RE: #78: Relationship between 401, Authorization and WWW-Authenticate

"Manger, James H" <James.H.Manger@team.telstra.com> Mon, 25 July 2011 03:20 UTC

From: "Manger, James H" <James.H.Manger@team.telstra.com>
To: HTTP Working Group <ietf-http-wg@w3.org>
Date: Mon, 25 Jul 2011 13:19:37 +1000
Message-ID: <255B9BB34FB7D647A506DC292726F6E112892DE4A4@WSMSG3153V.srv.dir.telstra.com>
References: <798C1D1A-C0C7-40DD-8993-31DB735A4961@mnot.net>
In-Reply-To: <798C1D1A-C0C7-40DD-8993-31DB735A4961@mnot.net>
Subject: RE: #78: Relationship between 401, Authorization and WWW-Authenticate
Archived-At: <http://www.w3.org/mid/255B9BB34FB7D647A506DC292726F6E112892DE4A4@WSMSG3153V.srv.dir.telstra.com>

> <http://trac.tools.ietf.org/wg/httpbis/trac/ticket/78>
>
> Proposal:
>
> 1) Clarify that WWW-Authenticate can appear on any response, and that when it appears on any other than a 401, it means that the client can optionally present the request again with a credential.

Great.


> and,
>
> 2) Clarify that an Authentication scheme that uses WWW-Authenticate and/or 401 MUST use the Authorization header in the request, because of its implications for caching. Schemes MAY specify additional headers to be used alongside it.

Not so great.

If an authentication mechanism uses the Authorization header then it benefits from some default caching rules. Good.
Plenty of other authentication mechanisms don't use that header, primarily because they operate at higher or lower layers of the protocol stack (e.g. forms, cookies, TLS...). Even in these cases a WWW-Authenticate response header can be a useful signal about the authentication options available. They may need to handle caching explicitly, but they can do that.

If anything needs to be said, perhaps something like the following could be appended to section 4.1 "Authorization":

  A server may need to explicitly indicate the cachability of responses
  if a request uses an authentication mechanism that does not involve
  the Authorization header.

--
James Manger
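As an added illustration of the caching point made in this message (example code, not from the original thread or the HTTPbis draft): a minimal shared-cache storability check modelling the Authorization rule from RFC 2616 section 14.8 (carried into RFC 7234 section 3.2), so that the "default caching rules" a scheme gets by using Authorization, and the absence of any such default for cookie- or TLS-based authentication, can be seen side by side. The header dictionaries below are constructed sample input.

```python
"""Added example: a shared (proxy) cache deciding whether a response may be
stored. Only the authentication-related rules are modelled: a response to a
request carrying Authorization MUST NOT be stored by a shared cache unless the
response explicitly allows it (must-revalidate, public or s-maxage), while a
request authenticated by a cookie or a client certificate gives the cache no
signal at all, so the origin has to say 'private' itself."""


def parse_cache_control(value):
    """Parse a Cache-Control value into {directive: argument-or-None}.
    Directive names are case-insensitive; arguments may be absent."""
    directives = {}
    if not value:
        return directives
    for part in value.split(","):
        part = part.strip()
        if not part:
            continue
        name, _, arg = part.partition("=")
        directives[name.strip().lower()] = arg.strip().strip('"') or None
    return directives


def shared_cache_may_store(request_headers, response_headers):
    """Return True if a shared cache may store this response."""
    req = {k.lower(): v for k, v in request_headers.items()}
    resp = {k.lower(): v for k, v in response_headers.items()}
    cc = parse_cache_control(resp.get("cache-control", ""))
    # Explicit opt-out always wins, whatever the authentication mechanism.
    if "private" in cc or "no-store" in cc:
        return False
    if "authorization" in req:
        # Default rule for Authorization: not storable unless the origin
        # explicitly opts in with one of these directives (max-age alone
        # is not enough).
        return any(d in cc for d in ("must-revalidate", "public", "s-maxage"))
    # No Authorization header (cookie, form session, TLS client cert):
    # nothing in the request stops a shared cache from storing the response.
    return True


# Constructed sample exchanges.
AUTHZ_REQ = {"Authorization": "Basic dXNlcjpwYXNz"}   # placeholder credential
COOKIE_REQ = {"Cookie": "session=placeholder"}
PLAIN_200 = {"Content-Type": "text/html"}
PUBLIC_200 = {"Cache-Control": "public, max-age=60"}
PRIVATE_200 = {"Cache-Control": "private, max-age=60"}
```

Run against the samples, the cookie-authenticated response with no Cache-Control is storable by a shared cache, which is exactly the case the proposed sentence for section 4.1 tells servers to handle explicitly.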