On Fri, May 10, 2019 at 07:14:52PM -0400, Keith Moore wrote:
> On 5/10/19 6:47 PM, Nico Williams wrote:
> > This is also why 3xx redirect-based authentication methods are winning
> > over as-originally-intended 401 / WWW-Authenticate / Authorization
> > methods. It's easier to implement redirect chasing than to implement a
> > pluggable authentication method framework. (Also, it's easier on server
> > devs to use redirects.) I just wish 3xx and 401 weren't mutually
> > exclusive. I posted to art@xxxxxxxx a few weeks ago about that and got
> > no replies, sadly.
>
> It has long seemed to me that the early available 401-based methods (by
> which I mean the ones available in browsers from mid to late 1990s) failed
> largely because of their inflexibility and relatively poor user experience
> provided by the browsers, and especially because avoiding 401 altogether and
> using redirects and cookies instead allowed each site to customize the login
> user experience. Then the latter became widely held mindshare that
> redirects and cookies are how you do authentication.

[...]

There are lots of problems with HTTP authentication driving the move to 3xx
redirects, no doubt. The problem I have is that a server that can do both
3xx- and 401-based authentication has to pick one without knowing which (if
any) the user-agent can also do.

"Only do 3xx" is not a good answer: it has driven "API keys" into existence
because non-browser, non-interactive apps can't do what browsers with a human
user in front of them can, and API keys are not a step up, especially not if
you have a Kerberos infrastructure that works like a well-oiled machine.
Kerberos has a lot of problems, and is not an Internet-scale protocol, but as
it happens GSS-API w/ Kerberos is quite well supported outside HTTP apps (and
even there), so 3xx ends up driving a step-down into API keys, and in some
cases also a need to have multiple names for the same service.

I do not object to 3xx-based authentication. I just want a better way to
support everything that works.

Nico
--
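As an added example, not code from the thread or from any project named in it: the decision a server faces above, between a 401 challenge and a 3xx redirect for an unauthenticated request, made from the only evidence available, the user-agent's own request headers. Browser navigations go to the cookie/form login; everything else gets a 401 whose WWW-Authenticate lists the server's real schemes (Negotiate for GSS-API/Kerberos clients, Bearer for token clients), so a non-interactive client does not need an API key. The login path, realm, the fetch-metadata/Accept heuristic and the set of supported schemes are assumptions for illustration.

```python
"""Added example (not from the mailing-list thread): pick 401-challenge vs
3xx-redirect for an unauthenticated HTTP request using request headers only.
LOGIN_PAGE, REALM, SUPPORTED_SCHEMES and the browser heuristic are assumptions."""
from urllib.parse import quote

LOGIN_PAGE = "/login"                        # assumed: site's cookie/form login page
REALM = "example.internal"                   # assumed: realm advertised to Bearer clients
SUPPORTED_SCHEMES = ("Negotiate", "Bearer")  # assumed: schemes the server can verify


def _header(headers, name):
    """Case-insensitive lookup in a plain dict of request headers."""
    for key, value in headers.items():
        if key.lower() == name.lower():
            return value
    return None


def looks_interactive(headers):
    """Heuristic (assumption): is this a browser navigation that can follow a
    redirect to an HTML login form?  Sec-Fetch-Mode: navigate is the strongest
    signal; otherwise fall back to whether the first Accept entry is HTML.
    curl, HTTP libraries and service accounts normally send neither."""
    mode = _header(headers, "Sec-Fetch-Mode")
    if mode is not None:
        return mode.strip().lower() == "navigate"
    accept = _header(headers, "Accept") or ""
    first = accept.split(",")[0].split(";")[0].strip().lower()
    return first in ("text/html", "application/xhtml+xml")


def credential_scheme(headers):
    """Return the auth scheme in an Authorization header if it is one the
    server supports, else None.  A real server hands the token that follows
    the scheme to GSS-API (Negotiate) or a token validator (Bearer)."""
    auth = _header(headers, "Authorization")
    if not auth:
        return None
    scheme = auth.split(None, 1)[0]
    for supported in SUPPORTED_SCHEMES:
        if scheme.lower() == supported.lower():
            return supported
    return None


def unauthenticated_response(path, headers):
    """Return (status, response_headers, body) for a request without usable
    credentials.  Interactive browser -> 302 to the login form.  Anything
    else -> 401 with a WWW-Authenticate that lists every scheme the server
    actually verifies (comma-separated challenges, RFC 7235 syntax).  The
    401 body still links to the login form, so a browser that cannot answer
    any listed scheme is not left with a blank error page."""
    next_url = f"{LOGIN_PAGE}?next={quote(path, safe='')}"
    if looks_interactive(headers):
        return 302, {"Location": next_url, "Cache-Control": "no-store"}, b""
    challenges = []
    for scheme in SUPPORTED_SCHEMES:
        # Negotiate takes no parameters in its initial challenge (RFC 4559);
        # Bearer carries a realm (RFC 6750).
        challenges.append(f'{scheme} realm="{REALM}"' if scheme == "Bearer" else scheme)
    body = (f"<html><body>Authentication required. "
            f'<a href="{next_url}">Log in</a></body></html>').encode()
    return 401, {"WWW-Authenticate": ", ".join(challenges),
                 "Content-Type": "text/html; charset=utf-8",
                 "Cache-Control": "no-store"}, body


if __name__ == "__main__":
    # Constructed sample requests: an API client and a browser navigation.
    api = {"Accept": "application/json", "User-Agent": "curl/8.0"}
    browser = {"Accept": "text/html,application/xhtml+xml,*/*;q=0.8",
               "Sec-Fetch-Mode": "navigate"}
    print(unauthenticated_response("/api/v1/items", api)[:2])
    print(unauthenticated_response("/dashboard", browser)[:2])
```

The heuristic is the weak point, which is exactly the complaint in the message: nothing in the request tells the server which of the two flows the client can complete, so the server guesses. Sending the 401 with an HTML body that links to the login form is the closest a server can get to "both at once" without a 3xx that also carries a challenge.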