
Re: WG Review: Recharter of Hypertext Transfer Protocol Bis (httpbis)

From: Willy Tarreau <w@1wt.eu>
Date: Wed, 22 Feb 2012 07:49:14 +0100
To: Robert Collins <robertc@squid-cache.org>
Cc: Barry Leiba <barryleiba@computer.org>, Stephen Farrell <stephen.farrell@cs.tcd.ie>, "ietf-http-wg@w3.org" <ietf-http-wg@w3.org>
Message-ID: <20120222064914.GE20770@1wt.eu>
On Wed, Feb 22, 2012 at 11:53:27AM +1300, Robert Collins wrote:
(...)
> OAuth certainly *thinks* it provides *both* Authentication *and*
> Authorization, and it uses the same header that Basic and Digest do -
> Authorization.

I think that this simply shows a semantic mistake from the past, where
authentication and authorization were a bit conflated. Look at the HTTP
headers: you have the server send "www-authenticate", and the client
responds with "authorization"! At least this is a point we should clarify
in the next version, because I know too many people who consider that
authenticated == authorized. And this is also one reason for http-based
auth not being *that* much deployed in the applications world, since they
have to pretend an authentication failure (401) to report a lack of
authorization if/when they want to offer the client a chance to try other
credentials.

Regards,
Willy
Received on Wednesday, 22 February 2012 06:49:51 GMT
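The 401-versus-403 distinction Willy describes, as an added example that is not part of the original message or of any HTTP implementation. It is a minimal request handler for HTTP Basic authentication (RFC 7617) that returns 401 plus a WWW-Authenticate challenge when the client is not authenticated (credentials absent, wrong scheme, malformed or rejected), 403 without a challenge when the client is authenticated but lacks the required role, and, with the hypothetical `hide_denial` switch, the workaround the message mentions: reporting an authorization failure as a 401 so the client may retry with other credentials. The user table (USERS), the path-to-role table (REQUIRED_ROLE), the realm name and the function names are all assumptions constructed for this example.

```python
import base64
import binascii
import hmac
from typing import Dict, Optional, Tuple

# Constructed demo user table: username -> (password, roles held).
# Plaintext passwords are used only to keep the example self-contained.
USERS = {
    "alice": ("s3cret", {"reader", "admin"}),
    "bob": ("hunter2", {"reader"}),
}

# Constructed access-control table: path prefix -> role required to access it.
REQUIRED_ROLE = {
    "/admin/": "admin",
    "/docs/": "reader",
}

REALM = "example"  # hypothetical realm name used in the challenge


def basic_header(user: str, password: str) -> str:
    """Build the Authorization header value a client would send (RFC 7617)."""
    token = base64.b64encode(f"{user}:{password}".encode("utf-8")).decode("ascii")
    return f"Basic {token}"


def parse_basic(authorization: Optional[str]) -> Optional[Tuple[str, str]]:
    """Parse a Basic credential. Returns (user, password), or None when the
    header is absent, carries another scheme, or is malformed."""
    if not authorization:
        return None
    scheme, _, token = authorization.strip().partition(" ")
    if scheme.lower() != "basic" or not token:
        return None
    try:
        raw = base64.b64decode(token.strip(), validate=True).decode("utf-8")
    except (binascii.Error, UnicodeDecodeError):
        return None
    user, sep, password = raw.partition(":")
    if not sep:
        return None
    return user, password


def authenticate(creds: Optional[Tuple[str, str]]) -> Optional[str]:
    """Return the authenticated username, or None if the credentials fail."""
    if creds is None:
        return None
    user, password = creds
    entry = USERS.get(user)
    if entry is None:
        return None
    # Constant-time comparison so a wrong password does not leak match length.
    if not hmac.compare_digest(password.encode("utf-8"), entry[0].encode("utf-8")):
        return None
    return user


def required_role(path: str) -> Optional[str]:
    """Role needed for a path, or None if the path is public."""
    for prefix, role in REQUIRED_ROLE.items():
        if path.startswith(prefix):
            return role
    return None


def handle(path: str, headers: Dict[str, str], hide_denial: bool = False) -> Tuple[int, Dict[str, str]]:
    """Decide the response for a request. Returns (status, response headers)."""
    role = required_role(path)
    if role is None:
        return 200, {}
    challenge = {"WWW-Authenticate": f'Basic realm="{REALM}", charset="UTF-8"'}
    user = authenticate(parse_basic(headers.get("Authorization")))
    if user is None:
        # Not authenticated: 401 plus a challenge invites the client to
        # (re)send credentials. This is what "Unauthorized" really means here.
        return 401, challenge
    if role in USERS[user][1]:
        return 200, {}
    if hide_denial:
        # The workaround described in the message: pretend the credentials
        # failed so the client gets a chance to try a different identity.
        return 401, challenge
    # Authenticated but not authorized: 403 and no challenge, because
    # retrying with the same identity cannot succeed.
    return 403, {}
```

Sending a 403 with no WWW-Authenticate header is the honest answer for an authorized-but-forbidden request; the `hide_denial` path shows the cost of the workaround, since a client can no longer tell a bad password from a missing privilege.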
