W3C home > Mailing lists > Public > ietf-http-wg@w3.org > July to September 2011

RE: #78: Relationship between 401, Authorization and WWW-Authenticate

From: Manger, James H <James.H.Manger@team.telstra.com>
Date: Mon, 25 Jul 2011 13:19:37 +1000
To: HTTP Working Group <ietf-http-wg@w3.org>
Message-ID: <255B9BB34FB7D647A506DC292726F6E112892DE4A4@WSMSG3153V.srv.dir.telstra.com>
> <http://trac.tools.ietf.org/wg/httpbis/trac/ticket/78>
>
> Proposal:
>
> 1) Clarify that WWW-Authenticate can appear on any response, and that when it appears on any other than a 401, it means that the client can optionally present the request again with a credential.

Great.


> and,
>
> 2) Clarify that an Authentication scheme that uses WWW-Authenticate and/or 401 MUST use the Authorization header in the request, because of its implications for caching. Schemes MAY specify additional headers to be used alongside it.

Not so great.

If an authentication mechanism uses the Authorization header then it benefits from some default caching rules. Good.
Plenty of other authentication mechanisms don't use that header, primarily because they operate at higher or lower layers of the protocol stack (eg forms, cookies, TLS...). Even in these cases a WWW-Authenticate response header can be a useful signal about the authentication options available. They may need to handle caching explicitly, but they can do that.

If anything needs to be said, perhaps something like the following could be appended to section 4.1 "Authorization":

  A server may need to explicitly indicate the cachability of responses
  if a request uses an authentication mechanism that does not involve
  the Authorization header.

--
James Manger
Received on Monday, 25 July 2011 03:20:09 GMT

This archive was generated by hypermail 2.2.0+W3C-0.50 : Friday, 27 April 2012 06:51:45 GMT