Re: [OAUTH-WG] OAuth and HTTP caching

On 22/09/2009, at 7:56 AM, John Panzer wrote:

> On the server side, one of the concerns in the past has been  
> security in shared hosting systems where e.g., basic auth data  
> should be handled by a secure container (Apache) and not passed on  
> in raw form to hosted CGI scripts.  So some of this comes back to  
> what minimum level of hosting should be targeted by the  
> specification -- and how much it should bend over backwards to deal  
> with "challenged" environments.

That's a good discussion to have.

> My $.02 is that we should follow the HTTP spec (Authorization: and  
> WWW-Authenticate:) and take a minimum distance path to route around  
> limited environments if necessary (X-Authorization: and X-WWW- 
> Authenticate:, with exactly the same content, would be my proposal).

Ugh. By allowing other resources on the same server to see  
authentication credentials, wouldn't that just re-open these attacks?


>
> --
> John Panzer / Google
> jpanzer@google.com / abstractioneer.org / @jpanzer
>
>
>
> On Mon, Sep 21, 2009 at 2:15 PM, Eran Hammer-Lahav <eran@hueniverse.com 
> > wrote:
> As currently written, OAuth use of the HTTP authentication headers  
> is optional at best.
>
> The reason for that was based on concerns that some platforms do not  
> provide access to the HTTP header in either the request or the  
> reply. However, this might have significant ramifications on caching  
> and other parts of HTTP where an indication of an authenticate  
> interaction is needed.
>
> Before the OAuth WG spends any time on discussing the various  
> methods of sending authentication parameters, I would like to find  
> out if using the authentication headers is more of a requirement for  
> such a protocol.
>
> EHL
> _______________________________________________
> OAuth mailing list
> OAuth@ietf.org
> https://www.ietf.org/mailman/listinfo/oauth
>


--
Mark Nottingham     http://www.mnot.net/

Received on Tuesday, 22 September 2009 07:57:24 UTC