [TEST] [R]

simplebasiccomma [TEST] [R]

simplebasiccomma2 [TEST] [R]

simplebasicnorealm [TEST] [R]

simplebasic2realms [TEST] [R]

simplebasicwsrealm [TEST] [R]

simplebasicrealmsqc [TEST] [R]

simplebasicrealmsqc2 [TEST] [R]

simplebasicnewparam1 [TEST] [R]

simplebasicnewparam2 [TEST] [R]

simplebasicrealmiso88591 [TEST] [R]

simplebasicrealmutf8 [TEST] [R]

simplebasicrealmrfc2047 [TEST] [R]

Multiple Challenges

multibasicunknown [TEST] [R]

multibasicunknownnoparam [TEST] [R]

multibasicunknown2 [TEST] [R]

multibasicunknown2np [TEST] [R]

multibasicunknown2mf [TEST] [R]

multibasicempty [TEST] [R]

multibasicqs [TEST] [R]

multidisgscheme [TEST] [R]

Unknown Schemes

unknown [TEST] [R]

parametersnotrequired [TEST] [R]

Parsing quirks

disguisedrealm [TEST] [R]

disguisedrealm2 [TEST] [R]

missingquote [TEST] [R]

Test Case Generation