Re: HTTP Status Codes 401 and 403

Michael's reply is totally true as well, which is why I said "if you can
expect the user to have some other credentials". On CUPS I think most users
probably don't have multiple credentials, so 403 absolutely makes sense.

Also, regarding an error page: an authentication can also show some text the
site chooses, where it could say something along the lines of "You don't
have access, but you can try as a different user" or whatever.

Generally speaking, in my opinion we may need a few more codes for those
use-cases.

On Mon, 11 June 2018 at 17:47, Michael Sweet <msweet@apple.com> wrote:

> My (totally IPP/CUPS-centric) opinion on the valid credentials but no
> access case is below... (but otherwise I agree with Philipp's responses)
>
> > On Jun 11, 2018, at 9:12 AM, Philipp Junghannß <teamhydro55555@gmail.com> wrote:
> > ...
> >       • The specified credentials are completely valid but do not
> > suffice for the particular resource.
> > I would say, if there's a chance the user can provide sufficient
> > credentials (for example multiple credentials for different access levels)
> > go with 401, otherwise just use 403
>
> For CUPS we use (and IPP recommends) 403 since you *have* authenticated
> successfully and cannot proceed further.  Because browsers won't show an
> authentication dialog for a 403, it makes things very clear to the
> user/agent that the authentication succeeded but they have no access with
> those credentials.  If you keep returning 401 then the user agent will keep
> presenting UI and the user will become frustrated trying to figure out what
> the right username or password is, possibly leading to their account
> getting locked if the underlying auth mechanism has retry limits...
>
> Depending on how paranoid your implementation needs to be, your 403
> response can also include helpful text ("User XYZ does not have access
> privileges.", etc.) that the browser (may) display.  But the important
> thing is to stop unhelpful authentication dialogs that lack the context
> needed for a user (or user agent) to determine what is happening.
>
> _________________________________________________________
> Michael Sweet, Senior Printing System Engineer

Received on Monday, 11 June 2018 21:36:54 UTC
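The rule the thread converges on (challenge with 401 only while the client could still succeed by supplying credentials; once the credentials are valid but insufficient, answer 403 without a challenge so the user agent stops prompting) is easy to get wrong in a handler that treats every failure as 401. The following is an added example, not code from the thread or from CUPS; the realm name, the user table, the role ranking and the `authorize` helper are all constructed for illustration.

```python
"""Added example (not from the original thread): deciding between 401 and 403.

Answer 401 with a WWW-Authenticate challenge only while the client could still
succeed by supplying (other) credentials.  Once the credentials are valid but
the user lacks the privilege, answer 403 with no challenge header so browsers
do not keep re-prompting.  Users, roles and the realm are constructed data.
"""
import base64
import hmac
from typing import Dict, Optional, Tuple

REALM = "example-printer"  # constructed realm name

# Constructed user database: username -> (password, role)
USERS: Dict[str, Tuple[str, str]] = {
    "alice": ("s3cret", "admin"),
    "bob": ("hunter2", "user"),
}

ROLE_RANK = {"user": 1, "admin": 2}


def parse_basic(authorization: Optional[str]) -> Optional[Tuple[str, str]]:
    """Return (user, password) from a Basic Authorization header, or None if absent/malformed."""
    if not authorization:
        return None
    scheme, _, token = authorization.partition(" ")
    if scheme.lower() != "basic" or not token:
        return None
    try:
        decoded = base64.b64decode(token.strip(), validate=True).decode("utf-8")
    except (ValueError, UnicodeDecodeError):  # binascii.Error is a ValueError
        return None
    user, sep, password = decoded.partition(":")
    if not sep:
        return None
    return user, password


def basic_header(user: str, password: str) -> Dict[str, str]:
    """Build the request header a client would send (used for the demo and tests)."""
    token = base64.b64encode(f"{user}:{password}".encode()).decode()
    return {"Authorization": f"Basic {token}"}


def authorize(headers: Dict[str, str], required_role: str) -> Tuple[int, Dict[str, str], str]:
    """Return (status, response_headers, body) for a request needing required_role."""
    challenge = {"WWW-Authenticate": f'Basic realm="{REALM}", charset="UTF-8"'}
    creds = parse_basic(headers.get("Authorization"))

    if creds is None:
        # No usable credentials: the client may still succeed, so challenge it.
        return 401, challenge, "Authentication required"

    user, password = creds
    record = USERS.get(user)
    expected = record[0] if record else ""
    # Constant-time comparison of the password value.
    if record is None or not hmac.compare_digest(password.encode(), expected.encode()):
        # Wrong credentials: still 401 with a challenge; the right ones might exist.
        return 401, challenge, "Authentication required"

    role = record[1]
    if ROLE_RANK[role] < ROLE_RANK[required_role]:
        # Authenticated but not permitted: 403 and, deliberately, no
        # WWW-Authenticate header, so the user agent stops prompting.
        return 403, {}, f"User {user} does not have access privileges."

    return 200, {}, "OK"


if __name__ == "__main__":
    for label, hdrs, need in [
        ("anonymous", {}, "user"),
        ("bob, wrong password", basic_header("bob", "nope"), "user"),
        ("bob, user resource", basic_header("bob", "hunter2"), "user"),
        ("bob, admin resource", basic_header("bob", "hunter2"), "admin"),
        ("alice, admin resource", basic_header("alice", "s3cret"), "admin"),
    ]:
        status, resp_hdrs, body = authorize(hdrs, need)
        print(f"{label:24s} -> {status} {resp_hdrs} {body}")
```

The one detail worth checking in any real implementation is the header set: RFC 7235 requires a 401 to carry a WWW-Authenticate challenge, and the 403 branch above omits it on purpose. A 403 that accidentally still carries the challenge, or a 401 that lacks it, produces exactly the confusing retry loop Michael describes.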