It's a Java app using Apache HttpClient 3 with some Swing-based UI for
HTTP auth. This is a testing tool and I don't really care about it.
The point I am trying to make is that the use of HTTP Auth in OAuth
may trigger unexpected logic in consumer applications.

In my opinion, the HTTP auth mechanism would be a good choice if one of
the following conditions is met:

1. The protocol is intended for end users and a browser extension/
plugin is expected.
2. The parameters are standard, so it's easier to write an HTTP auth
handler. We used to have a one-legged protocol (getting an access token
with username/password) which sends the username/password using Basic
Auth.
3. Interactivity or negotiation in the protocol. For example, IE and
Firefox support Kerberos using the SPNEGO scheme, in which 401 means
continuation of the negotiation or a request for more credentials, and
403 indicates a failure and the end of the exchange.

As you can see, OAuth doesn't fit any of these use cases. Using 401
just causes unwanted confusion and overhead.

I really like the way OAuth uses the Authorization header so you can
hide the OAuth clutter away from app data. However, the header is not
used in the context of HTTP auth. In OAuth, the Authorization header is
always unsolicited and not a response to 401+WWW-Authenticate. So I
think 403 is more appropriate.

For our internal APIs, we only use two status codes, like OAuth:

  400: Protocol error. It normally means a bug in the application and
       it's intended for developers.
  403: All other errors.

Now we use the OAuth Java library, and it returns a whole bunch of
401s. It's kind of messy, but we can deal with it.

Zhihong
On Mar 12, 8:41 pm, Eran Hammer-Lahav <[email protected]> wrote:
> What HTTP client do you use?
>
> EHL
>
> On 3/12/09 4:30 PM, "Zhihong" <[email protected]> wrote:
>
> I added WWW-Authenticate but now it complains unknown scheme. I
> disabled the HTTP auth and the warnings went away.
>
> I am new to OAuth and don't know the reason behind using 401. I just
> don't see the benefits of overloading HTTP authentication mechanism.
>
> Thanks!
>
> Zhihong
>
> On Mar 12, 7:27 pm, Eran Hammer-Lahav <[email protected]> wrote:
>
> > No.
>
> > Return 401 with the WWW-Authenticate header.
>
> > WWW-Authenticate: OAuth realm="your.server.example.com"
>
> > EHL
>
> > On 3/12/09 1:40 PM, "Zhihong" <[email protected]> wrote:
>
> > The OAuth spec uses HTTP 401 (Unauthorized) as an error code. We
> > just discovered that our HTTP client logs a warning (missing
> > WWW-Authenticate header) when receiving this status code, because it
> > expects HTTP authentication when receiving this code.
>
> > Considering the special meaning of 401 in HTTP authentication, would
> > it be better to use 403 (Forbidden) instead?
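As an added illustration that is not part of the thread (not Zhihong's or EHL's code, and not any OAuth library's): a small Python model of the two server responses argued about above and of how a generic HTTP-auth-aware client reacts to each of them. The set of schemes the client "knows" is an assumption standing in for whatever Apache HttpClient 3 implemented; the realm value is the one from EHL's reply, and the error body is constructed.

```python
"""Model of the 401-vs-403 exchange discussed in the thread.

Not code from the thread or from any OAuth library. It shows (a) the two
server responses under discussion and (b) what a generic RFC 2617 style
HTTP client does when it sees them.
"""
import re

# Assumption: schemes the client has handlers for, standing in for whatever
# Apache HttpClient 3 implemented. 'oauth' is deliberately absent, which is
# the situation the original poster ran into.
KNOWN_SCHEMES = {"basic", "digest", "ntlm"}

# Matches one auth-param: name=token or name="quoted string".
_PARAM = re.compile(r'(\w+)\s*=\s*(?:"([^"]*)"|([^\s,]+))')


def oauth_error_response(use_401, realm="your.server.example.com"):
    """Server side. Returns (status, headers, body) for a rejected OAuth
    request: either the 401 + WWW-Authenticate challenge EHL suggested,
    or the plain 403 the poster prefers."""
    body = "signature_invalid"  # constructed error text
    if use_401:
        return 401, {"WWW-Authenticate": 'OAuth realm="%s"' % realm}, body
    return 403, {}, body


def parse_challenge(value):
    """Parse a single WWW-Authenticate challenge into (scheme, params).
    Handles one challenge per header value, which is all the thread uses."""
    scheme, _, rest = value.strip().partition(" ")
    params = {}
    for m in _PARAM.finditer(rest):
        params[m.group(1)] = m.group(2) if m.group(2) is not None else m.group(3)
    return scheme, params


def client_handle(status, headers, known=KNOWN_SCHEMES):
    """Client side. Mimics a generic HTTP-auth aware client's reaction:
    401 is an auth challenge and must carry WWW-Authenticate naming a
    scheme the client implements; 403 is a final refusal with no retry.
    Returns (action, detail)."""
    if status == 401:
        challenge = headers.get("WWW-Authenticate")
        if challenge is None:
            # RFC 2617: a 401 response MUST include WWW-Authenticate. This is
            # the 'missing WWW-Authenticate header' warning from the first mail.
            return "warn", "401 without WWW-Authenticate header"
        scheme, _params = parse_challenge(challenge)
        if scheme.lower() not in known:
            # The 'unknown scheme' complaint from the second mail.
            return "warn", "unknown auth scheme '%s'" % scheme
        return "retry_with_credentials", scheme
    if status == 403:
        # Forbidden: nothing the client can add will change the answer.
        return "fail", "forbidden, no retry"
    return "ok", None


def demo():
    """Run the three cases from the thread and return their outcomes."""
    results = {}
    # 1. 401 without the header (what the poster's server first returned).
    results["401_no_header"] = client_handle(401, {})
    # 2. 401 with the OAuth challenge EHL suggested.
    results["401_oauth"] = client_handle(*oauth_error_response(True)[:2])
    # 3. 403, as the poster proposes.
    results["403"] = client_handle(*oauth_error_response(False)[:2])
    return results


if __name__ == "__main__":
    for case, outcome in demo().items():
        print(case, "->", outcome)
```

The model makes the thread's two complaints concrete: a client that treats 401 as an HTTP-auth challenge warns once when the header is missing and again when it names a scheme it has no handler for, while a 403 is simply a final refusal that triggers no auth logic at all.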