W3C home > Mailing lists > Public > ietf-http-wg@w3.org > July to September 2007

Re: WWW-Authenticate, Authorization and 401's

From: Mark Nottingham <mnot@mnot.net>
Date: Mon, 20 Aug 2007 13:38:50 +1000
Message-Id: <231798E7-E84C-444A-879F-77718FCBFE09@mnot.net>
Cc: ietf-http-wg@w3.org
To: Hugo Haas <hugo@yahoo-inc.com>

http://www.w3.org/Protocols/HTTP/1.1/rfc2616bis/issues/#i78


On 26/07/2007, at 10:30 AM, Hugo Haas wrote:

>
> Hi,
>
> I'm trying to figure out how the WWW-Authenticate header relates to  
> the Authorization header.
>
> Authentication in an HTTP request is not always done with the  
> Authorization header. It's sometimes done with cookies for example.  
> When a user is not authenticated and authentication is required,  
> returning a 401 seems natural:
>
> [[
>
> 10.4.2 401 Unauthorized
>
>    The request requires user authentication.
>
> ]] -- RFC2616
>
> 401 requires a WWW-Authenticate header, which itself requires a  
> scheme and a realm:
>
> [[
>
>    The response MUST include a
>    WWW-Authenticate header field (section 14.47) containing a  
> challenge
>    applicable to the requested resource.
>
> ]] -- RFC2616
>
> and:
>
> [[
>
>    The 401 (Unauthorized) response message is used by an origin server
>    to challenge the authorization of a user agent. This response MUST
>    include a WWW-Authenticate header field containing at least one
>    challenge applicable to the requested resource.
>
> []
>
>    The realm directive (case-insensitive) is required for all
>    authentication schemes that issue a challenge.
>
> ]] -- RFC2617
>
> The scheme and realm are concepts that are core to the HTTP  
> authentication framework defined in RFC 2617. However, it's not  
> clear whether the Authorization header is the required response to  
> this WWW-Authenticate challenge:
>
> [[
>
>    The client MAY repeat the
>    request with a suitable Authorization header field (section  
> 14.8). If
>    the request already included Authorization credentials, then the  
> 401
>    response indicates that authorization has been refused for those
>    credentials.
>
> ]] -- RFC 2616
>
> [[
>
>    A user agent that wishes to authenticate itself with an origin
>    server--usually, but not necessarily, after receiving a 401
>    (Unauthorized)--MAY do so by including an Authorization header  
> field
>    with the request.
>
> ]] -- RFC 2617
>
> Does this mean that the client may repeat the request with  
> credentials, and if so this must be done with the Authorization  
> header, or that the client may repeat the request with the right  
> credentials, and may do so with the Authorization header or using  
> some other way?
>
> If the former, that would mean that the 401 error code is reserved  
> to the use of the Authorization request header. That would be  
> unfortunate as having an error code for standard unauthorized  
> responses is handy for obvious reasons.
>
> Additionally, RFC 2616 talks about 401 pertaining to user  
> authentication:
>
> [[
>
> 10.4.2 401 Unauthorized
>
>    The request requires user authentication.
>
> ]] -- RFC2616
>
> while RFC 2617 talks about authenticating the user agent:
>
> [[
>
>    The 401 (Unauthorized) response message is used by an origin server
>    to challenge the authorization of a user agent.
>
> ]] -- RFC 2617
>
> A request may carry credentials for a number of things (the user,  
> the calling application, etc.), and 401 seems like a good response  
> code for those, with the meaning that some credentials that the  
> server was expecting were not found.
>
> Regards,
>
> Hugo


--
Mark Nottingham     http://www.mnot.net/
Received on Monday, 20 August 2007 03:39:10 GMT

This archive was generated by hypermail 2.2.0+W3C-0.50 : Friday, 27 April 2012 06:50:15 GMT