Re: #78: Relationship between 401, Authorization and WWW-Authenticate from Adrien de Croy on 2011-07-26 (ietf-http-wg@w3.org from July to September 2011)

From: Adrien de Croy <adrien@qbik.com>
Date: Wed, 27 Jul 2011 08:11:02 +1200
To: Julian Reschke <julian.reschke@gmx.de>
CC: Yutaka OIWA <y.oiwa@aist.go.jp>, Mark Nottingham <mnot@mnot.net>, HTTP Working Group <ietf-http-wg@w3.org>
Message-ID: <4E2F1F56.1080804@qbik.com>

apologies, but I'm still not convinced overloading a new function onto 
WWW-Authenticate is the best way to advertise the availability of 
optional authentication.

It creates an immediate dilemma for any UA that receives such a message.

What are the options for the UA, and how will they affect user experience?

If the UA always elects to proceed to auth, then it's the same as 
sending back a 401
if the UA tries to give the choice to the user, that's (IMO) asking for pain
otherwise the UA can ignore it, and it's just more bloat.

Also I just see it breaking a whole heap of agents who switch behaviour 
on the presence of that header (rather than the status).

Finally, we see UAs starting auth without this header in the first 
place.  So does this really need advertising anyway?

If this is to be new behaviour, shouldn't we use a new header or status? 
That way we can keep it out of the way.

On 27/07/2011 7:55 a.m., Julian Reschke wrote:
> On 2011-07-26 15:47, Yutaka OIWA wrote:
>> On 2011/07/26 22:28, Yutaka OIWA wrote:
>>
>>> And if this change text intends to introduce any opportunity
>>> for optional authentication to HTTP at this time,
>>> I think we need more detailed restrictions to make it really work.
>>> If the intention is just to clarify header meanings and
>>> leave the rest for future work, it is OK for me.
>>
>> just FYI, the following is the list of required additional rules
>> to make optional auth work.
>>
>> (1) The response for successful authentication MUST NOT contain
>>      any WWW-Authenticate: header.
>
> Not sure about that.
>
> If we allow WWW-A on a non-authenticated 200 response, why not also on 
> an authenticated one?
>
>> (2) The response for failed authentication is RECOMMENDED to be
>>      401 status, even if a request for the same URL and method without
>>      Authorization: header will result in 200 status with 
>> WWW-Authenticate:
>>      header.
>
> I agree with this one, but, as Mark said, let's leave that to future 
> work.
>
> > ...
>
> Best regards, Julian
>

-- 
Adrien de Croy - WinGate Proxy Server - http://www.wingate.com

Received on Tuesday, 26 July 2011 20:11:29 UTC