- From: Roy T. Fielding <fielding@kiwi.ICS.UCI.EDU>
- Date: Thu, 18 Nov 1999 18:48:50 -0800
- To: "Josh Cohen (Exchange)" <joshco@exchange.microsoft.com>
- Cc: http-wg@hplb.hpl.hp.com
>If you have two chained proxy servers:
>
>client -> proxy1 -> proxy2 -> origin server
>
>If proxy 2 challenges for proxy-authentication (in its realm),
>should the challenge go back to the client if proxy1 doesn't intend
>to satisfy the challenge?
>
>My understanding was that the intent was that this situation was
>to be covered. By this I mean a client can auth to a proxy up the chain.
>The spec is somewhat ambiguous, it says the proxy-auth headers are
>hop-by-hop, but then mentions that chained proxy-auth can work.

Specifically, RFC 2616 says:

   The HTTP access authentication process is described in "HTTP
   Authentication: Basic and Digest Access Authentication" [43]. Unlike
   WWW-Authenticate, the Proxy-Authenticate header field applies only to
   the current connection and SHOULD NOT be passed on to downstream
   clients. However, an intermediate proxy might need to obtain its own
   credentials by requesting them from the downstream client, which in
   some circumstances will appear as if the proxy is forwarding the
   Proxy-Authenticate header field.

   ...

   The HTTP access authentication process is described in "HTTP
   Authentication: Basic and Digest Access Authentication" [43]. Unlike
   Authorization, the Proxy-Authorization header field applies only to
   the next outbound proxy that demanded authentication using the
   Proxy-Authenticate field. When multiple proxies are used in a chain,
   the Proxy-Authorization header field is consumed by the first
   outbound proxy that was expecting to receive credentials. A proxy MAY
   relay the credentials from the client request to the next proxy if
   that is the mechanism by which the proxies cooperatively authenticate
   a given request.

I don't see anything ambiguous about that. Proxy authentication appears
to be chained if the credentials are chained, but that is no different
than saying it is hop-by-hop. Being hop-by-hop does not imply that the
proxy cannot clue one side of the hop based on the other side's info.

The reason it is specified this way has been discussed many times before.

....Roy
Received on Thursday, 18 November 1999 18:52:01 UTC
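
The following toy model is an added illustration, not part of the original message and not code from any real proxy. It walks the client -> proxy1 -> proxy2 -> origin chain through the RFC 2616 rules quoted above. The `Proxy` class, the `cooperative` flag, the `X-Seen-By-Origin` header, the 502 returned by a non-cooperating proxy and the credential value are all assumptions made for the example.

```python
# Toy model of hop-by-hop proxy authentication (constructed example).
HOP = "Proxy-Authorization"
CRED = "Basic dXNlcjpwYXNz"  # constructed sample value ("user:pass")

class Proxy:
    def __init__(self, name, realm=None, accepted=None, cooperative=False):
        self.name = name
        self.realm = realm              # realm this proxy itself demands, if any
        self.accepted = accepted        # credential value it accepts
        self.cooperative = cooperative  # relay credentials/challenges across this hop

    def handle(self, headers, upstream):
        cred = headers.get(HOP)
        # Hop-by-hop default: the header is never forwarded as-is.
        out = {k: v for k, v in headers.items() if k != HOP}
        if self.realm is not None:
            if cred != self.accepted:
                return 407, {"Proxy-Authenticate": f'Basic realm="{self.realm}"'}
            # Credentials are consumed here; `out` no longer carries them.
        elif self.cooperative and cred is not None:
            out[HOP] = cred  # MAY relay: this proxy expected none for itself
        status, resp = upstream(out)
        if status == 407:
            if self.cooperative:
                # This proxy asks its own client for the credentials it needs
                # upstream, which looks like forwarding the challenge.
                return 407, {"Proxy-Authenticate": resp["Proxy-Authenticate"]}
            return 502, {}  # model assumption: challenge is not passed downstream
        return status, {k: v for k, v in resp.items() if k != "Proxy-Authenticate"}

def origin(headers):
    # Hypothetical origin that reports which request headers reached it.
    return 200, {"X-Seen-By-Origin": ",".join(sorted(headers))}

def chain(proxy1, proxy2, headers):
    return proxy1.handle(headers, lambda h: proxy2.handle(h, origin))

if __name__ == "__main__":
    p2 = Proxy("proxy2", realm="upstream", accepted=CRED)
    for p1 in (Proxy("proxy1", cooperative=True), Proxy("proxy1")):
        print(p1.cooperative, chain(p1, p2, {"Host": "example.org"}),
              chain(p1, p2, {"Host": "example.org", HOP: CRED}))
```

In both configurations the origin server never receives `Proxy-Authorization`: the credentials stop at the proxy that demanded them, which is the property to check when auditing a proxy chain for credential leakage.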