Re: [Secdispatch] I-D on dealing with the 3xx XOR 401 problem

From: Nico Williams <nico@cryptonector.com>
Date: Tue, 31 Mar 2020 00:50:55 -0500
To: Benjamin Kaduk <kaduk@mit.edu>
Cc: ietf-http-wg@w3.org, secdispatch@ietf.org
Message-ID: <20200331055054.GQ18021@localhost>
On Mon, Mar 30, 2020 at 11:59:54PM -0500, Nico Williams wrote:
> On Mon, Mar 30, 2020 at 07:06:29PM -0700, Benjamin Kaduk wrote:
> ...
> 
> What about the Redirect scheme?  Have I missed something important?
> That will require IETF Review.  I've added security considerations text
> in my GH repo for this, nicowilliams/accept-auth-and-redirect, FYI.

One thought that occurs is that the Authorization header should only be
preserved from the last redirect: the one back to the original origin.
And a new header could be preserved in all the other hops to enable
communication between the origin and the auth services via the
user-agent.

This way there would be no way for an origin to confuse an auth service
via an Authorization header.  After all, that's for the user-agent to
authenticate to the auth service.  We shouldn't give the Authorization
header two different uses.

On the last redirect, however, we really should want to preserve the
Authorization header, as it will -presumably- be authenticating the user
to the relying party with a token issued by the last hop.

Nico
-- 
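The user-agent header policy sketched in the message above (carry a separate per-hop header across every redirect, but attach Authorization only on the final redirect back to the original origin), written out as an added example. This is not code from the message, the draft, or the nicowilliams/accept-auth-and-redirect repository; the per-hop header name and the shape of the "redirect" records are assumptions made for the example, since the message names neither.

```python
"""Simulation of the redirect-chain header policy from the message.

Added example, not code from the draft or repository.  Each redirect is
modelled as a small dict: where it points ('location') and what the
redirecting server asks the user-agent to forward ('authorization' and
'hop_context').  The user-agent, not the server, decides what is sent.
"""
from urllib.parse import urlsplit

# Placeholder name for the per-hop origin <-> auth-service header the
# message proposes; the message does not name it (assumption).
HOP_HEADER = "X-Auth-Hop-Context"


def origin(url: str) -> tuple:
    """(scheme, host, port) triple for same-origin comparison."""
    p = urlsplit(url)
    port = p.port or {"https": 443, "http": 80}.get(p.scheme)
    return (p.scheme, (p.hostname or "").lower(), port)


def follow_chain(original_url: str, redirects: list) -> list:
    """Walk the redirect chain and record the headers sent on each hop.

    Policy:
      * HOP_HEADER is forwarded on every hop, so the origin and the auth
        service can talk via the user-agent without touching Authorization.
      * Authorization is attached only when the redirect target is the
        original origin, i.e. the last redirect of the chain.  A value
        a server asks to be sent to any other origin is dropped, so an
        origin cannot feed an Authorization header to the auth service.
    Returns a list of (target_url, headers) pairs and stops at the first
    hop that lands back on the original origin.
    """
    trace = []
    hop_context = None
    home = origin(original_url)
    for r in redirects:
        target = r["location"]
        if "hop_context" in r:          # any hop may update the context
            hop_context = r["hop_context"]
        headers = {}
        if hop_context is not None:
            headers[HOP_HEADER] = hop_context
        back_home = origin(target) == home
        if "authorization" in r and back_home:
            headers["Authorization"] = r["authorization"]
        trace.append((target, headers))
        if back_home:                   # the "last redirect"
            break
    return trace


# Constructed sample chain: origin -> auth service -> origin.
# The first hop also (improperly) asks for an Authorization value to be
# sent to the auth service; the policy drops it.
ORIGINAL = "https://app.example/protected"
SAMPLE_CHAIN = [
    {"location": "https://idp.example/login",
     "hop_context": "ctx-42",
     "authorization": "Bearer should-not-reach-idp"},
    {"location": "https://app.example/protected",
     "hop_context": "ctx-42",
     "authorization": "Bearer token-issued-by-idp"},
    {"location": "https://other.example/never-reached"},
]

if __name__ == "__main__":
    for target, headers in follow_chain(ORIGINAL, SAMPLE_CHAIN):
        print(target, headers)
```

Running the block prints two hops: the request to the auth service carries only the hop-context header, and the request back to the original origin carries both the hop-context header and the Authorization value issued by the last hop; the third entry is never reached because the chain ends on the redirect back to the original origin.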
Received on Tuesday, 31 March 2020 05:51:15 UTC