Re: #78: Relationship between 401, Authorization and WWW-Authenticate

Adrien de Croy <adrien@qbik.com> Tue, 26 July 2011 20:11 UTC

Message-ID: <4E2F1F56.1080804@qbik.com>
Date: Wed, 27 Jul 2011 08:11:02 +1200
From: Adrien de Croy <adrien@qbik.com>
To: Julian Reschke <julian.reschke@gmx.de>
CC: Yutaka OIWA <y.oiwa@aist.go.jp>, Mark Nottingham <mnot@mnot.net>, HTTP Working Group <ietf-http-wg@w3.org>
References: <798C1D1A-C0C7-40DD-8993-31DB735A4961@mnot.net> <4E2EC0EE.8060200@aist.go.jp> <4E2EC55F.2050403@aist.go.jp> <4E2F1BAB.2090604@gmx.de>
In-Reply-To: <4E2F1BAB.2090604@gmx.de>
Subject: Re: #78: Relationship between 401, Authorization and WWW-Authenticate
Archived-At: <http://www.w3.org/mid/4E2F1F56.1080804@qbik.com>

Apologies, but I'm still not convinced overloading a new function onto 
WWW-Authenticate is the best way to advertise the availability of 
optional authentication.

It creates an immediate dilemma for any UA that receives such a message.

What are the options for the UA, and how will they affect user experience?

If the UA always elects to proceed to auth, then it's the same as 
sending back a 401.
If the UA tries to give the choice to the user, that's (IMO) asking for pain.
Otherwise the UA can ignore it, and it's just more bloat.

Also I just see it breaking a whole heap of agents who switch behaviour 
on the presence of that header (rather than the status).

Finally, we see UAs starting auth without this header in the first 
place.  So does this really need advertising anyway?

If this is to be new behaviour, shouldn't we use a new header or status? 
That way we can keep it out of the way.


On 27/07/2011 7:55 a.m., Julian Reschke wrote:
> On 2011-07-26 15:47, Yutaka OIWA wrote:
>> On 2011/07/26 22:28, Yutaka OIWA wrote:
>>
>>> And if this change text intends to introduce any opportunity
>>> for optional authentication to HTTP at this time,
>>> I think we need more detailed restrictions to make it really work.
>>> If the intention is just to clarify header meanings and
>>> leave the rest for future work, it is OK for me.
>>
>> just FYI, the following is the list of required additional rules
>> to make optional auth work.
>>
>> (1) The response for successful authentication MUST NOT contain
>>      any WWW-Authenticate: header.
>
> Not sure about that.
>
> If we allow WWW-A on a non-authenticated 200 response, why not also on 
> an authenticated one?
>
>> (2) The response for failed authentication is RECOMMENDED to be
>>      401 status, even if a request for the same URL and method without
>>      Authorization: header will result in 200 status with 
>> WWW-Authenticate:
>>      header.
>
> I agree with this one, but, as Mark said, let's leave that to future 
> work.
>
> > ...
>
> Best regards, Julian
>

-- 
Adrien de Croy - WinGate Proxy Server - http://www.wingate.com
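The following is an added illustration, not code from the thread or from any of its participants: a small model of the "optional authentication" exchange under discussion. The server side implements the two additional rules Yutaka proposed (no WWW-Authenticate on a successfully authenticated response; 401 on failed authentication even though the anonymous request gets 200), and the client side contrasts the two UA behaviours Adrien points at, one switching on the 401 status and one switching on the mere presence of the header. The realm, user name, password and response bodies are constructed sample values, and the credential check is a simplified Basic-only parser.

```python
"""Model of optional HTTP authentication (added example, not from the thread).

Server: a resource readable anonymously that also offers authentication.
Client: two UA policies for deciding whether to retry with credentials.
All names, realms and credentials below are constructed sample values.
"""
import base64

REALM = "example"                    # constructed sample realm
USERS = {"alice": "correct horse"}   # constructed sample credential store


def _check_basic(authorization):
    """Return the user name if a Basic credential is valid, else None."""
    scheme, _, param = authorization.partition(" ")
    if scheme.lower() != "basic":
        return None
    try:
        decoded = base64.b64decode(param.strip(), validate=True).decode("utf-8")
    except (ValueError, UnicodeDecodeError):
        return None            # malformed token counts as a failed attempt
    user, _, password = decoded.partition(":")
    # A production server would compare with a constant-time function.
    if user in USERS and USERS[user] == password:
        return user
    return None


def serve(request_headers):
    """Handle one request; returns (status, response_headers, body).

    Rule (1): a successfully authenticated response carries no WWW-Authenticate.
    Rule (2): a failed authentication attempt gets 401, even though the same
              request without Authorization would have received 200.
    """
    challenge = 'Basic realm="%s"' % REALM
    authz = request_headers.get("Authorization")
    if authz is None:
        # Anonymous access is permitted; advertise that auth is available.
        return 200, {"WWW-Authenticate": challenge}, "public view"
    user = _check_basic(authz)
    if user is None:
        return 401, {"WWW-Authenticate": challenge}, "authentication failed"
    return 200, {}, "private view for %s" % user


def ua_status_driven(status, headers):
    """Classic UA: only a 401 with a challenge triggers authentication."""
    return status == 401 and "WWW-Authenticate" in headers


def ua_header_driven(status, headers):
    """UA that reacts to the header regardless of status; this is the kind of
    agent that would start authenticating on a 200 carrying WWW-Authenticate."""
    return "WWW-Authenticate" in headers


def exchange(ua_policy, credentials):
    """One anonymous request, then a retry with `credentials` if the UA policy
    says so. `credentials` is a (user, password) tuple.

    Returns (statuses_seen, authenticated), where `authenticated` is True only
    when the final response is a 200 without a challenge (rule (1)).
    """
    statuses = []
    status, headers, _ = serve({})
    statuses.append(status)
    if ua_policy(status, headers):
        user, password = credentials
        token = base64.b64encode(("%s:%s" % (user, password)).encode()).decode()
        status, headers, _ = serve({"Authorization": "Basic " + token})
        statuses.append(status)
    return statuses, status == 200 and "WWW-Authenticate" not in headers


if __name__ == "__main__":
    good = ("alice", "correct horse")
    bad = ("alice", "wrong")
    print("status-driven UA, good creds:", exchange(ua_status_driven, good))
    print("header-driven UA, good creds:", exchange(ua_header_driven, good))
    print("header-driven UA, bad creds: ", exchange(ua_header_driven, bad))
```

Running the script shows the divergence in one place: the status-driven UA never authenticates against this resource (it only ever sees a 200), while the header-driven UA retries immediately, which is what makes a 200-with-challenge behave like a 401 for that class of agent; with wrong credentials the retry surfaces the 401 that rule (2) asks for.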