- From: Amos Jeffries <squid3@treenet.co.nz>
- Date: Wed, 20 Jun 2012 15:08:18 +1200
- To: <ietf-http-wg@w3.org>
On 20.06.2012 14:04, Mark Nottingham wrote: > Looking at this, I think this language in the spec isn't very good > for other reasons as well: > >> If the origin server does not wish to accept the credentials sent >> with a request, it should return a 401 (Unauthorized) response. The >> responsemust include a WWW-Authenticate header field containing at >> least one (possibly new) challenge applicable to the requested >> resource. >> >> If a proxy does not accept the credentials sent with a request, it >> should return a 407 (Proxy Authentication Required) response. The >> responsemust include a Proxy-Authenticate header field containing a >> (possibly new) challenge applicable to the proxy for the requested >> resource. > > > Because "accept" can be read in so many ways. I think we can fix both > problems with something like: > > """ > Requests for protected resources that omit credentials, contain > invalid credentials (e.g., a bad password), or partial credentials > (e.g., when the scheme requires more than one round trip) SHOULD > return a 401 (Unauthorized) response. Such responses MUST include a > WWW-Authenticate header field containing at least one (possibly new) > challenge applicable to the requested resource. > > Likewise, requests that require authentication by proxies that omit > credentials, or contain invalid or partial credentials SHOULD return > a > 407 (Proxy Authentication Required) response. The response MUST > include a Proxy-Authenticate header field containing a (possibly new) > challenge applicable to the proxy. > """ > > Thoughts? > second paragraph: s/The response MUST/ Such responses MUST/ is a bit clearer that its the 407 which "MUST", not any other status which may happen. There is also no mention in any of the auth draft about 403 responses being used to terminate authentication attempts or cycles regardless of credentials validity or presence. Something informational in this section would be very useful to clarify that 403 is one of the authentication-related states, for use in halting loops or making N-tries limitations. AYJ
Received on Wednesday, 20 June 2012 03:08:46 UTC