Incorrect WWW-Authenticate formats #36961

@pilcrowonpaper

MDN URL

https://developer.mozilla.org/en-US/docs/Web/HTTP/Headers/WWW-Authenticate

What specific section or headline is this issue about?

Syntax

What information was incorrect, unhelpful, or incomplete?

These formats do not conform to RFC 9110:

WWW-Authenticate: <auth-scheme> realm=<realm> token68
WWW-Authenticate: <auth-scheme> realm=<realm> token68 auth-param1=auth-param1-token , ..., auth-paramN=auth-paramN-token
WWW-Authenticate: <auth-scheme> realm=<realm> auth-param1=auth-param1-token, ..., auth-paramN=auth-paramN-token
WWW-Authenticate: <auth-scheme> token68 auth-param1=auth-param1-token, ..., auth-paramN=auth-paramN-token

What did you expect to see?

They should not be documented.

Do you have any supporting links, references, or citations?

Per RFC 9110 section 11.6.1, the WWW-Authenticate header value is defined as:

WWW-Authenticate = 1#challenge

Where challenge is defined as (section 11.3):

challenge   = auth-scheme [ 1*SP ( token68 / #auth-param ) ]

If I'm reading this correctly, there can only be either a single token68 or a list of auth-param, and not both.

Do you have anything more you want to share?

It may also be helpful to document cases where there are multiple challenges in a single header:

WWW-Authenticate: <auth-scheme1> auth-param1=token1, ..., auth-paramN=auth-paramN-token, <auth-scheme2> auth-param1=token1, ..., auth-paramN=auth-paramN-token
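
The grammar quoted in the issue can be checked mechanically. The following is an added example, not part of the issue or of MDN: a small recipient-side parser that accepts several challenges in one field value and rejects any challenge that mixes a token68 with auth-params. All identifiers and the sample value are hypothetical and constructed for illustration; it tolerates empty list elements and whitespace around `=`.

```javascript
// Added example (not from the issue or MDN); all identifiers are hypothetical names.
const TOKEN = "[!#$%&'*+\\-.^_`|~0-9A-Za-z]+";
const QUOTED = '"(?:[^"\\\\]|\\\\.)*"';
const PARAM = new RegExp(`^(${TOKEN})[ \\t]*=[ \\t]*(${TOKEN}|${QUOTED})$`);
const TOKEN68 = /^[A-Za-z0-9\-._~+\/]+=*$/;
const SCHEME_ONLY = new RegExp(`^${TOKEN}$`);
const WITH_SCHEME = new RegExp(`^(${TOKEN}) +(.+)$`);
const unquote = (v) => (v[0] === '"' ? v.slice(1, -1).replace(/\\(.)/g, "$1") : v);
const SAMPLE = 'Basic realm="a, b", Bearer realm="api", error="invalid_token"'; // constructed input

// Split a list-valued field on commas that sit outside quoted-strings.
function splitList(value) {
  const parts = [];
  let cur = "", inQuote = false;
  for (let i = 0; i < value.length; i++) {
    const ch = value[i];
    if (inQuote && ch === "\\") { cur += ch + (value[++i] ?? ""); continue; }
    if (ch === '"') inQuote = !inQuote;
    if (ch === "," && !inQuote) { parts.push(cur.trim()); cur = ""; }
    else cur += ch;
  }
  parts.push(cur.trim());
  return parts;
}

// Returns [{scheme, token68, params}] or throws SyntaxError.
function parseWwwAuthenticate(value) {
  const challenges = [];
  for (const el of splitList(value)) {
    if (el === "") continue; // recipients tolerate empty list elements
    const last = challenges[challenges.length - 1];
    let m;
    if ((m = PARAM.exec(el))) { // bare auth-param: belongs to the previous challenge
      if (!last || last.token68 !== null) throw new SyntaxError(`auth-param not allowed here: ${el}`);
      last.params.set(m[1].toLowerCase(), unquote(m[2]));
    } else if (SCHEME_ONLY.test(el)) {
      challenges.push({ scheme: el, token68: null, params: new Map() });
    } else if ((m = WITH_SCHEME.exec(el))) { // scheme SP (token68 / first auth-param)
      const c = { scheme: m[1], token68: null, params: new Map() };
      const p = PARAM.exec(m[2]);
      if (p) c.params.set(p[1].toLowerCase(), unquote(p[2]));
      else if (TOKEN68.test(m[2])) c.token68 = m[2];
      else throw new SyntaxError(`neither token68 nor auth-param: ${m[2]}`);
      challenges.push(c);
    } else throw new SyntaxError(`malformed challenge: ${el}`);
  }
  if (challenges.length === 0) throw new SyntaxError("1#challenge needs at least one challenge");
  return challenges;
}
```
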
