W3C home > Mailing lists > Public > ietf-http-wg@w3.org > January to March 2009

Re: Proposal: 3xx (Unauthorized, See Other) status

From: Mark Nottingham <mnot@mnot.net>
Date: Fri, 23 Jan 2009 11:25:29 +1100
Cc: ietf-http-wg@w3.org
Message-Id: <F7C69B53-BF4D-43DA-A112-A13C6334B946@mnot.net>
To: Thomas Broyer <t.broyer@gmail.com>

Hi Thomas,

We're not chartered to do extension work, but you can certainly use  
the mailing list for review and discussion.

BTW, this sounds a little bit like a previous discussion;


On 20/01/2009, at 10:02 AM, Thomas Broyer wrote:

> Hi all,
> For the purpose of my http-cookie-auth I-D [1], I'm currently doing a
> survey of the current authentication mechanisms (other than RFC 2617)
> used "on the wild."
> Most Single Sign-On systems involve a redirection from the Service
> Provider (a.k.a Consumer) to the Identity Provider (which redirects
> back to the SP with some token or "assertion", but that's not the
> concern here).
> In some cases, the SP and IdP share the same "root domain" (e.g.
> docs.google.com, mail.google.com, www.google.com/reader,
> www.google.com/accounts; http://fr-fr.facebook.com,
> https://www.facebook.com) so a 401 (Unauthorized) could be used (see
> example 2 in draft-broyer-http-cookie-auth [1]), and access granted
> through a cookie with the appropriate Domain attribute value (in
> Google's case, Domain=.google.com), even though using distinct cookies
> might be a better choice for security.
> In other cases though, it is not possible (the SP and IdP do not share
> a common "root domain", as is the case for e.g. www.flickr.com and
> login.yahoo.com). There are possible workarounds using a meta refresh
> and/or some javascript (see notes about the yet-to-be-written example
> 3 in draft-broyer-http-cookie-auth [1], a no-code demo can be found at
> [2], file source avail. at [3]) but that's not ideal.
> In both cases, for instance, if the SP runs on HTTP and the IdP on
> HTTPS, if the 401 payload contains an HTML "login form", the user
> cannot know before hand that the form will be submitted on a secured
> channel to the IdP (this is a problem with the UA, but IMO not only,
> as it's also related to CSRF and to phishing).
> I therefore wonder if a new 3xx status had been proposed before, in
> order to communicate lack of authorization (same as a 401) but
> redirecting/deferring to another resource to authenticate the user.
> If it has not been proposed/discussed before, would HTTPbis be a good
> place to define it, or should/could I include it in
> draft-broyer-http-cookie-auth (as cookies are the only
> non-SSL-client-cert non-RFC2617 "authentication" mechanism that I know
> of) or some other I-D?
> If people want some "literature" about such SSO systems, one is spec'd
> as part of SAML 2.0 [4] in the SSO profile.
> [1] http://ltgt.net/projects/http-cookie-auth/draft-broyer-http-cookie-auth-00.html
> [2] http://ltgt.net/tests/http-cookie-auth/test01/
> [3] http://hg.ltgt.net/http-cookie-auth/file/tip/tests/test01
> [4] http://saml.xml.org
> -- 
> Thomas Broyer

Mark Nottingham     http://www.mnot.net/
Received on Friday, 23 January 2009 00:26:09 UTC

This archive was generated by hypermail 2.3.1 : Tuesday, 1 March 2016 11:10:48 UTC