WWW-Authenticate: AG-Token
On Tuesday, October 2, 2012 at 10:30 AM, Matthias Wessendorf wrote:
Hey,thinking out loud... what if the 401 response on the auth endpointreturns one of the following* WWW-Authenticate: Token .....* WWW-Authenticate: X-AG-Token .....* WWW-Authenticate: AG-Token ........ something like that...The request header to that 'login endpoint' could 'react' with something likeAuthorization: AG-Token token=adshjadshadsgjagsdjagdasdads===> but that above would be Base64..... (I think...)OR is the plan to continue sending user/password in plain text.Marko recently said sending them in plain text makes it more obviousthat for a login (where you send your credentials), TLS is required -with Base64 it may be less obvious.Which I agree on ....Any thoughts?-MatthiasOn Tue, Oct 2, 2012 at 3:18 PM, Matthias Wessendorf <matzew@apache.org> wrote:On Tue, Oct 2, 2012 at 3:14 PM, Kris Borchers <kris@redhat.com> wrote:Ah, I see. Hmm, yeah I guess the more I think about it, 401 on auth endpoints and 403 on "Not Authorized" endpoints makes sense instead of 401. I am indifferent on the header on 401 so if we want to add it that's fine, I'll still just be checking for the 401.My next question would be, what value would we assign to the WWW-Authenticate header for non-Basic auth?it's also used for digest and Token (like OAuth) etcWWW-Authenticate is not limited to basic-MOn Oct 2, 2012, at 8:04 AM, Matthias Wessendorf <matzew@apache.org> wrote:Hi,On Tue, Oct 2, 2012 at 2:37 PM, Kris Borchers <kris@redhat.com> wrote:To be honest, I don't remember the full discussion either but I am onlyconcerned with 401 on the login endpoint. If we did 403 withWWW-Authenticate header, I would be ok with that. I think I rememberfighting for 401 over 403 because I needed to know it was an auth error soif it's 403 and there is a WWW-Authenticate header, then I would know it'san auth error.IMO WWW-Authenticate on 403 is wrong.However, WWW-Authenticate MUST be included on 401 (according to the RFC)Regarding endpoints:* 'service endpoint' (e.g. /projects, /tasks etc)==> I think I like what amazon does, they give back 403 with NOWWW-Authenticate header, and tell you 'denied'. IMO that's correct for'service endpoints', which are protected and you don't provide the_valid_ token* login endpoint:I think that 401 fits fine here, right ?(which perhaps... should include the WWW-Authenticate on that 401)NOTE: I don't want to change the current design, as it was alreadydiscussed - but just raising some items, while doing a deeper dive on'auth', because of native iOS-MatthiasIf that is the proper way, then I will make it work on the JS side. I am allfor making the JS side "easier" but not at the expense of doing things in away people don't expect.Thoughts?On Oct 2, 2012, at 6:42 AM, Bruno Oliveira <bruno@abstractj.org> wrote:For some reason that I don't remember now, we discussed about 401 x 403 whenthe REST authentication API was sent, people decided for 401.I'm not picky on it because this is easy to change and only related to ourTODO. We discussed about authentication methods like amazon s3 in the pastWe have tons of changes to do now, my only concern at the current TODO appwas to get it done to j1.--"The measure of a man is what he does with power" - Plato-@abstractj-Volenti Nihil DifficileOn Tuesday, October 2, 2012 at 8:08 AM, Matthias Wessendorf wrote:Hi,I think they return 403 since they (like us) lack the WWW-Authenticateheader.Which is required on 401:-MOn Tue, Oct 2, 2012 at 12:56 PM, Matthias Wessendorf <matzew@apache.org>wrote:Hi,I noticed that with Amazon's S3 (for instance) they return 403 whenyou are not authorized. Not really sure, but forbidden (403) isperhaps fine when accessing a protected REST endpoint (versus 401) ?Thoughts?-Matthias--Matthias Wessendorfsessions: http://www.slideshare.net/mwessendorftwitter: http://twitter.com/mwessendorf--Matthias Wessendorfsessions: http://www.slideshare.net/mwessendorftwitter: http://twitter.com/mwessendorf_______________________________________________aerogear-dev mailing list_______________________________________________aerogear-dev mailing list_______________________________________________aerogear-dev mailing list--Matthias Wessendorfsessions: http://www.slideshare.net/mwessendorftwitter: http://twitter.com/mwessendorf_______________________________________________aerogear-dev mailing list_______________________________________________aerogear-dev mailing list--Matthias Wessendorfsessions: http://www.slideshare.net/mwessendorftwitter: http://twitter.com/mwessendorf--Matthias Wessendorfsessions: http://www.slideshare.net/mwessendorftwitter: http://twitter.com/mwessendorf_______________________________________________aerogear-dev mailing list