RFC 7235 states that this header presents two authentication mechanisms:
WWW-Authenticate: Newauth realm="apps", type=1,
title="Login to \"apps\"", Basic realm="simple"
I have problems parsing this grammar and the RFC isn't helping, as it doesn't describe it. If an application should try to do so, I can't just try to split on commas, as that is used both to separate the authentications mechanisms and their parameters.
Would I be correct in my understanding if I were to find the start of each auth mechanism using a regex like \w+ realm=
?
Well, the (ABNF) grammar does describe how to parse it. And no, a simple regexp like that is not going to work properly.
The field value consists of comma separated challenges. Each challenge starts with a scheme name, optionally followed by a single SP character and parameters, each of which comma separated. You can't rely on "realm" being the first parameter.
Yes, this is hard to parse. Unfortunately this mess has been created in the 90s, and backwards compat makes it hard to fix it.
(BTW: you can't split on "," because the value of a parameter can indeed contain a comma, when in double quotes).
PS: there's a test suite at http://test.greenbytes.de/tech/tc/httpauth/. It uses regexps based on the ABNF grammar.