Re: #78: Relationship between 401, Authorization and WWW-Authenticate

Julian Reschke <julian.reschke@gmx.de> Tue, 26 July 2011 20:06 UTC

Message-ID: <4E2F1DEC.9030809@gmx.de>
Date: Tue, 26 Jul 2011 22:05:00 +0200
From: Julian Reschke <julian.reschke@gmx.de>
To: Mark Nottingham <mnot@mnot.net>
CC: HTTP Working Group <ietf-http-wg@w3.org>
References: <798C1D1A-C0C7-40DD-8993-31DB735A4961@mnot.net>
In-Reply-To: <798C1D1A-C0C7-40DD-8993-31DB735A4961@mnot.net>
Subject: Re: #78: Relationship between 401, Authorization and WWW-Authenticate
Archived-At: <http://www.w3.org/mid/4E2F1DEC.9030809@gmx.de>

On 2011-07-24 20:06, Mark Nottingham wrote:
> <http://trac.tools.ietf.org/wg/httpbis/trac/ticket/78>
>
> Proposal:
>
> 1) Clarify that WWW-Authenticate can appear on any response, and that when it appears on any other than a 401, it means that the client can optionally present the request again with a credential.
>
> and,
>
> 2) Clarify that an Authentication scheme that uses WWW-Authenticate and/or 401 MUST use the Authorization header in the request, because of its implications for caching. Schemes MAY specify additional headers to be used alongside it.
>
> --
> Mark Nottingham   http://www.mnot.net/

OK, proposed patch: 
<http://trac.tools.ietf.org/wg/httpbis/trac/attachment/ticket/78/78.diff>

This adds the following point to the Considerations for new schemes:

    o  The credentials carried in an Authorization header field are
       specific to the User Agent, and therefore have the same effect on
       HTTP caches as the "private" Cache-Control response directive,
       within the scope of the request they appear in.

       Therefore, new authentication schemes which choose not to carry
       credentials in the Authorization header (e.g., using a newly
       defined header) will need to explicitly disallow caching, by
       mandating the use of either Cache-Control request directives
       (e.g., "no-store") or response directives (e.g., "private").


And updates the description of WWW-A to:

4.4.  WWW-Authenticate

    The "WWW-Authenticate" header field consists of at least one
    challenge that indicates the authentication scheme(s) and parameters
    applicable to the effective request URI (Section 4.3 of [Part1]).

    It MUST be included in 401 (Unauthorized) response messages and MAY
    be included in other response messages to indicate that supplying
    credentials (or different credentials) might affect the response.

      WWW-Authenticate = 1#challenge

    User agents are advised to take special care in parsing the WWW-
    Authenticate field value, as it might contain more than one challenge,
    more than one WWW-Authenticate header field might be provided, and the
    contents of a challenge itself can contain a comma-separated list of
    authentication parameters.

Best regards, Julian
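The parsing caveat in the WWW-Authenticate text above, as an added example that is not part of this message, the HTTPbis draft or any implementation: a small lexer-driven parser that copes with several challenges in one field value, several WWW-Authenticate header fields in one message, and commas that sit inside a quoted parameter value. It assumes RFC 2617-style challenges (auth-scheme followed by auth-params); the bare token68 form later added for schemes such as Negotiate is not handled. All header values below are constructed samples.

```python
"""Parse WWW-Authenticate field values into (scheme, params) challenges.

Added example, not code from the HTTPbis draft or the thread. Handles the
cases the draft text warns about; assumes RFC 2617-style auth-param
challenges (token68 blobs such as "Negotiate <base64>" are not supported).
"""
import re
from typing import Dict, List, Optional, Tuple

Challenge = Tuple[str, Dict[str, str]]

# token = 1*tchar (HTTP core grammar); quoted-string with backslash escapes
_TCHAR = r"[!#$%&'*+\-.^_`|~0-9A-Za-z]+"
_QUOTED = r'"(?:[^"\\]|\\.)*"'
_LEXER = re.compile(
    r"\s*(?:(?P<token>" + _TCHAR + r")|(?P<quoted>" + _QUOTED + r")|(?P<comma>,)|(?P<eq>=))"
)


def _lex(value: str) -> List[Tuple[str, str]]:
    """Split one field value into (kind, text) tokens; quoted-strings are unescaped."""
    value = value.strip()
    pos, out = 0, []
    while pos < len(value):
        m = _LEXER.match(value, pos)
        if m is None:
            raise ValueError(f"bad character at offset {pos}: {value[pos:pos + 10]!r}")
        kind = m.lastgroup
        text = m.group(kind)
        if kind == "quoted":
            text = re.sub(r"\\(.)", r"\1", text[1:-1])   # strip quotes, unescape
        out.append((kind, text))
        pos = m.end()
    return out


def parse_www_authenticate(field_values: List[str]) -> List[Challenge]:
    """Parse every WWW-Authenticate field value of one response, in order.

    A token followed by '=' is an auth-param of the current challenge; any
    other token starts a new challenge. Commas separate list elements (empty
    elements are tolerated per the #rule) but are never seen inside a quoted
    value, because the lexer has already consumed the whole quoted-string.
    """
    challenges: List[Challenge] = []
    for value in field_values:
        toks = _lex(value)
        current: Optional[Challenge] = None
        need_comma = False     # set after an auth-param: next element needs a comma
        i = 0
        while i < len(toks):
            kind, text = toks[i]
            if kind == "comma":
                need_comma = False
                i += 1
                continue
            if need_comma:
                raise ValueError(f"missing comma before {text!r}")
            if kind != "token":
                raise ValueError(f"unexpected {kind} {text!r}")
            if i + 1 < len(toks) and toks[i + 1][0] == "eq":
                if current is None:
                    raise ValueError(f"auth-param {text!r} before any auth-scheme")
                if i + 2 >= len(toks) or toks[i + 2][0] not in ("token", "quoted"):
                    raise ValueError(f"auth-param {text!r} has no value")
                name = text.lower()            # auth-param names are case-insensitive
                if name in current[1]:
                    raise ValueError(f"duplicate auth-param {name!r}")
                current[1][name] = toks[i + 2][1]
                i += 3
                need_comma = True
            else:
                current = (text, {})           # bare token: a new auth-scheme
                challenges.append(current)
                i += 1
    return challenges


def challenge_schemes(field_values: List[str]) -> List[str]:
    """Lower-cased scheme names in the order offered (auth-scheme is case-insensitive)."""
    return [scheme.lower() for scheme, _ in parse_www_authenticate(field_values)]


# Constructed sample: one field value carrying three challenges, where the
# Digest qop value contains a comma that a naive split(",") would treat as a
# list separator (it yields 6 pieces instead of 3 challenges).
SAMPLE_SINGLE_FIELD = [
    'Basic realm="example", Digest realm="example", qop="auth,auth-int", '
    'nonce="n0nce-constructed", Newscheme'
]
# Constructed sample: challenges spread over two header fields of one response.
SAMPLE_TWO_FIELDS = ['Basic realm="a"', 'Bearer realm="b", error="invalid_token"']

if __name__ == "__main__":
    for scheme, params in parse_www_authenticate(SAMPLE_SINGLE_FIELD + SAMPLE_TWO_FIELDS):
        print(scheme, params)
```

A client picks the strongest scheme it supports from the returned list; the order of the list, not the order in which the fields arrived, is what matters, so the two-field case is deliberately parsed into one flat list.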
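The caching point in the new consideration above, as an added example that is not part of this message, the HTTPbis draft or any cache implementation: a shared-cache storability check implementing the RFC 2616 Section 14.8/14.9 rule that a response to a request carrying Authorization may only be reused for other clients if the response says public, must-revalidate or s-maxage (plus the no-store and private directives). The request header X-Example-Creds stands in for a hypothetical new scheme that carries credentials outside Authorization; the cache has no knowledge of it, which is exactly why such a scheme has to mandate a Cache-Control directive. All headers are constructed samples.

```python
"""Shared-cache storability check: why credentials outside Authorization
need explicit Cache-Control.

Added example, not code from the HTTPbis draft or the thread. Implements the
RFC 2616 s14.8 / s14.9 rules a shared (proxy/CDN) cache applies; the request
header "X-Example-Creds" is a hypothetical credential header of a scheme the
cache knows nothing about.
"""
from typing import Dict, Optional, Set

Headers = Dict[str, str]


def _header(headers: Headers, name: str) -> Optional[str]:
    """Case-insensitive lookup of one header field."""
    for key, value in headers.items():
        if key.lower() == name.lower():
            return value
    return None


def _directives(value: Optional[str]) -> Set[str]:
    """Lower-cased Cache-Control directive names, arguments dropped."""
    names = set()
    for part in (value or "").split(","):
        name = part.strip().split("=", 1)[0].strip().lower()
        if name:
            names.add(name)
    return names


def shared_cache_may_store(request: Headers, response: Headers) -> bool:
    """May a shared cache store this response and serve it to other clients?"""
    req_cc = _directives(_header(request, "Cache-Control"))
    resp_cc = _directives(_header(response, "Cache-Control"))
    if "no-store" in req_cc or "no-store" in resp_cc:
        return False
    if "private" in resp_cc:
        return False
    # Authorization makes the response user-specific even without any
    # response directive: the same effect as "private", scoped to this request.
    if _header(request, "Authorization") is not None:
        return bool(resp_cc & {"public", "must-revalidate", "s-maxage"})
    # Any other request header, including a new scheme's credential header the
    # cache has never heard of, has no such effect: the response is storable.
    return True


# Constructed samples.
ORIGIN_RESPONSE = {"Cache-Control": "max-age=600", "Content-Type": "text/plain"}
REQ_AUTHORIZATION = {"Authorization": "Basic dXNlcjpwYXNz"}
REQ_NEW_HEADER = {"X-Example-Creds": "token-for-user-a"}   # hypothetical scheme


def compare_schemes() -> Dict[str, bool]:
    """Storability of the same origin response under both credential conventions."""
    return {
        # Implicitly private: other users are never served user A's body.
        "authorization": shared_cache_may_store(REQ_AUTHORIZATION, ORIGIN_RESPONSE),
        # The hazard the proposed text addresses: user A's response is stored
        # and reusable for anyone requesting the same URI.
        "new_header": shared_cache_may_store(REQ_NEW_HEADER, ORIGIN_RESPONSE),
        # The fix the proposed text mandates: a response directive ...
        "new_header_private": shared_cache_may_store(
            REQ_NEW_HEADER, {"Cache-Control": "private, max-age=600"}),
        # ... or a request directive.
        "new_header_no_store": shared_cache_may_store(
            {**REQ_NEW_HEADER, "Cache-Control": "no-store"}, ORIGIN_RESPONSE),
    }


if __name__ == "__main__":
    for case, storable in compare_schemes().items():
        print(f"{case:20s} shared cache may store: {storable}")
```

Note that the check is about shared caches only: a response marked private may still be kept by the requesting user agent's own cache, which is consistent with the "specific to the User Agent" wording of the proposed text.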