Timestamp:
29/07/13 21:55:10 (7 years ago)
Author:
fielding@…
Message:

Fix inbound/outbound/downstream directionality confusion in Proxy-Authenticate and Proxy-Authorization; updates [2322] and addresses #473

File:
1 edited

  • draft-ietf-httpbis/latest/p7-auth.xml

    r2322 r2326  
    399399<t>
    400400   Unlike <x:ref>WWW-Authenticate</x:ref>, the Proxy-Authenticate header field
    401    usually applies to the current connection, and proxies generally will
    402    consume it, rather than forwarding it to downstream clients. However, an
    403    intermediate proxy might need to obtain its own credentials by requesting
    404    them from the downstream client, which in some circumstances will appear as
    405    if the proxy is forwarding the Proxy-Authenticate header field.
     401   applies only to the next outbound client on the response chain that chose
     402   to direct its request to the responding proxy. If that recipient is also a
     403   proxy, it will generally consume the Proxy-Authenticate header field (and
     404   generate an appropriate <x:ref>Proxy-Authorization</x:ref> in a subsequent
     405   request) rather than forward the header field to its own outbound clients.
     406   However, if a recipient proxy needs to obtain its own credentials by
     407   requesting them from a further outbound client, it will generate its own
     408   407 response, which might have the appearance of forwarding the
     409   Proxy-Authenticate header field if both proxies use the same challenge set.
    406410</t>
    407411<t>
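Review bot: the new first sentence uses "outbound client" for the response direction with no pointer to where inbound and outbound are defined, while the next changed paragraph switches requests to "inbound proxy"; since the commit exists to remove directionality confusion, add a cross-reference to the definition of those terms at the first use here. In the last sentence, "the same challenge set" is not a term the surrounding text introduces; wording such as "if both proxies issue the same challenges" would be clearer. The bare "407 response" could also carry the status code's x:ref, as the header field names in this paragraph do.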
     
    426430</artwork></figure>
    427431<t>
    428    Unlike <x:ref>Authorization</x:ref>, the Proxy-Authorization header field applies only to
    429    the next outbound proxy that demanded authentication using the <x:ref>Proxy-Authenticate</x:ref>
    430    field. When multiple proxies are used in a chain, the
    431    Proxy-Authorization header field is consumed by the first outbound
    432    proxy that was expecting to receive credentials. A proxy &MAY; relay
    433    the credentials from the client request to the next proxy if that is
     432   Unlike <x:ref>Authorization</x:ref>, the Proxy-Authorization header field
     433   applies only to the next inbound proxy that demanded authentication using
     434   the <x:ref>Proxy-Authenticate</x:ref> field. When multiple proxies are used
     435   in a chain, the Proxy-Authorization header field is consumed by the first
     436   inbound proxy that was expecting to receive credentials. A proxy &MAY;
     437   relay the credentials from the client request to the next proxy if that is
    434438   the mechanism by which the proxies cooperatively authenticate a given
    435439   request.
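Review bot: the two "outbound" to "inbound" replacements leave the final sentence saying "relay the credentials from the client request to the next proxy" with no direction, so the paragraph now qualifies direction everywhere except in the one sentence that carries a requirement keyword (&MAY;). Suggest "to the next inbound proxy" so the relay direction matches the rest of the paragraph. The old lines were also rewrapped along with the wording change, which makes the two-word substitution harder to spot in the diff; keeping the original line breaks would have reduced this hunk to two changed lines.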