
Re: [OAUTH-WG] OAuth and HTTP caching

From: Mark Nottingham <mnot@mnot.net>
Date: Tue, 22 Sep 2009 17:56:27 +1000
Cc: Eran Hammer-Lahav <eran@hueniverse.com>, "oauth@ietf.org" <oauth@ietf.org>, "ietf-http-wg@w3.org Group" <ietf-http-wg@w3.org>
Message-Id: <32C79DCD-0427-4253-98A0-1734BAB35C2D@mnot.net>
To: John Panzer <jpanzer@google.com>

On 22/09/2009, at 7:56 AM, John Panzer wrote:

> On the server side, one of the concerns in the past has been security in shared hosting systems where e.g., basic auth data should be handled by a secure container (Apache) and not passed on in raw form to hosted CGI scripts. So some of this comes back to what minimum level of hosting should be targeted by the specification -- and how much it should bend over backwards to deal with "challenged" environments.

That's a good discussion to have.

> My $.02 is that we should follow the HTTP spec (Authorization: and WWW-Authenticate:) and take a minimum distance path to route around limited environments if necessary (X-Authorization: and X-WWW-Authenticate:, with exactly the same content, would be my proposal).

Ugh. By allowing other resources on the same server to see authentication credentials, wouldn't that just re-open these attacks?

> --
> John Panzer / Google
> jpanzer@google.com / abstractioneer.org / @jpanzer
> On Mon, Sep 21, 2009 at 2:15 PM, Eran Hammer-Lahav <eran@hueniverse.com> wrote:
> As currently written, OAuth use of the HTTP authentication headers is optional at best.
> The reason for that was based on concerns that some platforms do not provide access to the HTTP header in either the request or the reply. However, this might have significant ramifications on caching and other parts of HTTP where an indication of an authenticate interaction is needed.
> Before the OAuth WG spends any time on discussing the various methods of sending authentication parameters, I would like to find out if using the authentication headers is more of a requirement for such a protocol.
> _______________________________________________
> OAuth mailing list
> OAuth@ietf.org
> https://www.ietf.org/mailman/listinfo/oauth

Mark Nottingham     http://www.mnot.net/
Received on Tuesday, 22 September 2009 07:57:24 UTC
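As an added illustration, not part of this thread or of any OAuth draft, of why Mark's objection and Eran's caching concern both hinge on the standard header name: the functions below model the RFC 3875 CGI meta-variable rule and the RFC 2616 section 14.8 shared-cache rule against constructed sample headers. Function names, the sample credential and the host name are my own assumptions.

```python
"""Added example (not from the thread): the two HTTP rules that only fire on
the standard Authorization field name, run against constructed sample headers."""

# RFC 3875 section 4.1.18: a CGI server SHOULD remove header fields carrying
# authentication information (Authorization) before exposing request headers
# to scripts as HTTP_* meta-variables. A renamed X- header gets no such care.
PROTECTED_HEADERS = {"authorization", "proxy-authorization"}


def cgi_meta_variables(request_headers):
    """Map request headers to the HTTP_* environment a hosted CGI script sees."""
    env = {}
    for name, value in request_headers.items():
        if name.lower() in PROTECTED_HEADERS:
            continue  # the container keeps the credential; the script never sees it
        env["HTTP_" + name.upper().replace("-", "_")] = value
    return env


# RFC 2616 section 14.8: a shared cache that receives a request containing
# Authorization MUST NOT cache the response unless the response carries
# s-maxage, must-revalidate or public. Again, only the standard name triggers it.
def shared_cache_may_store(request_headers, response_headers):
    """Return True if a shared cache is allowed to store this response."""
    if "authorization" not in {k.lower() for k in request_headers}:
        return True  # an X-Authorization request looks anonymous to the cache
    directives = {d.strip().split("=")[0].lower()
                  for d in response_headers.get("Cache-Control", "").split(",")
                  if d.strip()}
    return bool(directives & {"s-maxage", "must-revalidate", "public"})


# Constructed sample: the same (placeholder) OAuth credential sent two ways.
OAUTH_CREDENTIAL = 'OAuth oauth_consumer_key="constructed-key", oauth_token="constructed-token"'
STANDARD = {"Host": "photos.example.net", "Authorization": OAUTH_CREDENTIAL}
WORKAROUND = {"Host": "photos.example.net", "X-Authorization": OAUTH_CREDENTIAL}
PRIVATE_RESPONSE = {"Content-Type": "application/json"}  # no Cache-Control at all

if __name__ == "__main__":
    print(cgi_meta_variables(STANDARD))     # credential absent from the environment
    print(cgi_meta_variables(WORKAROUND))   # HTTP_X_AUTHORIZATION carries it to every script
    print(shared_cache_may_store(STANDARD, PRIVATE_RESPONSE))    # False
    print(shared_cache_may_store(WORKAROUND, PRIVATE_RESPONSE))  # True: a shared cache may keep it
```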
