W3C home > Mailing lists > Public > ietf-http-wg@w3.org > July to September 2013

Re: Authentication over HTTP

From: Amos Jeffries <squid3@treenet.co.nz>
Date: Wed, 17 Jul 2013 18:50:18 +1200
Message-ID: <51E63EAA.8050606@treenet.co.nz>
To: ietf-http-wg@w3.org
On 17/07/2013 6:33 p.m., David Morris wrote:
>
> On Wed, 17 Jul 2013, Amos Jeffries wrote:
>
>> On 17/07/2013 5:34 a.m., Nico Williams wrote:
>>> On Tue, Jul 16, 2013 at 7:54 AM, Amos Jeffries wrote:
>>>> *Every single claim* that HTTP-auth is broken and needs re-designing seems
>>>> to me to be based on the flawed assumption that HTTP-auth is not
>>>> extensible
>>>> and that the common existing schemes are the only ones HTTP permits. Or
>>>> that
>>>> somehow a user authenticating with N different and fragile mechanisms for
>>>> one transaction is a good thing (I rather disagree, the UX on that would
>>>> be
>>>> tricky and implementation nightmares).
>>> That's either a strawman or you misunderstood the arguments against
>>> doing authentication in HTTP.  It's not that "HTTP auth is broken",
>>> but that HTTP is the *wrong layer* -- that's not because HTTP or HTTP
>>> auth is broken, but because properties of the stack of protocols
>>> spoken make HTTP auth a problematic proposition.
>>>
>>> BTW, I've not see any arguments about N different mechanisms (fragile
>>> or not) being a problem.
>> Maybe I have been misunderstanding some of them. But the auth proposals I've
>> seen in the last few years all seem to fall into three brackets with regards
>> to their claims about HTTP:
>>
>> 1) "HTTP auth is broken". Aka "do it all in payload entities and have HTTP
>> endpoints interpret those" ... well so what? payload format is not HTTP. Good
>> luck but go away and do it at a different layer.
>>
>> 2) "HTTP auth is broken". Aka the headers dont let me login user X to proxy A
>> and proxy B at the same time, in the same chain, with different credentials
>> all controlled by user X ... seem to be making a few wrong assumptions about
>> how HTTP works there. Go away and do (1) instead the user-application ha sa
>> lot more control over end-to-end pathways in application layer.
>>
>> 3) "HTTP auth is broken". Aka its missing a scheme to do mechanism Z ... and
>> we do see these followed by specs to do Z in HTTP. But none of them are
>> exactly replacing the existing HTTP mechanism design, just extending it as it
>> was intended to be extended.
>>
>> What am I missing?
> How about the user experience sucks because the authentication doesn't fit
> into the style/face of the application and doesn't provide sufficient user
> context for the prompts generated by the auth mechanicanism so the
> application owners design and implement their own approach?

  HTTP provides key=value parameters on the mechanism headers for that 
kind of thing. What can't be expresed as such comes under #1, 
application layer problem. For example, how in heck is HTTP or any 
protocol going to enforce "thou shalt have no password longer than S 
characters long" when the protocol never sees the password at all? or 
similar *GUI* restrictions.

>   Oh, and no
> logout mechanism to cancel browser caching of credentials?

In the stateless HTTP "login" is done by delivering credentials or 
requesting them. But how *do* you "logout" in a stateless protocol? 
Nobody (self included) has produced anything like a good proposal spec 
for resolving that problem AFAIS.

Amos
Received on Wednesday, 17 July 2013 06:50:47 UTC

This archive was generated by hypermail 2.4.0 : Friday, 17 January 2020 17:14:14 UTC