- From: Nico Williams <nico@cryptonector.com>
- Date: Tue, 31 Mar 2020 00:50:55 -0500
- To: Benjamin Kaduk <kaduk@mit.edu>
- Cc: ietf-http-wg@w3.org, secdispatch@ietf.org
On Mon, Mar 30, 2020 at 11:59:54PM -0500, Nico Williams wrote: > On Mon, Mar 30, 2020 at 07:06:29PM -0700, Benjamin Kaduk wrote: > ... > > What about the Redirect scheme? Have I missed something important? > That will require IETF Review. I've added security considerations text > in my GH repo for this, nicowilliams/accept-auth-and-redirect, FYI. One thought that occurs is that the Authorization header should only be preserved from the last redirect: the one back to the original origin. And a new header could be preserved in all the other hops to enable communication between the origin and the auth services via the user-agent. This way there would be no way for an origin to confuse an auth service via an Authorization header. After all, that's for the user-agent to authenticate to the auth service. We shouldn't give the Authorization header two different uses. On the last redirect, however, we really should want to preserve the Authorization header, as it will -presumably- be authenticating the user to the relying party with a token issued by the last hop. Nico --
Received on Tuesday, 31 March 2020 05:51:15 UTC