IETF Logo Mail Archive

[art] HTTP 3xx XOR 401

Nico Williams <nico@cryptonector.com> Fri, 22 March 2019 17:00 UTC

Return-Path: <nico@cryptonector.com>
X-Original-To: art@ietfa.amsl.com
Delivered-To: art@ietfa.amsl.com
Received: from localhost (localhost [127.0.0.1]) by ietfa.amsl.com (Postfix) with ESMTP id E66151312C6 for <art@ietfa.amsl.com>; Fri, 22 Mar 2019 10:00:28 -0700 (PDT)
X-Virus-Scanned: amavisd-new at amsl.com
X-Spam-Flag: NO
X-Spam-Score: -2.001
X-Spam-Level:
X-Spam-Status: No, score=-2.001 tagged_above=-999 required=5 tests=[BAYES_00=-1.9, DKIM_SIGNED=0.1, DKIM_VALID=-0.1, DKIM_VALID_AU=-0.1, RCVD_IN_DNSWL_NONE=-0.0001, SPF_PASS=-0.001] autolearn=ham autolearn_force=no
Authentication-Results: ietfa.amsl.com (amavisd-new); dkim=pass (1024-bit key) header.d=cryptonector.com
Received: from mail.ietf.org ([4.31.198.44]) by localhost (ietfa.amsl.com [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id hCN01tREo0aU for <art@ietfa.amsl.com>; Fri, 22 Mar 2019 10:00:26 -0700 (PDT)
Received: from golden.birch.relay.mailchannels.net (golden.birch.relay.mailchannels.net [23.83.209.73]) (using TLSv1.2 with cipher ECDHE-RSA-AES256-GCM-SHA384 (256/256 bits)) (No client certificate requested) by ietfa.amsl.com (Postfix) with ESMTPS id 7F6F0131297 for <art@ietf.org>; Fri, 22 Mar 2019 10:00:26 -0700 (PDT)
X-Sender-Id: dreamhost|x-authsender|nico@cryptonector.com
Received: from relay.mailchannels.net (localhost [127.0.0.1]) by relay.mailchannels.net (Postfix) with ESMTP id A21435C522B; Fri, 22 Mar 2019 17:00:23 +0000 (UTC)
Received: from pdx1-sub0-mail-a37.g.dreamhost.com (unknown [100.96.28.55]) (Authenticated sender: dreamhost) by relay.mailchannels.net (Postfix) with ESMTPA id 371255C5340; Fri, 22 Mar 2019 17:00:23 +0000 (UTC)
X-Sender-Id: dreamhost|x-authsender|nico@cryptonector.com
Received: from pdx1-sub0-mail-a37.g.dreamhost.com (pop.dreamhost.com [64.90.62.162]) (using TLSv1.2 with cipher DHE-RSA-AES256-GCM-SHA384) by 0.0.0.0:2500 (trex/5.17.2); Fri, 22 Mar 2019 17:00:23 +0000
X-MC-Relay: Neutral
X-MailChannels-SenderId: dreamhost|x-authsender|nico@cryptonector.com
X-MailChannels-Auth-Id: dreamhost
X-Thoughtful-Rock: 3242961e1223c49d_1553274023430_3479663806
X-MC-Loop-Signature: 1553274023430:4118814747
X-MC-Ingress-Time: 1553274023430
Received: from pdx1-sub0-mail-a37.g.dreamhost.com (localhost [127.0.0.1]) by pdx1-sub0-mail-a37.g.dreamhost.com (Postfix) with ESMTP id A67BA8076C; Fri, 22 Mar 2019 10:00:22 -0700 (PDT)
DKIM-Signature: v=1; a=rsa-sha1; c=relaxed; d=cryptonector.com; h=date :from:to:subject:message-id:mime-version:content-type; s= cryptonector.com; bh=g1eYqrhQnV/QccGh1zi2YK2zIlo=; b=yQ8k/8CuFiZ JlmesucNs6eNf2qMfLPdKEqjdHONuHb0/Vv0pg/u26wSuynMgI1ZbaSwNH8HR8IS v6ZfvfkmH7nn0kQ+faFFANMFopszjOJuIiTF2h0TTgZAmJG7rcgakXhgspfoP25X H/5lUyxwMU8Vz97Yv75ctW11dg5/RsSI=
Received: from localhost (unknown [24.28.108.183]) (using TLSv1.2 with cipher ECDHE-RSA-AES256-GCM-SHA384 (256/256 bits)) (No client certificate requested) (Authenticated sender: nico@cryptonector.com) by pdx1-sub0-mail-a37.g.dreamhost.com (Postfix) with ESMTPSA id E97E77F570; Fri, 22 Mar 2019 10:00:19 -0700 (PDT)
Date: Fri, 22 Mar 2019 12:00:17 -0500
X-DH-BACKEND: pdx1-sub0-mail-a37
From: Nico Williams <nico@cryptonector.com>
To: art@ietf.org
Message-ID: <20190322170015.GN4211@localhost>
MIME-Version: 1.0
Content-Type: text/plain; charset="us-ascii"
Content-Disposition: inline
User-Agent: Mutt/1.9.4 (2018-02-28)
X-VR-OUT-STATUS: OK
X-VR-OUT-SCORE: 0
X-VR-OUT-SPAMCAUSE: gggruggvucftvghtrhhoucdtuddrgedutddrjedugdeljecutefuodetggdotefrodftvfcurfhrohhfihhlvgemucggtfgfnhhsuhgsshgtrhhisggvpdfftffgtefojffquffvnecuuegrihhlohhuthemuceftddtnecunecujfgurhepfffhvffukfggtggufgesthdtredttdervdenucfhrhhomheppfhitghoucghihhllhhirghmshcuoehnihgtohestghrhihpthhonhgvtghtohhrrdgtohhmqeenucffohhmrghinhepmhhitghrohhsohhfthdrtghomhenucfkphepvdegrddvkedruddtkedrudekfeenucfrrghrrghmpehmohguvgepshhmthhppdhhvghloheplhhotggrlhhhohhsthdpihhnvghtpedvgedrvdekrddutdekrddukeefpdhrvghtuhhrnhdqphgrthhhpefpihgtohcuhghilhhlihgrmhhsuceonhhitghosegtrhihphhtohhnvggtthhorhdrtghomheqpdhmrghilhhfrhhomhepnhhitghosegtrhihphhtohhnvggtthhorhdrtghomhdpnhhrtghpthhtohepnhhitghosegtrhihphhtohhnvggtthhorhdrtghomhenucevlhhushhtvghrufhiiigvpedt
Archived-At: <https://mailarchive.ietf.org/arch/msg/art/T4nP5Rv91yuE0ew8p0vJh2fX1IM>
Subject: [art] HTTP 3xx XOR 401
X-BeenThere: art@ietf.org
X-Mailman-Version: 2.1.29
Precedence: list
List-Id: Applications and Real-Time Area Discussion <art.ietf.org>
List-Unsubscribe: <https://www.ietf.org/mailman/options/art>, <mailto:art-request@ietf.org?subject=unsubscribe>
List-Archive: <https://mailarchive.ietf.org/arch/browse/art/>
List-Post: <mailto:art@ietf.org>
List-Help: <mailto:art-request@ietf.org?subject=help>
List-Subscribe: <https://www.ietf.org/mailman/listinfo/art>, <mailto:art-request@ietf.org?subject=subscribe>
X-List-Received-Date: Fri, 22 Mar 2019 17:00:29 -0000

The rise of 3xx, redirect-based HTTP authentication/authorization
schemes has caused a problem: 3xx results are mutually-exclusive with
401-based authentication schemes.

This means: the server gets to choose {SAML, OAuth, ...} xor {API keys,
Negotiate (Kerberos, basically), Basic, SCRAM, ...}, but cannot "offer"
both and let the user-agent pick one.

The user-agent can "pre-flight" some HTTP authentication methods (API
keys, Negotiate/Kerberos) but not others (e.g., SCRAM), and other than
that.  Other than that, the only other way the user-agent can influence
the server's choice is via the User-Agent: header...

If you have a user-agent that cannot do OAuth (e.g., a non-browser
applications), then you have a problem: you have to know a priori to
pre-flight the API keys / Kerberos / whatever, or the server has to
decide which of 3xx or 401 to respond with based on... the User-Agent:
header value.

Oof.  Just sayin'.

Fixing this may require a time machine -- one that can go back in time,
and I don't have access to one.  Here's how I would fix this if I had
one:

 - Blend 3xx with 401.  E.g., 3xx responses could carry
   WWW-Authenticate: headers to indicate "chase the redirect OR
   authenticate".  Or 401s could carry an optional redirect URI, perhaps
   as an authentication method, perhaps with a header other than
   WWW-Authenticate:.

   This way user-agents can choose based on _their_ capabilities.

 - Let 3xx redirects from authorization headers carry Authorization:
   headers that user-agents can/must then add to the next request when
   chasing the referral.

   This way a very dumb user-agent that can use HTTP authentication or
   TLS user certificates to authenticate to an authorization server
   could just chase referrals to get authorized at the relying party.

There are user-agents and servers that support the second fix, actually!
The Windows PowerShell Invoke-WebRequest command-let has a
-PreserveAuthorizationOnRedirect option described as:

|   Indicates the cmdlet should preserve the Authorization header, when
|   present, across redirections.
|
|   By default, the cmdlet strips the Authorization header before redirecting.
|   Specifying this parameter disables this logic for cases where the header
|   needs to be sent to the redirection location.

https://docs.microsoft.com/en-us/powershell/module/microsoft.powershell.utility/invoke-webrequest?view=powershell-6

I suppose that implies that there are servers that do include an
Authorization header in 3xx replies, though I don't know which those
are.

Without a time machine... we can still do the above, but perhaps also:

 - Add a request header by which user-agents can idicate their
   authentication capabilities, which servers could use to choose
   between 3xx and 401.

   Since borwsers could quickly start supporting this, servers could
   default to 401 in the absence of this header sometime soon and end up
   doing the right thing 95% of the time.

Nico
--

v2.23.0 | Report a Bug | By Email