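@comment{
  Individual IETF Internet-Draft, revision -02, cited as work in progress.
  Internet-Drafts are working documents, not standards; pin the revision
  number when citing. Security reading note: the "Redirect" scheme described
  in the abstract keeps "Authorization" headers across redirections, so a
  credential sent to one authority can be seen by another. Check the draft's
  own security considerations before treating the mechanism as safe to deploy.
}
@techreport{williams-http-accept-auth-and-redirect-02,
  author      = {Williams, Nicol{\'a}s},
  title       = {{Accept-Auth} {HTTP} Header for 3xx/401 Negotiation, and {Redirect} Authentication Scheme},
  type        = {Internet-Draft},
  number      = {draft-williams-http-accept-auth-and-redirect-02},
  institution = {Internet Engineering Task Force},
  publisher   = {Internet Engineering Task Force},
  year        = 2020,
  month       = apr,
  day         = 10,
  pagetotal   = 15,
  url         = {https://datatracker.ietf.org/doc/draft-williams-http-accept-auth-and-redirect/02/},
  note        = {Work in Progress},
  abstract    = {The Hyper-Text Transport Protocol (HTTP) offers several authentication schemes, but many sites use redirection-based protocols to authenticate users. Some servers are faced with a conundrum, having to choose between two mutually-exclusive options: redirect responses or 401 (authentication required) responses without knowing which the user-agent is most likely to support. This document specifies new HTTP request headers by which many applications can improve interoperability even without changing their HTTP implementations. These new headers allow user-agents to advertise authentication- and redirect-related capabilities that servers can use to better make authentication and/or redirect decisions. Also specified is a new HTTP authentication scheme named "Redirect" that enables communication between redirecting and redirected authorities via preservation of "Authorization" headers across redirections. This enables arbitrary authentication and authorization protocols to work without requiring user-agent support for them and without having to (ab)use URI query parameters.},
}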