Changeset 2326


Ignore:
Timestamp:
Jul 29, 2013, 2:55:10 PM (6 years ago)
Author:
fielding@…
Message:

Fix inbound/outbound/downstream directionality confusion in Proxy-Authenticate and Proxy-Authorization; updates [2322] and addresses #473

Location:
draft-ietf-httpbis/latest
Files:
2 edited

Legend:

Unmodified
Added
Removed
  • draft-ietf-httpbis/latest/p7-auth.html

    r2322 r2326  
    744744      </p>
    745745      <div id="rfc.figure.u.5"></div><pre class="inline"><span id="rfc.iref.g.7"></span>  <a href="#header.proxy-authenticate" class="smpl">Proxy-Authenticate</a> = 1#<a href="#challenge.and.response" class="smpl">challenge</a>
    746 </pre><p id="rfc.section.4.2.p.3">Unlike <a href="#header.www-authenticate" class="smpl">WWW-Authenticate</a>, the Proxy-Authenticate header field usually applies to the current connection, and proxies generally will consume it, rather
    747          than forwarding it to downstream clients. However, an intermediate proxy might need to obtain its own credentials by requesting
    748          them from the downstream client, which in some circumstances will appear as if the proxy is forwarding the Proxy-Authenticate
    749          header field.
     746</pre><p id="rfc.section.4.2.p.3">Unlike <a href="#header.www-authenticate" class="smpl">WWW-Authenticate</a>, the Proxy-Authenticate header field applies only to the next outbound client on the response chain that chose to direct
     747         its request to the responding proxy. If that recipient is also a proxy, it will generally consume the Proxy-Authenticate header
     748         field (and generate an appropriate <a href="#header.proxy-authorization" class="smpl">Proxy-Authorization</a> in a subsequent request) rather than forward the header field to its own outbound clients. However, if a recipient proxy needs
     749         to obtain its own credentials by requesting them from a further outbound client, it will generate its own 407 response, which
     750         might have the appearance of forwarding the Proxy-Authenticate header field if both proxies use the same challenge set.
    750751      </p>
    751752      <p id="rfc.section.4.2.p.4">Note that the parsing considerations for <a href="#header.www-authenticate" class="smpl">WWW-Authenticate</a> apply to this header field as well; see <a href="#header.www-authenticate" id="rfc.xref.header.www-authenticate.2" title="WWW-Authenticate">Section&nbsp;4.4</a> for details.
     
    758759      </p>
    759760      <div id="rfc.figure.u.6"></div><pre class="inline"><span id="rfc.iref.g.8"></span>  <a href="#header.proxy-authorization" class="smpl">Proxy-Authorization</a> = <a href="#challenge.and.response" class="smpl">credentials</a>
    760 </pre><p id="rfc.section.4.3.p.3">Unlike <a href="#header.authorization" class="smpl">Authorization</a>, the Proxy-Authorization header field applies only to the next outbound proxy that demanded authentication using the <a href="#header.proxy-authenticate" class="smpl">Proxy-Authenticate</a> field. When multiple proxies are used in a chain, the Proxy-Authorization header field is consumed by the first outbound proxy
     761</pre><p id="rfc.section.4.3.p.3">Unlike <a href="#header.authorization" class="smpl">Authorization</a>, the Proxy-Authorization header field applies only to the next inbound proxy that demanded authentication using the <a href="#header.proxy-authenticate" class="smpl">Proxy-Authenticate</a> field. When multiple proxies are used in a chain, the Proxy-Authorization header field is consumed by the first inbound proxy
    761762         that was expecting to receive credentials. A proxy <em class="bcp14">MAY</em> relay the credentials from the client request to the next proxy if that is the mechanism by which the proxies cooperatively
    762763         authenticate a given request.
  • draft-ietf-httpbis/latest/p7-auth.xml

    r2322 r2326  
    399399<t>
    400400   Unlike <x:ref>WWW-Authenticate</x:ref>, the Proxy-Authenticate header field
    401    usually applies to the current connection, and proxies generally will
    402    consume it, rather than forwarding it to downstream clients. However, an
    403    intermediate proxy might need to obtain its own credentials by requesting
    404    them from the downstream client, which in some circumstances will appear as
    405    if the proxy is forwarding the Proxy-Authenticate header field.
     401   applies only to the next outbound client on the response chain that chose
     402   to direct its request to the responding proxy. If that recipient is also a
     403   proxy, it will generally consume the Proxy-Authenticate header field (and
     404   generate an appropriate <x:ref>Proxy-Authorization</x:ref> in a subsequent
     405   request) rather than forward the header field to its own outbound clients.
     406   However, if a recipient proxy needs to obtain its own credentials by
     407   requesting them from a further outbound client, it will generate its own
     408   407 response, which might have the appearance of forwarding the
     409   Proxy-Authenticate header field if both proxies use the same challenge set.
    406410</t>
    407411<t>
     
    426430</artwork></figure>
    427431<t>
    428    Unlike <x:ref>Authorization</x:ref>, the Proxy-Authorization header field applies only to
    429    the next outbound proxy that demanded authentication using the <x:ref>Proxy-Authenticate</x:ref>
    430    field. When multiple proxies are used in a chain, the
    431    Proxy-Authorization header field is consumed by the first outbound
    432    proxy that was expecting to receive credentials. A proxy &MAY; relay
    433    the credentials from the client request to the next proxy if that is
     432   Unlike <x:ref>Authorization</x:ref>, the Proxy-Authorization header field
     433   applies only to the next inbound proxy that demanded authentication using
     434   the <x:ref>Proxy-Authenticate</x:ref> field. When multiple proxies are used
     435   in a chain, the Proxy-Authorization header field is consumed by the first
     436   inbound proxy that was expecting to receive credentials. A proxy &MAY;
     437   relay the credentials from the client request to the next proxy if that is
    434438   the mechanism by which the proxies cooperatively authenticate a given
    435439   request.
Note: See TracChangeset for help on using the changeset viewer.