Ticket #78 (closed design: fixed)

Opened 7 years ago

Last modified 3 years ago

Relationship between 401, Authorization and WWW-Authenticate

Reported by: mnot@pobox.com Owned by: julian.reschke@gmx.de
Priority: later Milestone: 16
Component: p7-auth Severity: Active WG Document
Keywords: Cc:
Origin: http://www.w3.org/mid/5A4607FB-6F74-4C7F-BF60-37E0EFEC97DF@yahoo-inc.com

Description

Are these mechanisms exclusive? I.e., can they only be used together, or can a cookie-based authentication scheme (for example) use 401?

Attachments

78.diff (3.0 KB) - added by julian.reschke@gmx.de 3 years ago.

Change History

comment:1 Changed 7 years ago by mnot@pobox.com

  • Milestone changed from 01 to d00

comment:2 Changed 7 years ago by fielding@gbiv.com

  • Component set to auth
  • Milestone d00 deleted

I don't think I understand this ticket. Is it an issue or a discussion item?

401 requires WWW-Authenticate. 401 is specifically designed to signal the use of HTTP authentication. I don't think it makes any sense to use it for cookie-based authentication, since the client is completely unaware that the cookies are being used for auth.

comment:3 Changed 7 years ago by mnot@pobox.com

  • Milestone set to unassigned

comment:4 Changed 6 years ago by mnot@pobox.com

Note that some want to put WWW-Authenticate on 200 responses; see <http://www.w3.org/mid/492EEB95.9050001@gmx.de>.

comment:5 Changed 5 years ago by t.broyer@ltgt.net

Re. the use of WWW-Authenticate in non-401/407 responses, FWIW: http://lists.w3.org/Archives/Public/public-web-security/2010Jan/0042.html

comment:6 Changed 4 years ago by mnot@pobox.com

  • Priority set to low
  • Severity set to Active WG Document

comment:7 Changed 4 years ago by julian.reschke@gmx.de

  • Owner set to julian.reschke@gmx.de

comment:8 Changed 4 years ago by julian.reschke@gmx.de

I just checked the history of this bug, following several threads, and it appears this is really a *set* of issues...

  1. Relation between status code 401 and WWW-Authenticate

401 responses MUST include a WWW-Authenticate, but the opposite is not true.

Should we state more clearly in <http://greenbytes.de/tech/webdav/draft-ietf-httpbis-p7-auth-11.html#header.www-authenticate> what this field means on a 2xx response? Any response?

  2. Relation between WWW-Authenticate and Authorization fields?

Does every authentication scheme need to specify the credentials in "Authorization"? <http://tools.ietf.org/html/draft-broyer-http-cookie-auth-00> doesn't, and this doesn't seem to be a problem in practice (as long as cacheability is properly addressed).

  3. Should we specify how to handle a 401/WWW-Authenticate that does not contain any known schemes?

It appears all browsers nowadays display the message payload, which clearly is the right thing to do if we ever want to deploy new schemes.

Given the fact that implementations do the right thing, do we need to say more?

comment:9 Changed 3 years ago by julian.reschke@gmx.de

1) Yes, state what it means to get WWW-A on non-401. ("Authenticating may affect the response you got")

2) Yes, Authorization needs to be set because of caching implications.
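The three relationships argued over in comment:8 and comment:9 as a small request/response checker. This is an added example, not WG or draft text or code; KNOWN_SCHEMES is an assumed list of what a client implements, and the shared-cache rule for requests carrying Authorization is the one in HTTP caching (RFC 7234 section 3.2).

```python
import re

# Assumption: schemes this client implements; anything else is "unknown".
KNOWN_SCHEMES = {"basic", "digest"}

# Cache-Control directives that let a shared cache store a response to a
# request that carried Authorization (RFC 7234, section 3.2).
SHARED_CACHE_OVERRIDES = {"must-revalidate", "public", "s-maxage"}

_TOKEN = r"[A-Za-z0-9!#$%&'*+\-.^_`|~]+"
# A scheme is a token at the start of a challenge (field start or after a
# comma) that is not followed by "=", which would make it an auth-param.
_SCHEME_RE = re.compile(r"(?:^|,)\s*(" + _TOKEN + r")(?=\s|,|$)(?!\s*=)")


def challenge_schemes(www_authenticate):
    """Lower-cased scheme names found in a WWW-Authenticate field value."""
    # Blank out quoted strings so a comma inside realm="a, b" is not
    # mistaken for a challenge separator.
    unquoted = re.sub(r'"(?:[^"\\]|\\.)*"', '""', www_authenticate)
    return {m.group(1).lower() for m in _SCHEME_RE.finditer(unquoted)}


def cache_control_directives(value):
    """Lower-cased directive names from a Cache-Control field value."""
    return {d.split("=", 1)[0].strip().lower() for d in value.split(",") if d.strip()}


def audit(status, request_headers, response_headers):
    """Short finding codes for one request/response pair (header names are
    matched case-insensitively)."""
    req = {k.lower(): v for k, v in request_headers.items()}
    resp = {k.lower(): v for k, v in response_headers.items()}
    findings = []
    www = resp.get("www-authenticate")
    if status == 401:
        if www is None:
            findings.append("401-missing-www-authenticate")
        elif not challenge_schemes(www) & KNOWN_SCHEMES:
            # Nothing we can act on: show the response payload to the user.
            findings.append("401-unknown-schemes-only")
    elif www is not None:
        # Point 1): a challenge on a non-401 means authenticating may change
        # the response you got.
        findings.append("www-authenticate-on-non-401")
    if "authorization" in req:
        # Point 2): without an explicit override a shared cache must not
        # store the response to a request that carried Authorization.
        cc = cache_control_directives(resp.get("cache-control", ""))
        if not cc & SHARED_CACHE_OVERRIDES:
            findings.append("not-storable-by-shared-cache")
    return findings
```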

Changed 3 years ago by julian.reschke@gmx.de

comment:10 Changed 3 years ago by julian.reschke@gmx.de

From [1360]:

Relationship between 401, Authorization and WWW-Authenticate (see #78)

comment:11 Changed 3 years ago by julian.reschke@gmx.de

  • Status changed from new to closed
  • Resolution set to incorporated

comment:12 Changed 3 years ago by julian.reschke@gmx.de

  • Milestone changed from unassigned to 16

comment:13 Changed 3 years ago by mnot@pobox.com

  • Status changed from closed to reopened
  • Resolution incorporated deleted

comment:14 Changed 3 years ago by mnot@pobox.com

  • Status changed from reopened to closed
  • Resolution set to fixed