Mixed http2/1.1 Authentication from Dennis Olvany on 2016-03-12 (ietf-http-wg@w3.org from January to March 2016)

From: Dennis Olvany <dennisolvany@gmail.com>
Date: Sat, 12 Mar 2016 16:16:14 +0000
To: ietf-http-wg@w3.org
Message-ID: <CAATNdDw1Den+LXYBv3ZAGSWUQU4x_0aK=wumPPNYa9RrhYu+PA@mail.gmail.com>

Hello,

I am interested in understanding the interoperability of http
authentication in a mixed http2/1.1 deployment. The use case is http2
between client and load balancer (ssl offload), then http1.1 between load
balancer and server. Authentication occurs at the server, not the load
balancer. My understanding is that the authorization header is sent with
every request, but perhaps this is not the case if the client is performing
http2 header compression. It seems logical that it should be the
responsibility of the intermediary to cache and transmit the header with
each request. Does the standard stipulate the behavior of clients and
intermediaries to support authentication in a mixed design? Are there any
known limitations with such a design?

-Dennis

Received on Saturday, 12 March 2016 16:16:52 UTC