- From: Willy Tarreau <w@1wt.eu>
- Date: Wed, 22 Feb 2012 07:49:14 +0100
- To: Robert Collins <robertc@squid-cache.org>
- Cc: Barry Leiba <barryleiba@computer.org>, Stephen Farrell <stephen.farrell@cs.tcd.ie>, "ietf-http-wg@w3.org" <ietf-http-wg@w3.org>
On Wed, Feb 22, 2012 at 11:53:27AM +1300, Robert Collins wrote:

(...)

> OAuth certainly *thinks* it provides *both* Authentication *and*
> Authorization, and it uses the same header that Basic and Digest do -
> Authorization.

I think that this simply shows a semantic mistake from the past, where authentication and authorization were a bit conflated. Look at the HTTP headers: the server sends "www-authenticate", and the client responds with "authorization"!

At least this is a point we should clarify in the next version, because I know too many people who consider that authenticated == authorized. And this is also one reason for HTTP-based auth not being *that* much deployed in the applications world, since they have to pretend an authentication failure (401) to report a lack of authorization if/when they want to offer the client a chance to try other credentials.

Regards,
Willy
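The distinction the message draws, shown as an added example that is not part of the thread: a server-side check that answers 401 plus a WWW-Authenticate challenge only when authentication itself fails, and 403 without a challenge when the caller is authenticated but lacks the required role. The user table, realm name and role names are constructed for the illustration.

```python
import base64
import hmac

# Constructed sample user table: username -> (password, set of roles).
# Plain-text passwords are used only to keep the example self-contained.
USERS = {"alice": ("correct horse", {"admin"}), "bob": ("hunter2", {"reader"})}


def basic_header(user, password):
    """Build the client-side Authorization value for the Basic scheme."""
    token = base64.b64encode(f"{user}:{password}".encode("utf-8")).decode("ascii")
    return f"Basic {token}"


def parse_basic(authorization):
    """Return (user, password) from a Basic credential, or None if absent or malformed."""
    if not authorization:
        return None
    scheme, _, param = authorization.partition(" ")
    if scheme.lower() != "basic" or not param.strip():
        return None
    try:
        decoded = base64.b64decode(param.strip(), validate=True).decode("utf-8")
    except (ValueError, UnicodeDecodeError):  # binascii.Error is a ValueError
        return None
    user, sep, password = decoded.partition(":")
    return (user, password) if sep else None


def authorize(headers, required_role, realm="example"):
    """Classify a request as (status, extra response headers).

    401 + WWW-Authenticate: no usable credentials, or they did not verify,
                            so the client may sensibly retry with other credentials.
    403, no challenge:      authenticated, but the role check failed; retrying
                            credentials will not help, so no challenge is sent.
    200:                    authenticated and authorized.
    """
    challenge = {"WWW-Authenticate": f'Basic realm="{realm}"'}
    creds = parse_basic(headers.get("Authorization"))
    if creds is None:
        return 401, challenge
    user, password = creds
    record = USERS.get(user)
    # Constant-time comparison; a missing user still takes the 401 path.
    if record is None or not hmac.compare_digest(record[0].encode(), password.encode()):
        return 401, challenge
    if required_role not in record[1]:
        return 403, {}
    return 200, {}
```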
Received on Wednesday, 22 February 2012 06:49:51 UTC