Re: #78: Relationship between 401, Authorization and WWW-Authenticate

Amos Jeffries <> Tue, 26 July 2011 23:58 UTC

Return-Path: <>
Received: from localhost (localhost []) by (Postfix) with ESMTP id D205E21F8786 for <>; Tue, 26 Jul 2011 16:58:28 -0700 (PDT)
X-Virus-Scanned: amavisd-new at
X-Spam-Flag: NO
X-Spam-Score: -10.561
X-Spam-Status: No, score=-10.561 tagged_above=-999 required=5 tests=[AWL=0.038, BAYES_00=-2.599, RCVD_IN_DNSWL_HI=-8]
Received: from ([]) by localhost ( []) (amavisd-new, port 10024) with ESMTP id rwQmk4pjrXKt for <>; Tue, 26 Jul 2011 16:58:28 -0700 (PDT)
Received: from ( []) by (Postfix) with ESMTP id 4974E21F8784 for <>; Tue, 26 Jul 2011 16:58:28 -0700 (PDT)
Received: from lists by with local (Exim 4.69) (envelope-from <>) id 1QlrVO-0003X8-6D for; Tue, 26 Jul 2011 23:57:42 +0000
Received: from ([]) by with esmtp (Exim 4.69) (envelope-from <>) id 1QlrVB-0003SU-Ob for; Tue, 26 Jul 2011 23:57:30 +0000
Received: from [2002:3a1c:99e9:0:206:5bff:fe7c:b8a] ( by with esmtp (Exim 4.72) (envelope-from <>) id 1QlrV7-0003Ic-RN for; Tue, 26 Jul 2011 23:57:28 +0000
Received: by (Postfix, from userid 33) id 8FD82E7527; Wed, 27 Jul 2011 11:56:51 +1200 (NZST)
MIME-Version: 1.0
Content-Type: text/plain; charset="UTF-8"; format="flowed"
Content-Transfer-Encoding: 7bit
Date: Wed, 27 Jul 2011 11:56:51 +1200
From: Amos Jeffries <>
In-Reply-To: <>
References: <> <> <> <> <> <>
Message-ID: <>
User-Agent: Roundcube Webmail/0.5.1
Received-SPF: permerror client-ip=2002:3a1c:99e9:0:206:5bff:fe7c:b8a;;
X-W3C-Hub-Spam-Status: No, score=-1.1
X-W3C-Hub-Spam-Report: BAYES_00=-1.9, RDNS_NONE=0.793
X-W3C-Scan-Sig: 1QlrV7-0003Ic-RN 3bf40a4d7f3b7a527b44bdf549218aef
Subject: Re: #78: Relationship between 401, Authorization and WWW-Authenticate
Archived-At: <>
X-Mailing-List: <> archive/latest/11108
Precedence: list
List-Id: <>
List-Help: <>
List-Post: <>
List-Unsubscribe: <>
Resent-Message-Id: <>
Resent-Date: Tue, 26 Jul 2011 23:57:42 +0000

 On Tue, 26 Jul 2011 16:18:04 -0400, Mark Nottingham wrote:
> On 26/07/2011, at 4:11 PM, Adrien de Croy wrote:
>> apologies, but I'm still not convinced overloading a new function 
>> onto WWW-Authenticate is the best way to advertise the availability of 
>> optional authentication.
>> It creates an immediate dilemma for any UA that receives such a 
>> message.
>> What are the options for the UA, and how will they affect user 
>> experience?
>> If the UA always elects to proceed to auth, then it's the same as 
>> sending back a 401
>> if the UA tries to give the choice to the user, that's (IMO) asking 
>> for pain
>> otherwise the UA can ignore it, and it's just more bloat.

 The server also does not know which of those two behaviours the client 
 UA will choose.

 This opens the door for the form-base auth currently being proposed in 
 other WG. Websites placing login forms on, for example, their front 
 page. User agents with credentials available already can login silently. 
 Those without can choose to happily display the non-authed page without 
 annoying the user overly much. If the user does fill out the form 
 credentials become available and the page view can change without 
 caching problems.

 With some extra UA support this is all possible now. Just requires a 
 few things outside the HTTP spec to happen. Which means when this is 
 implemented compatibility will be a problem.

>> Also I just see it breaking a whole heap of agents who switch 
>> behaviour on the presence of that header (rather than the status).
>> Finally, we see UAs starting auth without this header in the first 
>> place.  So does this really need advertising anyway?
>> If this is to be new behaviour, shouldn't we use a new header or 
>> status? That way we can keep it out of the way.
> All we're doing is leaving the door open for the possibility in the
> future, explicitly; we're not requiring anything, and a future effort
> can figure out what the best thing to do is.

 +1 to foresight.