
Re: [OAUTH-WG] OAuth and HTTP caching

From: Roy T. Fielding <fielding@gbiv.com>
Date: Tue, 22 Sep 2009 10:47:58 -0700
Message-Id: <EF3CB9C1-ADF7-451F-B075-527BFFF5242C@gbiv.com>
Cc: John Panzer <jpanzer@google.com>, "oauth@ietf.org" <oauth@ietf.org>, "ietf-http-wg@w3.org Group" <ietf-http-wg@w3.org>
To: Eran Hammer-Lahav <eran@hueniverse.com>

On Sep 22, 2009, at 10:24 AM, Eran Hammer-Lahav wrote:

>> -----Original Message-----
>> From: Roy T. Fielding [mailto:fielding@gbiv.com]
>> Sent: Tuesday, September 22, 2009 10:09 AM
>
>> Just follow the HTTP spec.
>
> That's what I am trying to figure out...
>
> Does the HTTP spec mandate that new authentication protocols use
> the WWW-Authenticate and Authorization headers?

HTTP is not aware of any other kinds of authentication.  There is no
reason to specify anything else.

> Are the headers required for existing caches and servers to operate  
> properly?

Yes (and for user agents as well).  Don't forget about Proxy-Auth*.

> If they are not included in authenticated requests, are there other  
> requirements to make sure it doesn't break existing deployment?

Cache-control: private

is probably needed if the Auth headers are not being used but the
response depends on something like cookies for authentication.

....Roy
Received on Tuesday, 22 September 2009 17:48:37 GMT
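
An added example, not part of the original message: a simplified model of how a shared cache (proxy or CDN) decides whether it may store a response, showing why the `Authorization` header protects a response by default while a cookie-authenticated response needs `Cache-Control: private`. The function names and sample headers are constructed for illustration; the Authorization rule follows the HTTP caching specification (RFC 9111, section 3.5), and the response is assumed to be otherwise cacheable (method, status, freshness).

```python
# Added example: shared-cache storage decision for authenticated requests.
# Simplified model; only Authorization, Cookie and Cache-Control are considered.

def parse_cache_control(value):
    """Return the set of directive names in a Cache-Control value, lowercased."""
    names = set()
    for part in (value or "").split(","):
        name = part.split("=", 1)[0].strip().lower()
        if name:
            names.add(name)
    return names

def shared_cache_decision(request_headers, response_headers):
    """Return (may_store, reason) for a shared cache."""
    req = {k.lower(): v for k, v in request_headers.items()}
    resp = {k.lower(): v for k, v in response_headers.items()}
    cc = parse_cache_control(resp.get("cache-control"))

    # The origin can always forbid shared storage explicitly.
    if "no-store" in cc or "private" in cc:
        return False, "response opts out of shared caching"
    # The cache understands Authorization, so it refuses to share by default.
    if "authorization" in req:
        if cc & {"public", "must-revalidate", "s-maxage"}:
            return True, "Authorization seen; response explicitly allows sharing"
        return False, "Authorization seen; no directive allows sharing"
    # Cookies are opaque to the cache: it cannot tell they carry credentials.
    if "cookie" in req:
        return True, "cookie is opaque to the cache; origin must send private"
    return True, "no credentials visible to the cache"

# Constructed sample exchanges: (request headers, response headers).
SAMPLES = [
    ({"Authorization": "Bearer example-token"}, {"Cache-Control": "max-age=60"}),
    ({"Authorization": "Bearer example-token"}, {"Cache-Control": "public, max-age=60"}),
    ({"Cookie": "session=example"}, {"Cache-Control": "max-age=60"}),
    ({"Cookie": "session=example"}, {"Cache-Control": "private, max-age=60"}),
]

if __name__ == "__main__":
    for req, resp in SAMPLES:
        may_store, reason = shared_cache_decision(req, resp)
        print(f"{list(req)[0]:13} | {resp['Cache-Control']:22} | store={may_store} ({reason})")
```

The third sample is the risky case: the response is personalised by a cookie, but nothing tells the shared cache so, and it may be served to another user.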
