RE: Authentication realm from Eran Hammer-Lahav on 2009-12-07 (ietf-http-wg@w3.org from October to December 2009)

From: Eran Hammer-Lahav <eran@hueniverse.com>
Date: Mon, 7 Dec 2009 09:44:38 -0700
To: Julian Reschke <julian.reschke@gmx.de>
CC: "HTTP Working Group (ietf-http-wg@w3.org)" <ietf-http-wg@w3.org>
Message-ID: <90C41DD21FB7C64BB94121FBBC2E723437852939F5@P3PW5EX1MB01.EX1.SECURESERVER.NET>

> -----Original Message-----
> From: Julian Reschke [mailto:julian.reschke@gmx.de]
> Sent: Monday, December 07, 2009 3:15 AM
> To: Eran Hammer-Lahav
> Cc: HTTP Working Group (ietf-http-wg@w3.org)
> Subject: Re: Authentication realm
> 
> Eran Hammer-Lahav wrote:
> > RFC 2617 declares:
> >
> >    The realm directive (case-insensitive) is required for all
> >    authentication schemes that issue a challenge.
> >
> > But does not use normative REQUIRED. Also, the ABNF defines challenge
> as:
> 
> "required" is as normative as "REQUIRED". See
> <http://tools.ietf.org/html/bcp14>:
> 
> "These words are *often* capitalized.
> 
> (emphasis mine)

Ok.

> > As currently defined, realm doesn't fully cover the use cases of the
> proposed Token scheme (OAuth WG). We will need to either redefine it,
> supplement it, or replace it. Either way, we need to know what is dictated by
> the HTTP authentication framework.
> 
> Could you elaborate on that?

The main idea behind the Token scheme [1] is to support multiple classes of credentials. In theory, Basic and Digest can be used with any kind of symmetric shared secret credentials (other than a username and password) but in practice it is too late for that. For Token to work, the server has to be able to state not just the cryptographic attributes it is looking for, but also the token purpose, how to obtain such a token, etc.

It is not clear to me that in such an arrangement, there is value in partitioning resource access at the resource. Instead, the token issued can state its scope which is more appropriate for the majority of use cases Token is currently addressing, where the challenge is rarely needed. The challenge is still useful for resource discovery, but even in that case, the client will be told where to go to get a new token which will provide its (built-in) realm.

If this is too confusing, I'm sorry. I am still trying to figure out the right level of abstraction.

EHL

[1] http://tools.ietf.org/html/draft-hammer-http-token-auth

Received on Monday, 7 December 2009 16:44:59 UTC