W3C home > Mailing lists > Public > ietf-http-wg@w3.org > July to September 2011

Re: #78: Relationship between 401, Authorization and WWW-Authenticate

From: Mark Nottingham <mnot@mnot.net>
Date: Tue, 26 Jul 2011 16:18:04 -0400
Cc: Julian Reschke <julian.reschke@gmx.de>, Yutaka OIWA <y.oiwa@aist.go.jp>, HTTP Working Group <ietf-http-wg@w3.org>
Message-Id: <0374312E-73DC-4A2E-B659-01EFB355CFD9@mnot.net>
To: Adrien de Croy <adrien@qbik.com>

On 26/07/2011, at 4:11 PM, Adrien de Croy wrote:

> apologies, but I'm still not convinced overloading a new function onto WWW-Authenticate is the best way to advertise the availability of optional authentication.
> It creates an immediate dilemma for any UA that receives such a message.
> What are the options for the UA, and how will they affect user experience?
> If the UA always elects to proceed to auth, then it's the same as sending back a 401
> if the UA tries to give the choice to the user, that's (IMO) asking for pain
> otherwise the UA can ignore it, and it's just more bloat.
> Also I just see it breaking a whole heap of agents who switch behaviour on the presence of that header (rather than the status).
> Finally, we see UAs starting auth without this header in the first place.  So does this really need advertising anyway?
> If this is to be new behaviour, shouldn't we use a new header or status? That way we can keep it out of the way.

All we're doing is leaving the door open for the possibility in the future, explicitly; we're not requiring anything, and a future effort can figure out what the best thing to do is.

Mark Nottingham   http://www.mnot.net/
Received on Tuesday, 26 July 2011 20:18:29 UTC

This archive was generated by hypermail 2.3.1 : Tuesday, 1 March 2016 11:10:58 UTC