Domino HTTP Basic Authentication still uses ISO-8859-1
Daniel Nashed – 7 February 2019 03:44:32
HTTP Basic Authentication is needed especially for mobile devices.
Those devices don't understand login forms and forms-based authentication.
For forms-based authentication you can configure which charset to use, and most environments should already be set up to use UTF-8.
For basic authentication there wasn't really a standard, and the first implementations used ISO-8859-1.
I just had a support ticket with IBM double checking about a way to change the charset to UTF-8.
It's currently not possible and there is an enhancement request:
SPR # DKENAJTT9G: Enhancement: Non-ASCII UTF-8 passwords don't work over basicAuth
There is a newer RFC superseding the previous RFC.
I have logged a Domino idea to have this enhancement request on the radar --> https://domino.ideas.aha.io/ideas/DOMINO-I-570
-- Daniel
See https://tools.ietf.org/html/rfc7617 for details.
Since 2015 there is RFC 7617, which obsoletes RFC 2617. In contrast to the old RFC, the new RFC explicitly defines the character encoding to be used for username and password.
- The default encoding is still undefined. It is only required to be compatible with US-ASCII (meaning it maps ASCII bytes to ASCII bytes, like UTF-8 does).
- The server can optionally send an additional authentication parameter charset="UTF-8" in its challenge, like this:
WWW-Authenticate: Basic realm="myChosenRealm", charset="UTF-8"
This announces that the server will accept non-ASCII characters in username / password, and that it expects them to be encoded in UTF-8 (specifically Normalization Form C). Note that only UTF-8 is allowed.
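The charset mismatch described above, as an added example that is not part of the original post and not Domino code: a client encodes a non-ASCII password in UTF-8, and the server decodes it once as UTF-8 and once as ISO-8859-1. The credentials and function names are constructed for illustration, and normalizing to NFC on the server side is an assumption of this sketch.

```python
import base64
import unicodedata


def build_authorization(user: str, password: str, charset: str) -> str:
    """Client side: encode user:password in the given charset, then Base64."""
    raw = f"{user}:{password}".encode(charset)
    return "Basic " + base64.b64encode(raw).decode("ascii")


def parse_authorization(header: str, charset: str) -> tuple:
    """Server side: decode credentials using the charset the server expects."""
    scheme, _, token = header.partition(" ")
    if scheme.lower() != "basic":
        raise ValueError("not a Basic credential")
    raw = base64.b64decode(token.strip(), validate=True)
    text = raw.decode(charset)  # UnicodeDecodeError on bytes invalid in charset
    if charset.lower() == "utf-8":
        # Assumption of this sketch: normalize again on the server so that
        # composed and decomposed input compare equal (RFC 7617 names NFC).
        text = unicodedata.normalize("NFC", text)
    # The user-id cannot contain ":", so split on the first colon only.
    user, sep, password = text.partition(":")
    if not sep:
        raise ValueError("missing ':' separator")
    return user, password


# Constructed sample credentials (not from the original post).
USER, PASSWORD = "dnashed", "pässwörd€"

utf8_header = build_authorization(USER, PASSWORD, "utf-8")

# A server that announced charset="UTF-8" recovers the password as typed.
ok = parse_authorization(utf8_header, "utf-8")

# A server that assumes ISO-8859-1 gets no decoding error (every byte is a
# valid Latin-1 character), but the password turns into mojibake and will
# never match the stored one.
mismatch = parse_authorization(utf8_header, "iso-8859-1")


def latin1_client_fails() -> bool:
    """'€' has no ISO-8859-1 code point, so a Latin-1 client cannot send it."""
    try:
        build_authorization(USER, PASSWORD, "iso-8859-1")
    except UnicodeEncodeError:
        return True
    return False
```

The ISO-8859-1 case fails silently: the login is simply rejected as a wrong password, which is why the mismatch is hard to spot from the server log alone.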