Re: Accountability in AC4CSR from Ian Hickson on 2008-02-13 (public-appformats@w3.org from February 2008)

From: Ian Hickson <ian@hixie.ch>
Date: Wed, 13 Feb 2008 23:36:05 +0000 (UTC)
To: John Panzer <jpanzer@acm.org>
Cc: "WAF WG (public)" <public-appformats@w3.org>
Message-ID: <Pine.LNX.4.62.0802132328040.20115@hixie.dreamhostps.com>

On Wed, 13 Feb 2008, John Panzer wrote:
> 
> An API needs to do an authorization check on a CSR request, not an 
> authentication check.  For CSR especially, just doing an authn check 
> doesn't give you valid evidence of authorization.

Agreed.

> Some of today's APIs like Flickr put authorization evidence into URL 
> query parameters for CSR.  It's mildly bad to do this because such 
> things are more likely to get logged and sniffed than headers, and you 
> can't separate the resource URL from the authorization proof being 
> presented to use it, which would be useful in caching.

Also agreed. That's one of the reasons that XMLHttpRequest + Access 
Control together let you set arbitrary extension headers.

> The OAuth spec uses
> 
>    Authorization: OAuth ...
> 
> by preference for these reasons, where the ... represents an 
> authorization proof provided by the party A script. It looks like this 
> is disallowed by the AC4CSR specification.

Right, you'd have to use X-OAuth or something like that. "Authorization" 
headers are reserved for user and client authentication [sic], as 
described in HTTP 1.1 section 14.8.

> 1. Should OAuth invent a new header for authorization?  That is, should 
> we not be using Authorization: for authorization?

When it's direct A-B communication, and A is authenticating to B, then 
Authorization: is appropriate. When there are three parties, and the 
communication is from C to B on behalf of A, the Authorization: header is 
authenticating C, not A. A needs to use different headers in this case.

> 2. Should the spec wording ban only authentication uses of the 
> Authorization header (that is, Basic/Digest) and allow authorization 
> uses of Authorization (e.g., OAuth)?

It's not really about authentication vs authorization, but about who is 
being authenticated or authorized. We don't want to allow sites to perform 
authentication or authorization on the user's behalf.

-- 
Ian Hickson               U+1047E                )\._.,--....,'``.    fL
http://ln.hixie.ch/       U+263A                /,   _.. \   _\  ;`._ ,.
Things that are impossible just take longer.   `._.-(,_..'--(,_..'`-.;.'

Received on Wednesday, 13 February 2008 23:36:17 UTC