HTTP Status Codes 401 and 403

Hello,

I have a significant question on the HTTP specifications for 401 Unauthorized <https://tools.ietf.org/html/rfc7235#section-3.1> and 403 Forbidden <https://tools.ietf.org/html/rfc7231#section-6.5.3> on the topic of authentication and authorization.
For 401, it states that the "request has not been applied because it lacks valid authentication credentials for the target resource", and that, if "the request included authentication credentials," then "authorization has been refused for those credentials."
This implies to me a few things in particular: 401 can be returned if the credentials are invalid or expired, 401 can be returned if the credentials do not suffice for the particular resource, and 401 can be returned if credentials are required but unspecified.
For 403, it states that, if "authentication credentials were provided in the request, the server considers them insufficient to grant access", and that the "client MAY repeat the request with new or different credentials."
This also implies to me a few things in particular: 403 can be returned if the credentials are invalid or expired, 403 can be returned if the credentials do not suffice for the particular resource, and 403 can be returned if credentials are required but unspecified.
The implications to me seem the same.
Obviously 403 is different in that it can also be returned if the issue has nothing to do with authentication, but, other than that, what is the effective difference under the context of authentication?
Here are a few cases I would also really appreciate having clarified, in particular as to whether 401, 403, or something else should be returned and why. (I bolded all the important words for you too!)
A resource requires authentication but no credentials were specified.
The specified credentials are in an invalid format. (I expect 400, but I'm just making sure.)
The specified credentials specify a user which does not exist.
The specified credentials are invalid but specify a valid user (or don't specify a user as a specified user is not required).
The specified credentials have expired.
The specified credentials are completely valid but do not suffice for the particular resource.
The particular resource is inaccessible regardless of credentials. (I expect 403.)
The specified credentials are completely valid but the particular client is blocked from using them.
Any other relevant cases you can think to clarify would also be appreciated, and you may tell me if you would like clarification from me on any of the above cases or information as well.
I have researched all of this information very thoroughly, but all of the answers vary greatly and contradict the spec, themselves, and/or other answers.
I hope you find the time to clarify this and will be looking forward to your response, as this problem is very important to me and to many others.

Thank you for your valuable time and consideration,
Grant Gryczan

Received on Monday, 11 June 2018 12:35:39 UTC
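The following is an added example, not part of the message above or of any reply on the list. It shows one consistent way to map the cases the message enumerates onto status codes for a bearer-token protected resource. Two points are taken straight from the specifications: a 401 response MUST carry a WWW-Authenticate challenge (RFC 7235 section 3.1), and RFC 6750 section 3.1 assigns status codes to its bearer error codes (invalid_request is 400, invalid_token is 401, insufficient_scope is 403). The rest is the example's own choices rather than anything the specs mandate: a non-existent user and a wrong secret get the identical 401 so that the status code cannot be used to enumerate accounts, and a blocked client or a resource forbidden to everyone gets a 403 without a challenge because new credentials would not change the outcome. The token store, realm, scopes, paths and client addresses are constructed for illustration and the function names are the example's own.

```python
"""Choosing 401 vs 403 for a bearer-token protected resource.

Added example; not code from the original message.  The token store, realm,
scopes, paths and client list below are constructed for illustration.
"""
import re
import time
from dataclasses import dataclass, field
from enum import Enum, auto
from typing import Dict, Optional

REALM = "example"                                    # constructed realm name
B64TOKEN = re.compile(r"^[A-Za-z0-9\-._~+/]+=*$")     # b64token syntax, RFC 6750 s2.1

# Constructed token store: token -> (subject, granted scopes, expiry as unix time)
TOKENS = {
    "tok-alice-read": ("alice", {"read"}, 2_000_000_000),
    "tok-bob-stale": ("bob", {"read", "write"}, 1_000_000_000),
}
BLOCKED_CLIENTS = {"203.0.113.7"}    # constructed; TEST-NET-3 address
FORBIDDEN_PATHS = {"/.git/config"}   # constructed; denied to everyone


class Outcome(Enum):
    NO_CREDENTIALS = auto()        # no Authorization header, or not a scheme we accept
    MALFORMED = auto()             # Bearer scheme, but the token is not valid b64token syntax
    UNKNOWN_OR_BAD_TOKEN = auto()  # unknown subject or wrong secret: deliberately one outcome
    EXPIRED = auto()
    INSUFFICIENT_SCOPE = auto()    # authenticated, but not permitted on this resource
    RESOURCE_FORBIDDEN = auto()    # nobody may access this, regardless of credentials
    CLIENT_BLOCKED = auto()        # credentials are valid, but this client may not use them
    OK = auto()


@dataclass(frozen=True)
class Decision:
    status: int
    outcome: Outcome
    headers: Dict[str, str] = field(default_factory=dict)


def challenge(**params: str) -> Dict[str, str]:
    """Build a WWW-Authenticate: Bearer challenge with auth-params (RFC 6750 s3)."""
    attrs = ", ".join(f'{k}="{v}"' for k, v in params.items())
    return {"WWW-Authenticate": f"Bearer {attrs}"}


def evaluate(authorization: Optional[str], path: str, required_scope: str,
             client_ip: str, now: Optional[float] = None) -> Decision:
    """Map one request to a status code, following RFC 7235/7231 and RFC 6750."""
    now = time.time() if now is None else now

    if path in FORBIDDEN_PATHS:
        # Forbidden for everyone: 403 and no challenge, because new
        # credentials would not change the answer.
        return Decision(403, Outcome.RESOURCE_FORBIDDEN)

    if not authorization or not authorization.lower().startswith("bearer "):
        # Missing or unusable credentials: 401, which MUST carry a
        # WWW-Authenticate challenge (RFC 7235 s3.1) naming an accepted scheme.
        return Decision(401, Outcome.NO_CREDENTIALS, challenge(realm=REALM))

    token = authorization[len("bearer "):].strip()
    if not B64TOKEN.match(token):
        # Credentials present but syntactically broken: RFC 6750 s3.1 pairs
        # error="invalid_request" with status 400.
        return Decision(400, Outcome.MALFORMED,
                        challenge(realm=REALM, error="invalid_request"))

    entry = TOKENS.get(token)
    if entry is None:
        # Unknown subject and wrong secret get the identical response, so the
        # status code cannot be used to enumerate accounts (example's choice).
        return Decision(401, Outcome.UNKNOWN_OR_BAD_TOKEN,
                        challenge(realm=REALM, error="invalid_token"))

    _subject, scopes, expires = entry
    if now >= expires:
        # Expired is still an authentication failure: 401 with invalid_token.
        return Decision(401, Outcome.EXPIRED,
                        challenge(realm=REALM, error="invalid_token",
                                  error_description="token expired"))

    if client_ip in BLOCKED_CLIENTS:
        # Authenticated, but this client may not use the credential: an
        # authorization decision, so 403; re-authenticating would not help.
        return Decision(403, Outcome.CLIENT_BLOCKED)

    if required_scope not in scopes:
        # Authenticated but not permitted here: 403; RFC 6750 s3.1 uses
        # error="insufficient_scope" and may name the scope that would be needed.
        return Decision(403, Outcome.INSUFFICIENT_SCOPE,
                        challenge(realm=REALM, error="insufficient_scope",
                                  scope=required_scope))

    return Decision(200, Outcome.OK)


if __name__ == "__main__":
    t = 1_500_000_000  # fixed clock so the expired token stays expired
    for auth in (None, "Basic dXNlcjpwYXNz", "Bearer not a token!",
                 "Bearer tok-nobody", "Bearer tok-bob-stale", "Bearer tok-alice-read"):
        d = evaluate(auth, "/api/items", "write", "198.51.100.5", now=t)
        print(f"{str(auth):24} -> {d.status} {d.outcome.name} {d.headers}")
```

The ordering of the checks is part of the design: everything that would end in "come back with different credentials" (absent, unsupported, unparseable, unknown, expired) is settled before any permission check runs, so the code never reveals whether a resource or a permission exists to a caller it has not yet authenticated. Only the 401 branches carry a challenge the client can act on; the 403 branches for a blocked client or a universally forbidden path omit it on purpose.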