tags:

views:

552

answers:

3
+1  Q: 

What should I pass for the WWW-Authenticate header on 401s if I'm only using OpenID?

The HTTP spec states:

10.4.2 401 Unauthorized

The request requires user authentication. The response MUST include a WWW-Authenticate header field (section 14.47) containing a challenge applicable to the requested resource.

If the only login scheme I support is OpenID (or CAS, or OAuth tokens, &c.), what should I put in this field? That is, how do I indicate that the client needs to pre-authenticate and create a session rather than try to send credentials along with each request?

Before you answer, "don't send a 401; send a 3xx redirecting to the OpenID login page," what about for non-HTML clients? How, for example, would Stack Overflow do an API that my custom software could interact with?

+1  A: 

403 Forbidden could be an alternative response for "Access denied" errors.

grawity  2009-06-02 15:58:24
That's more for if you've already authenticated but have insufficient permissions. I suppose the "insufficient" permissions bit applies here, but it gives no information about how one might elevate them, which a 401 does, and which seems applicable.
James A. Rosen  2009-06-02 21:17:26
Looking at http://www.w3.org/Protocols/rfc2616/rfc2616-sec10.html 403 does seem most appropriate.
Chris Boyle  2009-07-06 17:08:10
+2  A: 

There is an OAuth Discovery spec that would indicate what to put into the WWW-Authenticate header -- if the spec were not obsolete without a replacement spec yet.

Andrew Arnott  2009-06-02 16:39:15
+2  A: 

According to RFC2617 the auth-scheme can be anything; if you really want a 401 you're not technically breaking spec by making something up like WWW-Authenticate: OpenID realm="My Realm" location="http://my/login/location". Having said that, behaviour of other people's code when you do that is of course undefined. :-)

Chris Boyle  2009-07-06 17:11:33

related questions

Retrieving HTTP status code from loaded iframe with Javascript
How to specify an authenticated proxy for a python http connection?
Why does HttpCacheability.Private suppress ETags?
How to respond to an alternate URI in a RESTful web service
Is there a reason to use BufferedReader over InputStreamReader when reading all characters?
What would be a good, windows and iis (http) based distributed version control system
Database query representation impersonating file on Windows share?
How do I use NTLM authentication with Active Directory
Process raw HTTP request content
How would you implement FORM based authentication without a backing database?
Reading "chunked" response with HttpWebResponse
Best way to let users download a file from my website: http or ftp
How do I convert a date to a HTTP-formatted date in .Net / C#
What is the best way to upload a file via an HTTP POST with a web form?
How do I stop IIS7 dropping my cookies?
Checking FTP status codes with a PHP script.
HTTP Libraries for Emacs
Accessing post variables using Java Servlets
HTTP: Generating ETag Header
HTTP: How to know when to send a 304 Not Modified response
How do I best detect an ASP.NET expired session?
How can I make the browser see CSS and Javascript changes?
How to curl or wget a web page?
The Definitive Guide To Website Authentication
Implementation of "Remember me" in a Rails application.