W3C home > Mailing lists > Public > ietf-http-wg@w3.org > July to September 2009

Re: [OAUTH-WG] OAuth and HTTP caching

From: Roy T. Fielding <fielding@gbiv.com>
Date: Tue, 22 Sep 2009 10:09:16 -0700
Message-Id: <02F0580C-C72D-402B-9734-8CC6648E6485@gbiv.com>
Cc: Eran Hammer-Lahav <eran@hueniverse.com>, "oauth@ietf.org" <oauth@ietf.org>, "ietf-http-wg@w3.org Group" <ietf-http-wg@w3.org>
To: John Panzer <jpanzer@google.com>
On Sep 21, 2009, at 2:56 PM, John Panzer wrote:

> On the server side, one of the concerns in the past has been  
> security in shared hosting systems where e.g., basic auth data  
> should be handled by a secure container (Apache) and not passed on  
> in raw form to hosted CGI scripts.  So some of this comes back to  
> what minimum level of hosting should be targeted by the  
> specification -- and how much it should bend over backwards to deal  
> with "challenged" environments.

That is only a concern for Basic auth, AFAIK.  Apache could tweak it
to only forward unhandled non-Basic credentials to CGI or just a summary
of what has been validated, though some indication of what needs to be
forwarded would be useful.

> My $.02 is that we should follow the HTTP spec (Authorization: and  
> WWW-Authenticate:) and take a minimum distance path to route around  
> limited environments if necessary (X-Authorization: and X-WWW- 
> Authenticate:, with exactly the same content, would be my proposal).

Just follow the HTTP spec.  Someone will implement it.  If people try to
bypass HTTP extensibility mechanisms with stupid hacks that get shipped
in production software, Apache will add code to strip their information
from the stream before anyone sees it.

Received on Tuesday, 22 September 2009 17:10:11 UTC

This archive was generated by hypermail 2.3.1 : Tuesday, 1 March 2016 11:10:51 UTC