Opened 12 years ago

Closed 8 years ago

#78 closed design (fixed)

Relationship between 401, Authorization and WWW-Authenticate

Reported by: mnot@… Owned by: julian.reschke@…
Priority: later Milestone: 16
Component: p7-auth Severity: Active WG Document
Keywords: Cc:

Description

Are these mechanisms exclusive? I.e., can they only be used together, or can a cookie-based authentication scheme (for example) use 401?

Attachments (1)

78.diff (3.0 KB) - added by julian.reschke@… 8 years ago.

Download all attachments as: .zip

Change History (15)

comment:1 Changed 12 years ago by mnot@…

  • Milestone changed from 01 to d00

comment:2 Changed 12 years ago by fielding@…

  • Component set to auth
  • Milestone d00 deleted

I don't think I understand this ticket. Is it an issue or a discussion item?

401 requires WWW-Authenticate. 401 is specifically designed to signal the use of HTTP authentication. I don't think it makes any sense to use it for cookie-based authentication, since the client is completely unaware that the cookies are being used for auth.

comment:3 Changed 12 years ago by mnot@…

  • Milestone set to unassigned

comment:4 Changed 10 years ago by mnot@…

Note that some want to put WWW-Authenticate on 200 responses; see <http://www.w3.org/mid/492EEB95.9050001@gmx.de>.

comment:5 Changed 10 years ago by t.broyer@…

Re. the use of WWW-Authenticate in non-401/407 responses, FWIW: http://lists.w3.org/Archives/Public/public-web-security/2010Jan/0042.html

comment:6 Changed 9 years ago by mnot@…

  • Priority set to low
  • Severity set to Active WG Document

comment:7 Changed 9 years ago by julian.reschke@…

  • Owner set to julian.reschke@…

comment:8 Changed 9 years ago by julian.reschke@…

I just checked the history of this bug, following several threads, and it appears this is really a *set* of issues...

  1. Relation between status code 401 and WWW-Authenticate

401 responses MUST include a WWW-Authenticate, but the opposite is not true.

Should we state more clearly in <http://greenbytes.de/tech/webdav/draft-ietf-httpbis-p7-auth-11.html#header.www-authenticate> what this field means on a 2xx response? Any response?

  1. Relation between WWW-Authenticate and Authorization fields?

Does every authentication scheme need to specify the credentials in "Authorization"? <http://tools.ietf.org/html/draft-broyer-http-cookie-auth-00> doesn't, and this doesn't seem to be a problem in practice (as long as cacheability is properly addressed)

  1. Should we specify how to handle a 401/WWW-Authenticate that does not contain any known schemes?

It appears all browsers nowadays display the message payload, which clearly is the right thing to do if we ever want to deploy new schemes.

Given the fact that implementations do the right thing, do we need to say more?

comment:9 Changed 8 years ago by julian.reschke@…

1) Yes, state what it means to get WWW-A on non-401. ("Authenticating may affect the response you got")

2) Yes, Authorization needs to be set because of caching implications.

Changed 8 years ago by julian.reschke@…

comment:10 Changed 8 years ago by julian.reschke@…

From [1360]:

Relationship between 401, Authorization and WWW-Authenticate (see #78)

comment:11 Changed 8 years ago by julian.reschke@…

  • Resolution set to incorporated
  • Status changed from new to closed

comment:12 Changed 8 years ago by julian.reschke@…

  • Milestone changed from unassigned to 16

comment:13 Changed 8 years ago by mnot@…

  • Resolution incorporated deleted
  • Status changed from closed to reopened

comment:14 Changed 8 years ago by mnot@…

  • Resolution set to fixed
  • Status changed from reopened to closed
Note: See TracTickets for help on using tickets.