Accept-Auth HTTP Header for 3xx/401 Negotiation, and Redirect Authentication Scheme
draft-williams-http-accept-auth-and-redirect-02
| Document | Type |
Expired Internet-Draft
(individual)
Expired & archived
|
|
|---|---|---|---|
| Author | Nicolás Williams | ||
| Last updated | 2020-10-12 (Latest revision 2020-04-10) | ||
| RFC stream | (None) | ||
| Intended RFC status | (None) | ||
| Formats | |||
| Stream | Stream state | (No stream defined) | |
| Consensus boilerplate | Unknown | ||
| RFC Editor Note | (None) | ||
| IESG | IESG state | Expired | |
| Telechat date | (None) | ||
| Responsible AD | (None) | ||
| Send notices to | (None) |
This Internet-Draft is no longer active. A copy of the expired Internet-Draft is available in these formats:
Abstract
The Hyper-Text Transport Protocol (HTTP) offers several authentication schemes, but many sites use redirection-based protocols to authenticate users. Some servers are faced with a connundrum, having to choose between two mutually-exclusive options: redirect responses or 401 (authentication required) responses without knowing which the user-agent is most likely to support. This document specifies new HTTP request headers by which many applications can improve interoperability even without changing their HTTP implementations. These new headers allow user-agents to advertise authentication- and redirect-related capbilities that servers can use to better make authentication and/or redirect decisions. Also specified is a new HTTP authentication scheme named "Redirect" that enables communication between redirecting and redirected authorities via preservation of "Authorization" headers across redirections. This enables arbitrary authentication and authorization protocols to work without requiring user-agent support for them and without having to (ab)use URI query parameters.
Authors
(Note: The e-mail addresses provided for the authors of this Internet-Draft may no longer be valid.)