- From: Julian Reschke <julian.reschke@gmx.de>
- Date: Tue, 26 Jul 2011 22:05:00 +0200
- To: Mark Nottingham <mnot@mnot.net>
- CC: HTTP Working Group <ietf-http-wg@w3.org>
On 2011-07-24 20:06, Mark Nottingham wrote:
> <http://trac.tools.ietf.org/wg/httpbis/trac/ticket/78>
>
> Proposal:
>
> 1) Clarify that WWW-Authenticate can appear on any response, and that when it appears on any other than a 401, it means that the client can optionally present the request again with a credential.
>
> and,
>
> 2) Clarify that an Authentication scheme that uses WWW-Authenticate and/or 401 MUST use the Authorization header in the request, because of its implications for caching. Schemes MAY specify additional headers to be used alongside it.
>
> --
> Mark Nottingham http://www.mnot.net/
OK, proposed patch:
<http://trac.tools.ietf.org/wg/httpbis/trac/attachment/ticket/78/78.diff>
This adds the following point to the Considerations for new schemes:
o The credentials carried in an Authorization header field are
specific to the User Agent, and therefore have the same effect on
HTTP caches as the "private" Cache-Control response directive,
within the scope of the request they appear in.
Therefore, new authentication schemes which choose not to carry
credentials in the Authorization header (e.g., using a newly
defined header) will need to explicitly disallow caching, by
mandating the use of either Cache-Control request directives
(e.g., "no-store") or response directives (e.g., "private").
And updates the description of WWW-A to:
4.4. WWW-Authenticate
The "WWW-Authenticate" header field consists of at least one
challenge that indicates the authentication scheme(s) and parameters
applicable to the effective request URI (Section 4.3 of [Part1]).
It MUST be included in 401 (Unauthorized) response messages and MAY
be included in other response messages to indicate that supplying
credentials (or different credentials) might affect the response.
WWW-Authenticate = 1#challenge
User agents are advised to take special care in parsing the WWW-Authenticate
field value as it might contain more than one challenge, or if more than one
WWW-Authenticate header field is provided, the contents of a challenge itself
can contain a comma-separated list of authentication parameters.
Best regards, Julian
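To make the caching consideration in the proposed patch concrete, here is an added example (not part of the thread or the draft) modelling a shared cache's storability decision. It treats an Authorization request header like a "private" response directive, with the explicit opt-ins a shared cache may honour (public, must-revalidate, s-maxage, per the later RFC 7234 rule), and contrasts it with a hypothetical scheme that carries credentials in its own "X-Example-Auth" header. The header name and the request/response pairs are constructed for the demonstration; header dictionaries are assumed to use lowercase keys.

```python
"""Shared-cache storability check for credential-carrying requests."""

# Response directives that let a shared cache store a response even though
# the request carried an Authorization header (RFC 7234 section 3.2).
_SHARED_OPT_IN = {"public", "must-revalidate", "s-maxage"}


def _cc_directives(value):
    """Return the lowercase directive names in a Cache-Control field value.
    Arguments (e.g. the 60 in max-age=60) are ignored; only names matter here."""
    names = set()
    for part in value.split(","):
        name = part.strip().split("=", 1)[0].strip().lower()
        if name:
            names.add(name)
    return names


def shared_cache_may_store(request_headers, response_headers):
    """Return True if a *shared* cache may store this exchange.

    Rules modelled:
      * Cache-Control: no-store on either side forbids storage.
      * Cache-Control: private on the response forbids shared storage.
      * An Authorization request header has the same effect as "private"
        unless the response opts back in with one of _SHARED_OPT_IN.
    Credentials carried in any other header are invisible to this logic,
    which is exactly why the draft asks such schemes to mandate Cache-Control.
    """
    req_cc = _cc_directives(request_headers.get("cache-control", ""))
    resp_cc = _cc_directives(response_headers.get("cache-control", ""))
    if "no-store" in req_cc or "no-store" in resp_cc:
        return False
    if "private" in resp_cc:
        return False
    if "authorization" in request_headers and not (resp_cc & _SHARED_OPT_IN):
        return False
    return True


def demo_scenarios():
    """Constructed exchanges (not real traffic). 'x-example-auth' is a
    hypothetical scheme-specific credential header, not one the draft defines."""
    cases = {
        # Standard scheme: credentials in Authorization, response says nothing.
        "authorization_header": (
            {"authorization": "Basic dXNlcjpwYXNz"},
            {"content-type": "text/plain"},
        ),
        # Custom header carries the credential; server sent no Cache-Control.
        # A shared cache would store and serve this user-specific response.
        "custom_header_no_cc": (
            {"x-example-auth": "token-abc"},
            {"content-type": "text/plain"},
        ),
        # Custom header, but the response follows the consideration: private.
        "custom_header_private": (
            {"x-example-auth": "token-abc"},
            {"cache-control": "private"},
        ),
        # Custom header, request mandates no-store as the text also allows.
        "custom_header_no_store_req": (
            {"x-example-auth": "token-abc", "cache-control": "no-store"},
            {},
        ),
    }
    return {name: shared_cache_may_store(req, resp)
            for name, (req, resp) in cases.items()}


if __name__ == "__main__":
    for name, storable in demo_scenarios().items():
        print("%-28s shared cache may store: %s" % (name, storable))
```

The "custom_header_no_cc" case is the one the new consideration exists to prevent: the cache has no way to know the request was authenticated, so only an explicit directive from the scheme's specification keeps the response out of shared caches.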
Received on Tuesday, 26 July 2011 20:05:32 UTC
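The parsing warning in the revised WWW-Authenticate text (several challenges in one field value, several field values, and comma-separated parameters inside a single challenge) is where implementations go wrong, so here is an added example of a parser that handles all three; it is not code from the thread or from any HTTP implementation. It follows the ABNF of the draft (challenge = scheme followed by either a token68 or a #auth-param list), treats a bare word after the scheme as token68 when no "=" follows it, and accepts a list of field values so that multiple header fields are handled the same way as one combined value. The sample field values are constructed.

```python
"""Parser for WWW-Authenticate field values (added example)."""
import re

# Lexer: quoted-string, token (token68 characters included), "=" runs, ",".
# Whitespace between items (BWS/OWS) is matched and dropped.
_LEX_RE = re.compile(
    r'"((?:[^"\\]|\\.)*)"'                    # group 1: quoted-string
    r"|([A-Za-z0-9!#$%&'*+\-.^_`|~/]+)"        # group 2: token / token68 body
    r"|(=+)"                                   # group 3: "=" or token68 padding
    r"|(,)"                                    # group 4: list separator
    r"|[ \t]+"
)


def _lex(value):
    """Turn a field value into (kind, text) items; quoted strings are unescaped."""
    toks, pos = [], 0
    while pos < len(value):
        m = _LEX_RE.match(value, pos)
        if not m:
            raise ValueError("unexpected character at offset %d" % pos)
        pos = m.end()
        if m.group(1) is not None:
            toks.append(("q", re.sub(r"\\(.)", r"\1", m.group(1))))
        elif m.group(2) is not None:
            toks.append(("t", m.group(2)))
        elif m.group(3) is not None:
            toks.append(("eq", m.group(3)))
        elif m.group(4) is not None:
            toks.append(("comma", ","))
    return toks


def _is_param_start(toks, i):
    """True if toks[i:] begins with  token "=" (token / quoted-string)."""
    return (i + 2 < len(toks) and toks[i][0] == "t"
            and toks[i + 1] == ("eq", "=") and toks[i + 2][0] in ("t", "q"))


def parse_www_authenticate(field_values):
    """Parse one or more WWW-Authenticate field values into challenge dicts:
    {"scheme": str, "token68": str or None, "params": [(name, value), ...]}.
    Parameter names are lowercased; the scheme name is returned as sent."""
    challenges = []
    for value in field_values:
        toks, i, n = _lex(value), 0, len(_lex(value))
        while i < n:
            if toks[i][0] == "comma":       # empty list element, allowed by #rule
                i += 1
                continue
            if toks[i][0] != "t":
                raise ValueError("expected auth-scheme, got %r" % (toks[i],))
            scheme, i = toks[i][1], i + 1
            params, token68 = [], None
            if i < n and toks[i][0] == "t" and not _is_param_start(toks, i):
                token68, i = toks[i][1], i + 1          # bare blob, e.g. Negotiate
                if i < n and toks[i][0] == "eq":        # base64 padding "=" / "=="
                    token68, i = token68 + toks[i][1], i + 1
            else:
                while _is_param_start(toks, i):
                    params.append((toks[i][1].lower(), toks[i + 2][1]))
                    i += 3
                    # A comma may introduce another param or the next challenge;
                    # only consume it here if a param follows.
                    if i < n and toks[i][0] == "comma" and _is_param_start(toks, i + 1):
                        i += 1
                    else:
                        break
            challenges.append({"scheme": scheme, "token68": token68, "params": params})
            if i < n:
                if toks[i][0] != "comma":
                    raise ValueError("expected ',' after challenge, got %r" % (toks[i],))
                i += 1
    return challenges


if __name__ == "__main__":
    # Constructed sample: two challenges in one field, a comma inside a
    # quoted parameter value, and a second header field with a token68.
    sample = ['Basic realm="api", Digest realm="api", qop="auth,auth-int", nonce="n1"',
              'Negotiate YIIBkgYGKwYBBQUCoIIB==']
    for c in parse_www_authenticate(sample):
        print(c)
```

The ambiguity the draft text warns about is visible in the control flow: after a parameter, a comma is only consumed as a parameter separator when a `token=value` follows; otherwise the comma ends the challenge and the next token is read as a new scheme. A client that instead splits on every comma would turn `qop="auth,auth-int"` or `Bearer realm="b", error="invalid_token"` into bogus challenges.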