[foaf-protocols] HTTP response code for bad auth, webid
Bruno Harbulot
Bruno.Harbulot at manchester.ac.uk
Tue Jan 19 14:58:28 CET 2010
Hi Peter,
Peter Williams wrote:
> When the webid does not meet the identity (vs authorization)
> requirements of the resource, what HTTP response code are folks returning?
I've just sent this suggestion to the HTTP WG mailing list:
http://lists.w3.org/Archives/Public/ietf-http-wg/2010JanMar/0047.html
(This consists of having a type of challenge for WWW-Authenticate for
certificates.)
> Conventionally, cert invalidity errors are transport failures, rather
> than HTTP failures. But, does such a notion exist in linked data theory?
>
> We cannot realistically send back a 401, as that would induce an
> inappropriate HTTP-level challenge. I’m sending back a 400 for now.
I would say a 401 would be appropriate for the insufficient
authentication and 403 for insufficient authorisation, but as you've
noticed, the 401 requires a WWW-Authenticate header that doesn't
currently exist unfortunately.
I haven't tried to see how browsers would behave if the server sent
"WWW-Authenticate: transport"; I suspect some might not like it. If
browsers don't choke on this, I'd say it's better than 400, but
otherwise, 400 seems like the best of available choices indeed (I won't
suggest creating a custom 4xx status code).
In terms of linked data (and that's something I haven't mentioned on the
HTTP WG list), the advantage of a challenge header is that we can add
parameters, one of which could be a URI of something that describes what
the server would prefer, for example.
This could vaguely look like this:
WWW-Authenticate: transport mode="tls-client-certificate",
foaf-ssl-affiliation="http://foaf.example/#me"
Best wishes,
Bruno.
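As an added illustration (my own code, not from the thread or from any WebID/FOAF+SSL implementation): a small Python helper that maps the outcome of a WebID check onto the 401/403/400 choices discussed above, and builds and parses the sketched "transport" challenge. The "transport" scheme and its mode / foaf-ssl-affiliation parameters are only the proposal from the post, not a registered scheme; the client_accepts_401_challenge switch standing in for "browsers don't choke on it" is an assumption.

```python
import re

# Proposed (not registered) challenge scheme from the thread.
CHALLENGE_SCHEME = "transport"

# One auth-param in the RFC 2617 style: token "=" ( token | quoted-string ),
# followed by a comma separator or the end of the header value.
_PARAM_RE = re.compile(
    r'\s*([A-Za-z0-9!#$%&\'*+.^_`|~-]+)\s*=\s*'
    r'(?:"((?:[^"\\]|\\.)*)"|([^,\s"]+))\s*(?:,|$)'
)


def build_challenge(mode, affiliation=None):
    """Serialise the sketched challenge, quoting values safely."""
    def quoted(value):
        return '"' + value.replace("\\", "\\\\").replace('"', '\\"') + '"'
    params = ["mode=" + quoted(mode)]
    if affiliation is not None:
        params.append("foaf-ssl-affiliation=" + quoted(affiliation))
    return CHALLENGE_SCHEME + " " + ", ".join(params)


def parse_challenge(header_value):
    """Return (scheme, params) for a WWW-Authenticate value; reject garbage."""
    scheme, _, rest = header_value.strip().partition(" ")
    params, pos = {}, 0
    while pos < len(rest):
        match = _PARAM_RE.match(rest, pos)
        if not match:
            raise ValueError("malformed auth-param near %r" % rest[pos:pos + 20])
        name, quoted_value, token_value = match.groups()
        value = token_value if quoted_value is None \
            else re.sub(r"\\(.)", r"\1", quoted_value)  # undo quoted-pair escapes
        params[name.lower()] = value
        pos = match.end()
    return scheme.lower(), params


def respond(cert_presented, identity_ok, authorized, affiliation=None,
            client_accepts_401_challenge=True):
    """Status code and headers per the thread: 401 (with challenge) when the
    identity is missing or unverifiable, 403 when identified but not authorised,
    400 as the fallback when the client cannot handle the 401 challenge."""
    if not (cert_presented and identity_ok):
        if client_accepts_401_challenge:
            challenge = build_challenge("tls-client-certificate", affiliation)
            return 401, {"WWW-Authenticate": challenge}
        return 400, {}
    if not authorized:
        return 403, {}
    return 200, {}
```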