Interop issue: how can clients force authentication?

Clients currently have no reliable means of forcing the server to
authenticate them (they can try to preemptively send credentials, but
this works only for basic auth, not for digest).  This can lead to
situations where the client finds out that it was required to
authenticate too late and only after doing lots of work, such as when
putting a large file only to get a 401 back at the end of the transfer.

To address this problem, it was proposed to add a Force-Authenticate
OPTIONS header which would force a compliant server to issue an
authentication challenge to the client, a la:

Force-Authenticate = "Force-Authenticate" ":" ("T" | "F")

The Force-Authenticate header would be used with the OPTIONS method to
specify that the client wants to be
challenged for authentication credentials to the resource identified by
the Request-URI.  A value of "T"
indicates that a compliant DAV server MUST respond with a 401
Unauthorized status code (see
[RFC2068], section 10.4.2) if the resource identified by the Request-URI
is protected, i.e., there exists a  DAV method (read,  write, or
otherwise) that may result in a 401 response for this Request-URI.  Put
another way, if the server does *not* respond with a 401, it is
guaranteeing to the client that any DAV operation it may want to apply
to the Request-URI will not return a 401.

This means that the client has a way of finding out beforehand whether
it needs credentials to perform an operation, and the server has the
option of saying "no credentials necessary" if it is sure that in fact
no credentials are necessary (for example, servers that have no access
control at all, if any such exist).  I thought it was important to keep
this option open, although I suspect that most servers would always want
to challenge since they couldn't really be sure.

Comments?

-ilya

Received on Monday, 16 September 2002 19:34:00 UTC