Decode user ID and password as URI components

[OliverJAsh]

The user ID and password must be encoded in order to allow passwords that contain colons.

Would it be appropriate to encode them as URI components, thus escaping the colon if there is one anywhere in the credentials?

[jaredhanson]

I think #21 is the correct fix. The spec doesn't state that any encoding should be performed, so I don't think this would conform to the spec. Have you seen any guidance otherwise?

[OliverJAsh]

@jaredhanson You're right. However, is there anything to say that the user ID won’t contain a colon?

[OliverJAsh]

Interestingly it does specify userid = *<TEXT excluding ":">. Guess you can't use HTTP basic auth if your user IDs contain colons (or you'll have to encrypt it yourself).

In which case, I believe #21 is the correct fix. :-)

[jaredhanson]

Yeah, HTTP Basic auth leaves things a bit too open to interpretation for my mind. There are some specs from the early days of the Internet that define legal characters for usernames (and colon is not legal - IIRC, it's just alphanumerics, dash, and underscore). Obviously there are systems that don't respect this, which gives rise to this situation.

[OliverJAsh]

Interesting, thanks. Hoping we can get #21 merged and released! :-)