Re: WG Review: Recharter of Hypertext Transfer Protocol Bis (httpbis)

On 2012-02-22 07:49, Willy Tarreau wrote:
> On Wed, Feb 22, 2012 at 11:53:27AM +1300, Robert Collins wrote:
> (...)
>> OAuth certainly *thinks* it provides *both* Authentication *and*
>> Authorization, and it uses the same header that Basic and Digest do -
>> Authorization.
>
> I think that this simply shows a semantic mistake from the past, where
> authentication and authorization were a bit conflated. Look at the HTTP
> headers, you have the server send "www-authenticate", and the client
> responds with "authorization"! At least this is a point we should clarify
> in the next version, because I know too many people who consider that

We can clarify it in *this* version. Do you have a specific proposal for 
Part 7?

> authenticated == authorized. And this is also one reason for http-based
> auth not being *that* much deployed in the applications world since they
> have to pretend an authentication failure (401) to report a lack of
> authorization if/when they want to offer the client a chance to try other
> credentials.

<http://greenbytes.de/tech/webdav/draft-ietf-httpbis-p2-semantics-18.html#status.403>:

"7.4.4 403 Forbidden

The server understood the request, but refuses to authorize it. 
Providing different user authentication credentials might be successful, 
but any credentials that were provided in the request are insufficient. 
The request SHOULD NOT be repeated with the same credentials.

If the request method was not HEAD and the server wishes to make public 
why the request has not been fulfilled, it SHOULD describe the reason 
for the refusal in the representation. If the server does not wish to 
make this information available to the client, the status code 404 (Not 
Found) MAY be used instead."

What's wrong with this status code? As far as I can tell, what's missing 
is UI, not protocol elements.

Best regards, Julian

Received on Wednesday, 22 February 2012 08:38:47 UTC
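The 401/403 distinction discussed in this thread, as an added example that is not part of the original messages: a small Python decision function that answers 401 with WWW-Authenticate only when the request carries no usable credentials, 403 when the authenticated principal is simply not allowed (so other credentials might succeed), and 404 as the optional substitute for 403 when the server does not want to reveal the refusal. The user names, passwords, paths and realm are constructed for the example.

```python
import base64
from typing import Dict, Optional, Tuple

# Constructed sample data for this example only (not from the thread).
USERS = {"alice": "wonderland", "bob": "builder"}
ACL = {"/reports": {"alice"}, "/public": {"alice", "bob"}}
REALM = "example"  # constructed realm name


def basic_header(user: str, password: str) -> str:
    """Build a Basic credential as a client would send it."""
    token = base64.b64encode(f"{user}:{password}".encode("utf-8")).decode("ascii")
    return f"Basic {token}"


def authenticate(authorization: Optional[str]) -> Optional[str]:
    """Return the user name if the Authorization header carries valid Basic
    credentials; None when the header is absent, malformed, uses another
    scheme, or names an unknown user/password."""
    if not authorization:
        return None
    scheme, _, token = authorization.partition(" ")
    if scheme.lower() != "basic" or not token:
        return None
    try:
        decoded = base64.b64decode(token, validate=True).decode("utf-8")
    except (ValueError, UnicodeDecodeError):
        return None
    user, sep, password = decoded.partition(":")
    if not sep or USERS.get(user) != password:
        return None
    return user


def decide(path: str, authorization: Optional[str],
           hide_refusal: bool = False) -> Tuple[int, Dict[str, str]]:
    """Map authentication and authorization outcomes to HTTP status codes.

    401: who the client is could not be established -> challenge it.
    403: identity is established but not permitted -> different credentials
         might work; the same ones SHOULD NOT be retried (p2 7.4.4).
    404: the 403 case when the server chooses not to reveal the refusal.
    """
    user = authenticate(authorization)
    if user is None:
        return 401, {"WWW-Authenticate": f'Basic realm="{REALM}"'}
    if user in ACL.get(path, set()):
        return 200, {}
    return (404, {}) if hide_refusal else (403, {})
```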