Opened 6 years ago

Closed 6 years ago

#473 closed design (fixed)

Forwarding Proxy-*

Reported by: mnot@…
Owned by: draft-ietf-httpbis-p7-auth@…
Priority: normal
Milestone: 24
Component: p7-auth
Severity: In WG Last Call
Keywords:
Cc:

Description

p7 4.2 says:

Unlike WWW-Authenticate, the Proxy-Authenticate header field applies only to the current connection, and intermediaries should not forward it to downstream clients. However, an intermediate proxy might need to obtain its own credentials by requesting them from the downstream client, which in some circumstances will appear as if the proxy is forwarding the Proxy-Authenticate header field.

and 4.3 says:

Unlike Authorization, the Proxy-Authorization header field applies only to the next outbound proxy that demanded authentication using the Proxy-Authenticate field. When multiple proxies are used in a chain, the Proxy-Authorization header field is consumed by the first outbound proxy that was expecting to receive credentials. A proxy may relay the credentials from the client request to the next proxy if that is the mechanism by which the proxies cooperatively authenticate a given request.

However, neither says that the header needs to be listed in the Connection header; i.e. that it's hop-by-hop, as per RFC2616 13.5.1. If you recall, we removed the explicit list of hop-by-hop headers, opting to say that they needed to be listed in Connection, because doing so was causing confusion. However, we haven't actually specified that for these two headers.

Recommend language like this:

""" Unlike WWW-Authenticate, the Proxy-Authenticate header field applies only to the current connection, and thus MUST be listed in the Connection header field [ref], so that it is consumed on the next hop. Note that an intermediate proxy might need to obtain its own credentials by requesting them from the downstream client, which in some circumstances will appear as if the proxy is forwarding the Proxy-Authenticate header field. """

Attachments (1)

473.diff (1.4 KB) - added by julian.reschke@… 6 years ago.
Proposed patch


Change History (11)

comment:1 Changed 6 years ago by mnot@…

  • Component changed from p7-auth to p1-messaging
  • Milestone changed from unassigned to 23
  • Owner changed from draft-ietf-httpbis-p7-auth@… to draft-ietf-httpbis-p1-messaging@…

See thread; Roy explained that it indeed is not hop-by-hop.

Editors, please note change from 2616 in p1.

comment:2 Changed 6 years ago by julian.reschke@…

  • Milestone changed from 23 to unassigned

comment:3 Changed 6 years ago by julian.reschke@…

In -21, we removed the concept of implicit hop-by-hop altogether; and this is mentioned already:

"Clarify exactly when "close" connection options have to be sent; drop notion of header fields being "hop-by-hop" without being listed in the Connection header field. (Section 6.1)" -- <http://greenbytes.de/tech/webdav/draft-ietf-httpbis-p1-messaging-21.html#rfc.section.A.2.p.9>

Do we really need to mention Proxy-* explicitly?

comment:4 Changed 6 years ago by mnot@…

  • Component changed from p1-messaging to p7-auth
  • Owner changed from draft-ietf-httpbis-p1-messaging@… to draft-ietf-httpbis-p7-auth@…

Changed 6 years ago by julian.reschke@…

Proposed patch

comment:5 Changed 6 years ago by julian.reschke@…

From [2322]:

clarify Proxy-Authenticate and connections (see #473)

comment:6 Changed 6 years ago by julian.reschke@…

  • Resolution set to incorporated
  • Status changed from new to closed

comment:7 Changed 6 years ago by julian.reschke@…

  • Milestone changed from unassigned to 24

comment:8 Changed 6 years ago by fielding@…

From [2326]:

Fix inbound/outbound/downstream directionality confusion in Proxy-Authenticate and Proxy-Authorization; updates [2322] and addresses #473

comment:9 Changed 6 years ago by mnot@…

  • Resolution incorporated deleted
  • Status changed from closed to reopened

comment:10 Changed 6 years ago by mnot@…

  • Resolution set to fixed
  • Status changed from reopened to closed