passing on Proxy Authentication

Is there any reason why proxy-authorization can't be passed onto
selected *Web* servers? It occurred to me that this would be a nice way
to have a 'single login' in an Intranet situation; e.g., users use an
internal proxy, which they must authenticate for (for accounting/audit
purposes). Instead of re-typing a (possibly different) user/pass
combination to access protected internal resources, it would be nifty to
reuse the Proxy-Authorization: information.

Of course, this would have to be configured in the proxy, so the
credentials aren't forwarded to just any server. Something that would
allow specification of a single host, IP range or domain (but that's an
implementation issue).


14.34 Proxy-Authorization

The Proxy-Authorization request-header field allows the client to
identify itself (or its user) to a proxy which requires authentication.
The Proxy-Authorization field value consists of credentials containing
the authentication information of the user agent for the proxy and/or
realm of the resource being requested.

    Proxy-Authorization = "Proxy-Authorization" ":" credentials

The HTTP access authentication process is described in "HTTP
Authentication: Basic and Digest Access Authentication". Unlike
Authorization, the Proxy-Authorization header field applies only to the
next outbound proxy that demanded authentication using the
Proxy-Authenticate field. When multiple proxies are used in a chain, the
Proxy-Authorization header field is consumed by the first outbound proxy
that was expecting to receive credentials. A proxy MAY relay the
credentials from the client request to the next proxy if that is the
mechanism by which the proxies cooperatively authenticate a given
request.

[apologies if the formatting on this is weird; I'm an unwilling user of
Exchange]


Mark Nottingham
Internet Project Manager
Merrill Lynch - Melbourne, Australia

Received on Thursday, 10 September 1998 20:45:46 UTC
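
An added example, not part of the original message: one way a proxy could apply the per-destination allowlist the message proposes (single host, IP range or domain), re-sending the proxy credentials as Authorization only to listed servers and dropping them for every other destination. The host names, network range and function names are constructed for illustration, and the sketch assumes the proxy has already validated the credentials itself.

```python
import ipaddress

# Constructed allowlist (assumption, not from the message): one exact host,
# one domain suffix and one IP range that may receive the user's credentials.
ALLOWED_HOSTS = {"hr.intranet.example"}
ALLOWED_DOMAINS = (".corp.example",)      # leading dot: whole labels only
ALLOWED_NETS = [ipaddress.ip_network("10.20.0.0/16")]


def may_forward(host: str) -> bool:
    """Return True if `host` (no port) is on the credential allowlist."""
    host = host.strip().rstrip(".").lower()
    try:
        addr = ipaddress.ip_address(host.strip("[]"))
    except ValueError:
        addr = None
    if addr is not None:
        # IP literals are matched against ranges only, never against names.
        return any(addr in net for net in ALLOWED_NETS)
    return host in ALLOWED_HOSTS or any(host.endswith(d) for d in ALLOWED_DOMAINS)


def outbound_headers(target_host: str, headers: dict) -> dict:
    """Build the header set the proxy sends to the origin server.

    Proxy-Authorization is always consumed here and never relayed under
    that name. Its credentials are re-sent as Authorization only when the
    destination is allowlisted and the client sent no Authorization of
    its own.
    """
    out, creds = {}, None
    for name, value in headers.items():
        if name.lower() == "proxy-authorization":
            creds = value
        else:
            out[name] = value
    has_auth = any(n.lower() == "authorization" for n in out)
    if creds and not has_auth and may_forward(target_host):
        out["Authorization"] = creds
    return out


if __name__ == "__main__":
    # Constructed request: "dXNlcjpwYXNz" is base64 of "user:pass".
    req = {"Host": "wiki.corp.example", "Proxy-Authorization": "Basic dXNlcjpwYXNz"}
    print(outbound_headers("wiki.corp.example", req))
    print(outbound_headers("www.example.org", req))
```

The decision here is made on the requested name; a stricter proxy would also check the address it actually connects to against the same ranges, so that a listed name resolving outside the intranet does not receive the credentials.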