- From: Roy T. Fielding <fielding@gbiv.com>
- Date: Tue, 22 Sep 2009 10:47:58 -0700
- To: Eran Hammer-Lahav <eran@hueniverse.com>
- Cc: John Panzer <jpanzer@google.com>, "oauth@ietf.org" <oauth@ietf.org>, "ietf-http-wg@w3.org Group" <ietf-http-wg@w3.org>

On Sep 22, 2009, at 10:24 AM, Eran Hammer-Lahav wrote:

>> -----Original Message-----
>> From: Roy T. Fielding [mailto:fielding@gbiv.com]
>> Sent: Tuesday, September 22, 2009 10:09 AM
>
>> Just follow the HTTP spec.
>
> That what I am trying to figure out...
>
> Does the HTTP spec mandates that new authentication protocols use
> the WWW-Authenticate and Authorization headers?

HTTP is not aware of any other kinds of authentication.
There is no reason to specify anything else.

> Are the headers required for existing caches and servers to operate
> properly?

Yes (and for user agents as well). Don't forget about Proxy-Auth*.

> If they are not included in authenticated requests, are there other
> requirements to make sure it doesn't break existing deployment?

Cache-control: private is probably needed if the Auth headers
are not being used but the response depends on something like
cookies for authentication.

....Roy

Received on Tuesday, 22 September 2009 17:48:37 UTC
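
The caching point in the reply above, as an added example that is not part of the original message: a simplified Python model of how a shared cache decides whether it may store a response, showing why a cookie-authenticated response needs `Cache-Control: private`. The function names and sample headers are constructed for illustration, and the model assumes a GET response that is otherwise cacheable.

```python
# Added example: simplified model of a shared (proxy) cache's storage decision.
# Assumption: the response is a cacheable GET response; only the
# authentication-related rules are modelled here.

def parse_cache_control(value):
    """Return the set of lower-cased directive names in a Cache-Control value."""
    directives = set()
    for part in (value or "").split(","):
        name = part.strip().split("=", 1)[0].strip().lower()
        if name:
            directives.add(name)
    return directives


def get_header(headers, name):
    """Case-insensitive header lookup; returns None when absent."""
    for key, value in headers.items():
        if key.lower() == name.lower():
            return value
    return None


def shared_cache_may_store(request_headers, response_headers):
    """True if a shared cache may store and reuse this response."""
    cc = parse_cache_control(get_header(response_headers, "Cache-Control"))
    if "private" in cc or "no-store" in cc:
        return False
    if get_header(request_headers, "Authorization") is not None:
        # The cache can see the request was authenticated, so it only
        # stores the response when the origin explicitly allows sharing.
        return bool(cc & {"public", "must-revalidate", "s-maxage"})
    # No Authorization header: a cookie is opaque to the cache, so nothing
    # tells it the response is per-user unless the origin says "private".
    return True


def demo():
    """Constructed sample exchanges: (label, may a shared cache store it?)."""
    auth = {"Authorization": "Basic ZXhhbXBsZTpleGFtcGxl"}   # constructed value
    cookie = {"Cookie": "session=constructed-example"}        # constructed value
    return [
        ("Authorization, max-age only",
         shared_cache_may_store(auth, {"Cache-Control": "max-age=60"})),
        ("Authorization, public",
         shared_cache_may_store(auth, {"Cache-Control": "public, max-age=60"})),
        ("Cookie auth, max-age only",
         shared_cache_may_store(cookie, {"Cache-Control": "max-age=60"})),
        ("Cookie auth, private",
         shared_cache_may_store(cookie, {"cache-control": "private, max-age=60"})),
    ]
```

The third case is the one the reply warns about: without the `Authorization` header the cache treats the response as shareable, and only the explicit `private` directive in the fourth case prevents that.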