Re: Authorization with WWW-Authenticate (bis) from Thomas Broyer on 2009-10-24 (ietf-http-wg@w3.org from October to December 2009)

From: Thomas Broyer <t.broyer@gmail.com>
Date: Sat, 24 Oct 2009 16:33:52 +0200
To: Sylvain Hellegouarch <sh@defuze.org>
Cc: ietf-http-wg@w3.org
Message-ID: <a9699fd20910240733r1f7128a0l485a8803a7a0ef9f@mail.gmail.com>

On Sat, Oct 24, 2009 at 3:17 PM, Sylvain Hellegouarch wrote:
> Thomas Broyer a écrit :
>>
>> Help me advancing and finishing "HTTP Cookie Auth" ;-)
>> http://tools.ietf.org/html/draft-broyer-http-cookie-auth
>> http://hg.ltgt.net/http-cookie-auth/
>
> Hi Thomas,
>
> This is indeed a good starting point. I went through your proposal and I'm a
> bit unclear about the actual end-to-end workflow performed by the UA. I'm
> not sure to understand how the different directives would be applied.

Think of how HTML form and cookie-based auth is done today. Now:
 1. replace any "redirect to login form" with either a 3xx
"Unauthorized, See Other" (to be defined, in preparation for the -01
draft, would need a <meta>-refresh for backwards compat though) or,
better, a 401 with the HTML form (some form-based auth already use 200
with no-cache).
 2. serve the HTML login page with a 401 and a WWW-Authentication:
Cookie. The only required field is the realm (per RFC 2617), fields
about the cookie(s) are RECOMMENDED, and fields about the form (-01
will add two fields to make "machine driven" auth easier, without
having to parse the response body, which might not even be HTML with a
form) are OPTIONAL (because http-cookie-auth doesn't even require that
there is a "form" to be submitted; the cookie could be set by any
mean, including some JS or Flash or ... included in the 401 response).
 3. there's no Authorization request header entering into play, the
Cookie header is enough to convey credentials (which means
authenticated responses should be sent with the appropriate Vary:
Cookie and Cache-Control: private headers).

http-cookie-auth is totally backwards compatible (except unfortunately
with Opera pre-10.0, as Opera will then display an error page about
the auth scheme not being supported); and should require only very
minimal changes to any existing cookie-based auth (including SSOs).
I'm successfully using a similar, custom, auth scheme in an enterprise
app; which I plan to migrate to http-cookie-auth when it will be
"stable" enough.

And now let's continue this discussion in private (and in French ;-) )
or on ietf-http-auth@osafoundation.org ;-)

-- 
Thomas Broyer
/tɔ.ma.bʁwa.je/

Received on Saturday, 24 October 2009 14:34:26 UTC