Re: Access Authorization

Tony Sanders (sanders@bsdi.com)
Tue, 14 Sep 1993 11:44:30 -0500


> The reason the authentication protocol must be conducted over the same
> connection as the data transmission is that the server cannot be
> absolutely sure from one connection to the next whether it is talking
> to the same client. That's the whole point of authentication, after
> all.
You can do some authentication using a single request.

Here is what I think you want for more complex protocols. Note that this
is a departure from the current proposal because putting the authorization
scheme after "401" code is too limiting. Consider this a request to
change the proposal.

client:
GET /document HTTP/1.0\r\n
\r\n
server:
HTTP/1.0 401 Unauthorized
Authenticate: External-KerberosIV, realm="bsdi.com",principle="foo"
Authenticate: PK-reverse, principle="joe's-computers"
Authenticate: basic; kerberos

Example of OUT-OF-BAND Authentication
=====================================

client:
GET /document HTTP/1.0\r\n
...
Authorization: External-KerberosIV\r\n
\r\n
[kerberos bits]
server:
[kerberos bits]
client:
[kerberos bits]
server:
HTTP/1.0 200 Document follows
...
Content-type: text/html
\r\n
<HEAD>...</HEAD><BODY>...</BODY>

Example of IN-BAND Authentication
=================================
client:
GET /document HTTP/1.0\r\n
...
Authorization: PK-reverse key="987f98e987a987b987c98"
\r\n
server:
HTTP/1.0 200 Document follows
...
Content-type: text/html
\r\n
<HEAD>...</HEAD><BODY>...</BODY>

--sanders
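As an added example (not part of Tony Sanders' message or any implementation of the proposal), here is a small Python parser for the multi-`Authenticate:` challenge form sketched above, plus the client-side scheme selection it implies. The header grammar is an assumption inferred from the three sample lines: one scheme followed by optional comma-separated `name="value"` parameters, or several bare scheme names separated by `;`.

```python
"""Parse the proposed multi-``Authenticate:`` 401 challenge and pick a scheme.

Added example; the header grammar is assumed from the post's three sample
lines, not taken from any specification.
"""
import re
from typing import Dict, List, Optional, Set, Tuple

Challenge = Tuple[str, Dict[str, str]]

# Constructed copy of the server's 401 response from the post (CRLF line ends).
SAMPLE_401 = (
    "HTTP/1.0 401 Unauthorized\r\n"
    'Authenticate: External-KerberosIV, realm="bsdi.com",principle="foo"\r\n'
    'Authenticate: PK-reverse, principle="joe\'s-computers"\r\n'
    "Authenticate: basic; kerberos\r\n"
    "\r\n"
)

# One quoted parameter: name="value", followed by a comma or end of value.
_PARAM = re.compile(r'\s*([A-Za-z][\w-]*)\s*=\s*"([^"]*)"\s*(?:,|$)')


def parse_challenge(value: str) -> List[Challenge]:
    """Turn one Authenticate header value into (scheme, params) pairs."""
    head, sep, rest = value.partition(",")
    if ";" in head and not sep:
        # "basic; kerberos": several parameter-less schemes in one header.
        return [(s.strip().lower(), {}) for s in head.split(";") if s.strip()]
    params = {m.group(1).lower(): m.group(2) for m in _PARAM.finditer(rest)}
    return [(head.strip().lower(), params)]


def parse_401(response: str) -> List[Challenge]:
    """Collect every Authenticate challenge from a raw 401 response, in order."""
    header_block = response.split("\r\n\r\n", 1)[0]
    status, *lines = header_block.split("\r\n")
    if not status.startswith("HTTP/1.0 401"):
        raise ValueError("not a 401 response: " + status)
    challenges: List[Challenge] = []
    for line in lines:
        name, _, value = line.partition(":")
        if name.strip().lower() == "authenticate":
            challenges.extend(parse_challenge(value.strip()))
    return challenges


def choose_scheme(challenges: List[Challenge], supported: Set[str]) -> Optional[Challenge]:
    """Return the first server-offered scheme the client supports; None means
    the client must not fall back to sending credentials under another scheme."""
    for scheme, params in challenges:
        if scheme in supported:
            return scheme, params
    return None
```

Because the server's preference order is preserved, a client supporting both `pk-reverse` and `basic` selects the in-band PK-reverse challenge rather than the weaker `basic` listed later.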