- From: mike amundsen <mamund@yahoo.com>
- Date: Sun, 11 Aug 2013 01:57:31 -0400
- To: Jan Algermissen <jan.algermissen@nordsc.com>
- Cc: "ietf-http-wg@w3.org" <ietf-http-wg@w3.org>
- Message-ID: <CAPW_8m5GQJ-wcb=_8W7016HghrLu+9xEiNhHd47JZEUkV88VpA@mail.gmail.com>

Why not just use the www-authenticate header to start a new session after the credentials have expired?

mamund
+1.859.757.1449
skype: mca.amundsen
http://amundsen.com/blog/
http://twitter.com/mamund
https://github.com/mamund
http://www.linkedin.com/in/mikeamundsen

On Sun, Aug 11, 2013 at 1:46 AM, Jan Algermissen <jan.algermissen@nordsc.com> wrote:

> Hi,
>
> before I dive deeper into this, I am interested in immediate reactions
> from this group.
>
> I am working on token based access control and have the following use case
> as part of an experimental protocol I am working on:
>
> A client is given an access token with a certain live time. The client
> does not know the expiration time, but when it requests a protected
> resource with an expired token the server should tell the client in the
> response. This would trigger the client to refresh the access token.
>
> I could do this with an error_code="token-expired" parameter in a 401 but
> thinking about this, I would find sth like
>
> 4xx Credentials Expired
>
> a much better fit because the status code is AFAIU more suitable when an
> automatic action by the client is desired. The semantic is also not tied to
> the protocol I have in mind, but rather generic.
>
> I'd be interested in the resonance such a proposal would provoke. If it is
> not entirely negative I'd go ahead and draft such a new code.
>
> Jan
>

Received on Sunday, 11 August 2013 05:58:19 UTC
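
An added example, not part of the original thread: a client-side sketch of the 401 variant discussed above, where the expiry signal travels as an `error_code="token-expired"` parameter in the `WWW-Authenticate` challenge. The scheme name `ExampleToken`, the function names and the action strings are assumptions for illustration, and the parser assumes a single challenge per header value.

```python
import re

# auth-param = token "=" ( token / quoted-string ), as in the HTTP challenge grammar
_PARAM = re.compile(
    r'([A-Za-z0-9!#$%&\'*+.^_`|~-]+)\s*=\s*(?:"((?:[^"\\]|\\.)*)"|([^\s,"]+))'
)


def parse_challenge(header_value):
    """Split one WWW-Authenticate challenge into (scheme, params).

    Parameter names are case-insensitive, so they are lowercased.
    Quoted-string values have their backslash escapes removed.
    """
    scheme, _, rest = header_value.strip().partition(" ")
    params = {}
    for m in _PARAM.finditer(rest):
        quoted, bare = m.group(2), m.group(3)
        value = re.sub(r"\\(.)", r"\1", quoted) if quoted is not None else bare
        params[m.group(1).lower()] = value
    return scheme.lower(), params


def next_action(status, www_authenticate, already_refreshed):
    """Decide what the client does after a response to a protected request.

    "refresh" is returned only for an explicit expiry signal and only once
    per request, so a server that keeps answering "token-expired" cannot
    drive the client into an endless refresh loop.
    """
    if status != 401:
        return "proceed"
    if not www_authenticate:
        return "reauthenticate"
    _scheme, params = parse_challenge(www_authenticate)
    if params.get("error_code") == "token-expired" and not already_refreshed:
        return "refresh"
    return "reauthenticate"


if __name__ == "__main__":
    # Constructed sample header, not taken from any real server.
    sample = 'ExampleToken realm="api", error_code="token-expired"'
    print(parse_challenge(sample))
    print(next_action(401, sample, already_refreshed=False))
```
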