<div>
Sure thing, we can make it happen.
</div><div><br></div><div>We can't encode it in base64 or just reply with SHA-256, we just need to discuss and see how it affects the bandwidth or the implementations on aerogear.auth.js.</div><div><br></div><div>I'm +1 on</div><div><br></div><div>- Request:</div><div><br></div><div><blockquote type="cite">WWW-Authenticate: AG-Token</blockquote><div><br></div><div>- Response:</div><div><br></div><div>Authorization: AG-Token=adshjadshadsgjagsdjagdasdads </div></div>
<div><div><br></div><div><br></div><div><div>-- </div><div>"The measure of a man is what he does with power" - Plato</div><div>-</div><div>@abstractj</div><div>-</div><div>Volenti Nihil Difficile</div></div></div>
<p style="color: #A0A0A8;">On Tuesday, October 2, 2012 at 10:30 AM, Matthias Wessendorf wrote:</p>
<blockquote type="cite" style="border-left-style:solid;border-width:1px;margin-left:0px;padding-left:10px;">
<span><div><div><div>Hey,</div><div><br></div><div>thinking out loud... what if the 401 response on the auth endpoint</div><div>returns one of the following</div><div> * WWW-Authenticate: Token .....</div><div> * WWW-Authenticate: X-AG-Token .....</div><div> * WWW-Authenticate: AG-Token .....</div><div><br></div><div>... something like that...</div><div><br></div><div>The request header to that 'login endpoint' could 'react' with something like</div><div><br></div><div>Authorization: AG-Token token=adshjadshadsgjagsdjagdasdads</div><div><br></div><div>===> but that above would be Base64..... (I think...)</div><div>OR is the plan to continue sending user/password in plain text.</div><div><br></div><div>Marko recently said sending them in plain text makes it more obvious</div><div>that for a login (where you send your credentials), TLS is required -</div><div>with Base64 it may be less obvious.</div><div><br></div><div>Which I agree on ....</div><div><br></div><div><br></div><div>Any thoughts?</div><div><br></div><div>-Matthias</div><div><br></div><div><br></div><div>On Tue, Oct 2, 2012 at 3:18 PM, Matthias Wessendorf <<a href="mailto:matzew@apache.org">matzew@apache.org</a>> wrote:</div><blockquote type="cite"><div><div>On Tue, Oct 2, 2012 at 3:14 PM, Kris Borchers <<a href="mailto:kris@redhat.com">kris@redhat.com</a>> wrote:</div><blockquote type="cite"><div><div>Ah, I see. Hmm, yeah I guess the more I think about it, 401 on auth endpoints and 403 on "Not Authorized" endpoints makes sense instead of 401. I am indifferent on the header on 401 so if we want to add it that's fine, I'll still just be checking for the 401.</div><div><br></div><div>My next question would be, what value would we assign to the WWW-Authenticate header for non-Basic auth?</div></div></blockquote><div><br></div><div>it's also used for digest and Token (like OAuth) etc</div><div><br></div><div><br></div><div>WWW-Authenticate is not limited to basic</div><div><br></div><div><br></div><div>-M</div><div><br></div><blockquote type="cite"><div><div><br></div><div>On Oct 2, 2012, at 8:04 AM, Matthias Wessendorf <<a href="mailto:matzew@apache.org">matzew@apache.org</a>> wrote:</div><div><br></div><blockquote type="cite"><div><div>Hi,</div><div><br></div><div>On Tue, Oct 2, 2012 at 2:37 PM, Kris Borchers <<a href="mailto:kris@redhat.com">kris@redhat.com</a>> wrote:</div><blockquote type="cite"><div><div>To be honest, I don't remember the full discussion either but I am only</div><div>concerned with 401 on the login endpoint. If we did 403 with</div><div>WWW-Authenticate header, I would be ok with that. I think I remember</div><div>fighting for 401 over 403 because I needed to know it was an auth error so</div><div>if it's 403 and there is a WWW-Authenticate header, then I would know it's</div><div>an auth error.</div></div></blockquote><div><br></div><div>IMO WWW-Authenticate on 403 is wrong.</div><div><br></div><div>However, WWW-Authenticate MUST be included on 401 (according to the RFC)</div><div><br></div><div>Regarding endpoints:</div><div><br></div><div>* 'service endpoint' (e.g. /projects, /tasks etc)</div><div>==> I think I like what amazon does, they give back 403 with NO</div><div>WWW-Authenticate header, and tell you 'denied'. IMO that's correct for</div><div>'service endpoints', which are protected and you don't provide the</div><div>_valid_ token</div><div><br></div><div>* login endpoint:</div><div>I think that 401 fits fine here, right ?</div><div>(which perhaps... should include the WWW-Authenticate on that 401)</div><div><br></div><div><br></div><div>NOTE: I don't want to change the current design, as it was already</div><div>discussed - but just raising some items, while doing a deeper dive on</div><div>'auth', because of native iOS</div><div><br></div><div>-Matthias</div><div><br></div><blockquote type="cite"><div><div><br></div><div>If that is the proper way, then I will make it work on the JS side. I am all</div><div>for making the JS side "easier" but not at the expense of doing things in a</div><div>way people don't expect.</div></div></blockquote><div><br></div><div><br></div><div><br></div><div><br></div><div><br></div><div><br></div><blockquote type="cite"><div><div><br></div><div>Thoughts?</div><div><br></div><div>On Oct 2, 2012, at 6:42 AM, Bruno Oliveira <<a href="mailto:bruno@abstractj.org">bruno@abstractj.org</a>> wrote:</div><div><br></div><div>For some reason that I don't remember now, we discussed about 401 x 403 when</div><div>the REST authentication API was sent, people decided for 401.</div><div><br></div><div>I'm not picky on it because this is easy to change and only related to our</div><div>TODO. We discussed about authentication methods like amazon s3 in the past</div><div><a href="https://github.com/abstractj/aerogear-security/blob/deltaspike/README.md">https://github.com/abstractj/aerogear-security/blob/deltaspike/README.md</a></div><div><br></div><div>We have tons of changes to do now, my only concern at the current TODO app</div><div>was to get it done to j1.</div><div><br></div><div><br></div><div>--</div><div>"The measure of a man is what he does with power" - Plato</div><div>-</div><div>@abstractj</div><div>-</div><div>Volenti Nihil Difficile</div><div><br></div><div>On Tuesday, October 2, 2012 at 8:08 AM, Matthias Wessendorf wrote:</div><div><br></div><div>Hi,</div><div><br></div><div>I think they return 403 since they (like us) lack the WWW-Authenticate</div><div>header.</div><div><br></div><div>Which is required on 401:</div><div><a href="http://www.w3.org/Protocols/rfc2616/rfc2616-sec14.html#sec14.47">http://www.w3.org/Protocols/rfc2616/rfc2616-sec14.html#sec14.47</a></div><div><br></div><div>-M</div><div><br></div><div>On Tue, Oct 2, 2012 at 12:56 PM, Matthias Wessendorf <<a href="mailto:matzew@apache.org">matzew@apache.org</a>></div><div>wrote:</div><div><br></div><div>Hi,</div><div><br></div><div>I noticed that with Amazon's S3 (for instance) they return 403 when</div><div>you are not authorized. Not really sure, but forbidden (403) is</div><div>perhaps fine when accessing a protected REST endpoint (versus 401) ?</div><div><br></div><div>Thoughts?</div><div><br></div><div>-Matthias</div><div><br></div><div>--</div><div>Matthias Wessendorf</div><div><br></div><div>blog: <a href="http://matthiaswessendorf.wordpress.com">http://matthiaswessendorf.wordpress.com</a>/</div><div>sessions: <a href="http://www.slideshare.net/mwessendorf">http://www.slideshare.net/mwessendorf</a></div><div>twitter: <a href="http://twitter.com/mwessendorf">http://twitter.com/mwessendorf</a></div><div><br></div><div><br></div><div><br></div><div><br></div><div>--</div><div>Matthias Wessendorf</div><div><br></div><div>blog: <a href="http://matthiaswessendorf.wordpress.com">http://matthiaswessendorf.wordpress.com</a>/</div><div>sessions: <a href="http://www.slideshare.net/mwessendorf">http://www.slideshare.net/mwessendorf</a></div><div>twitter: <a href="http://twitter.com/mwessendorf">http://twitter.com/mwessendorf</a></div><div>_______________________________________________</div><div>aerogear-dev mailing list</div><div><a href="mailto:aerogear-dev@lists.jboss.org">aerogear-dev@lists.jboss.org</a></div><div><a href="https://lists.jboss.org/mailman/listinfo/aerogear-dev">https://lists.jboss.org/mailman/listinfo/aerogear-dev</a></div><div><br></div><div><br></div><div>_______________________________________________</div><div>aerogear-dev mailing list</div><div><a href="mailto:aerogear-dev@lists.jboss.org">aerogear-dev@lists.jboss.org</a></div><div><a href="https://lists.jboss.org/mailman/listinfo/aerogear-dev">https://lists.jboss.org/mailman/listinfo/aerogear-dev</a></div><div><br></div><div><br></div><div><br></div><div>_______________________________________________</div><div>aerogear-dev mailing list</div><div><a href="mailto:aerogear-dev@lists.jboss.org">aerogear-dev@lists.jboss.org</a></div><div><a href="https://lists.jboss.org/mailman/listinfo/aerogear-dev">https://lists.jboss.org/mailman/listinfo/aerogear-dev</a></div></div></blockquote><div><br></div><div><br></div><div><br></div><div>--</div><div>Matthias Wessendorf</div><div><br></div><div>blog: <a href="http://matthiaswessendorf.wordpress.com">http://matthiaswessendorf.wordpress.com</a>/</div><div>sessions: <a href="http://www.slideshare.net/mwessendorf">http://www.slideshare.net/mwessendorf</a></div><div>twitter: <a href="http://twitter.com/mwessendorf">http://twitter.com/mwessendorf</a></div><div>_______________________________________________</div><div>aerogear-dev mailing list</div><div><a href="mailto:aerogear-dev@lists.jboss.org">aerogear-dev@lists.jboss.org</a></div><div><a href="https://lists.jboss.org/mailman/listinfo/aerogear-dev">https://lists.jboss.org/mailman/listinfo/aerogear-dev</a></div></div></blockquote><div><br></div><div><br></div><div>_______________________________________________</div><div>aerogear-dev mailing list</div><div><a href="mailto:aerogear-dev@lists.jboss.org">aerogear-dev@lists.jboss.org</a></div><div><a href="https://lists.jboss.org/mailman/listinfo/aerogear-dev">https://lists.jboss.org/mailman/listinfo/aerogear-dev</a></div></div></blockquote><div><br></div><div><br></div><div><br></div><div>--</div><div>Matthias Wessendorf</div><div><br></div><div>blog: <a href="http://matthiaswessendorf.wordpress.com">http://matthiaswessendorf.wordpress.com</a>/</div><div>sessions: <a href="http://www.slideshare.net/mwessendorf">http://www.slideshare.net/mwessendorf</a></div><div>twitter: <a href="http://twitter.com/mwessendorf">http://twitter.com/mwessendorf</a></div></div></blockquote><div><br></div><div><br></div><div><br></div><div>-- </div><div>Matthias Wessendorf</div><div><br></div><div>blog: <a href="http://matthiaswessendorf.wordpress.com">http://matthiaswessendorf.wordpress.com</a>/</div><div>sessions: <a href="http://www.slideshare.net/mwessendorf">http://www.slideshare.net/mwessendorf</a></div><div>twitter: <a href="http://twitter.com/mwessendorf">http://twitter.com/mwessendorf</a></div><div><br></div><div>_______________________________________________</div><div>aerogear-dev mailing list</div><div><a href="mailto:aerogear-dev@lists.jboss.org">aerogear-dev@lists.jboss.org</a></div><div><a href="https://lists.jboss.org/mailman/listinfo/aerogear-dev">https://lists.jboss.org/mailman/listinfo/aerogear-dev</a></div></div></div></span>
</blockquote>
<div>
<br>
</div>