- From: Michael Sweet <msweet@apple.com>
- Date: Mon, 11 Jun 2018 11:38:32 -0400
- To: grantgryczan@gmail.com
- Cc: HTTP Working Group <ietf-http-wg@w3.org>
My (totally IPP/CUPS-centric) opinion on the valid credentials but no access case is below... (but otherwise I agree with Philipp's responses)

> On Jun 11, 2018, at 9:12 AM, Philipp Junghannß <teamhydro55555@gmail.com> wrote:
> ...
> • The specified credentials are completely valid but do not suffice for the particular resource.
>
> I would say, if there's a chance the user can provide sufficient credentials (for example multiple credentials for different access levels) go with 401, otherwise just use 403

For CUPS we use (and IPP recommends) 403 since you *have* authenticated successfully and cannot proceed further. Because browsers won't show an authentication dialog for a 403, it makes things very clear to the user/agent that the authentication succeeded but they have no access with those credentials.

If you keep returning 401 then the user agent will keep presenting UI and the user will become frustrated trying to figure out what the right username or password is, possibly leading to their account getting locked if the underlying auth mechanism has retry limits...

Depending on how paranoid your implementation needs to be, your 403 response can also include helpful text ("User XYZ does not have access privileges.", etc.) that the browser (may) display. But the important thing is to stop unhelpful authentication dialogs that lack the context needed for a user (or user agent) to determine what is happening.

_________________________________________________________
Michael Sweet, Senior Printing System Engineer
Received on Monday, 11 June 2018 15:39:03 UTC
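The 401-versus-403 decision Michael describes, as an added example that is not part of the thread or of CUPS: a small Python authorization routine that sends a WWW-Authenticate challenge only when no usable credentials arrived, and a challenge-free 403 once credentials are valid but insufficient. The account table, realm and role names are constructed for the demo.

```python
import base64
import binascii
import hmac
from typing import Dict, Optional, Tuple

# Constructed sample account table (demo data, not from the thread):
# username -> (password, roles). A real server would store password hashes.
USERS = {
    "alice": ("alice-secret", {"print", "admin"}),
    "bob": ("bob-secret", {"print"}),
}
REALM = "Printers"  # assumed realm name

def basic_header(user: str, password: str) -> Dict[str, str]:
    """Build the Authorization header a Basic-auth client would send."""
    token = base64.b64encode(f"{user}:{password}".encode()).decode()
    return {"Authorization": f"Basic {token}"}

def parse_basic(authorization: str) -> Optional[Tuple[str, str]]:
    """Return (user, password) from a Basic Authorization header, else None."""
    scheme, _, token = authorization.strip().partition(" ")
    if scheme.lower() != "basic" or not token:
        return None
    try:
        decoded = base64.b64decode(token, validate=True).decode("utf-8")
    except (binascii.Error, UnicodeDecodeError):
        return None
    user, sep, password = decoded.partition(":")
    return (user, password) if sep else None

def authorize(headers: Dict[str, str], required_role: str) -> Tuple[int, Dict[str, str], str]:
    """Return (status, extra headers, body) for a request needing `required_role`.
    401 carries WWW-Authenticate so the agent prompts for credentials; 403 carries
    no challenge, so browsers show the body instead of re-prompting (CUPS/IPP style).
    """
    challenge = {"WWW-Authenticate": f'Basic realm="{REALM}", charset="UTF-8"'}
    creds = parse_basic(headers.get("Authorization", ""))
    if creds is None:
        return 401, challenge, "Authentication required."
    user, password = creds
    record = USERS.get(user)
    # Dummy compare for unknown users, so timing does not reveal valid usernames.
    expected = record[0] if record else ""
    ok = hmac.compare_digest(expected.encode(), password.encode())
    if record is None or not ok:
        return 401, challenge, "Authentication required."
    if required_role not in record[1]:
        return 403, {}, f"User {user} does not have access privileges."
    return 200, {}, f"Welcome, {user}."
```

A wrong password and an unknown user both get the same 401 plus challenge, while a known user lacking the role gets 403 with no challenge and a body the browser can display.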