Re: #78: Relationship between 401, Authorization and WWW-Authenticate

Julian Reschke <> Tue, 26 July 2011 20:06 UTC

Return-Path: <>
Received: from localhost (localhost []) by (Postfix) with ESMTP id 04A1B11E8088 for <>; Tue, 26 Jul 2011 13:06:04 -0700 (PDT)
X-Virus-Scanned: amavisd-new at
X-Spam-Flag: NO
X-Spam-Score: -9.266
X-Spam-Status: No, score=-9.266 tagged_above=-999 required=5 tests=[AWL=1.333, BAYES_00=-2.599, RCVD_IN_DNSWL_HI=-8]
Received: from ([]) by localhost ( []) (amavisd-new, port 10024) with ESMTP id El8yQ0it9Tvi for <>; Tue, 26 Jul 2011 13:06:03 -0700 (PDT)
Received: from ( []) by (Postfix) with ESMTP id 2E4BE21F86D2 for <>; Tue, 26 Jul 2011 13:06:03 -0700 (PDT)
Received: from lists by with local (Exim 4.69) (envelope-from <>) id 1Qlnsq-0002qe-Mg for; Tue, 26 Jul 2011 20:05:40 +0000
Received: from ([]) by with esmtp (Exim 4.69) (envelope-from <>) id 1Qlnsi-0002kP-Be for; Tue, 26 Jul 2011 20:05:32 +0000
Received: from ([]) by with smtp (Exim 4.72) (envelope-from <>) id 1Qlnsg-0007ZR-JS for; Tue, 26 Jul 2011 20:05:31 +0000
Received: (qmail invoked by alias); 26 Jul 2011 20:05:04 -0000
Received: from (EHLO []) [] by (mp020) with SMTP; 26 Jul 2011 22:05:04 +0200
X-Authenticated: #1915285
X-Provags-ID: V01U2FsdGVkX1+ARvxMj5KAJjTuvaRhSjrAkGvtcDQIdM5MUtc6dR dpbA7jewTbRqvq
Message-ID: <>
Date: Tue, 26 Jul 2011 22:05:00 +0200
From: Julian Reschke <>
User-Agent: Mozilla/5.0 (Windows NT 6.1; WOW64; rv:5.0) Gecko/20110624 Thunderbird/5.0
MIME-Version: 1.0
To: Mark Nottingham <>
CC: HTTP Working Group <>
References: <>
In-Reply-To: <>
Content-Type: text/plain; charset="ISO-8859-1"; format="flowed"
Content-Transfer-Encoding: 7bit
X-Y-GMX-Trusted: 0
Received-SPF: pass client-ip=;;
X-W3C-Hub-Spam-Status: No, score=-1.9
X-W3C-Hub-Spam-Report: BAYES_00=-1.9, FREEMAIL_FROM=0.001, RCVD_IN_DNSWL_NONE=-0.0001, SPF_PASS=-0.001
X-W3C-Scan-Sig: 1Qlnsg-0007ZR-JS 57d6f29c9311322ab368becbc38dcbb9
Subject: Re: #78: Relationship between 401, Authorization and WWW-Authenticate
Archived-At: <>
X-Mailing-List: <> archive/latest/11104
Precedence: list
List-Id: <>
List-Help: <>
List-Post: <>
List-Unsubscribe: <>
Resent-Message-Id: <>
Resent-Date: Tue, 26 Jul 2011 20:05:40 +0000

On 2011-07-24 20:06, Mark Nottingham wrote:
> <>
> Proposal:
> 1) Clarify that WWW-Authenticate can appear on any response, and that when it appears on any other than a 401, it means that the client can optionally present the request again with a credential.
> and,
> 2) Clarify that an Authentication scheme that uses WWW-Authenticate and/or 401 MUST use the Authorization header in the request, because of its implications for caching. Schemes MAY specify additional headers to be used alongside it.
> --
> Mark Nottingham

OK, proposed patch: 

This adds the following point to the Considerations for new schemes:

    o  The credentials carried in an Authorization header field are
       specific to the User Agent, and therefore have the same effect on
       HTTP caches as the "private" Cache-Control response directive,
       within the scope of the request they appear in.

       Therefore, new authentication schemes which choose not to carry
       credentials in the Authorization header (e.g., using a newly
       defined header) will need to explicitly disallow caching, by
       mandating the use of either Cache-Control request directives
       (e.g., "no-store") or response directives (e.g., "private").

An updates the description of WWW-A to:

4.4.  WWW-Authenticate

    The "WWW-Authenticate" header field consists of at least one
    challenge that indicates the authentication scheme(s) and parameters
    applicable to the effective request URI (Section 4.3 of [Part1]).

    It MUST be included in 401 (Unauthorized) response messages and MAY
    be included in other response messages to indicate that supplying
    credentials (or different credentials) might affect the response.

      WWW-Authenticate = 1#challenge

    User agents are advised to take special care in parsing the WWW-
    Authenticate field value as it might contain more than one challenge,
    or if more than one WWW-Authenticate header field is provided, the
    contents of a challenge itself can contain a comma-separated list of
    authentication parameters.

Best regards, Julian