web-payments/web-payments.org

Should the HTTP Signature Auth Scheme support WWW-Authenticate?

From a review of the HTTP Signature Auth Scheme by @mnot:

You don't define a corresponding challenge. Your use cases might not require a 401 + WWW-Authenticate, but have you considered that some will want this?

From @msporny:

Yes, we did consider it. We wanted this to be a mostly "you're verified or you're not" mechanism. We didn't really want any sort of back-and-forth negotiation. That said, it's a weak argument because you probably want to be able to notify clients that they could access the resource if they provided a signature. If we decide that this is going to use the "Authorization" header (and not some new kind of header), we'll define the WWW-Authenticate bits of it.

The rest of the thread can be found here: http://lists.w3.org/Archives/Public/public-webpayments/2014Feb/0019.html

We should also say something about whether or not the spec applies to Proxy-Authenticate. Note to self: learn about Proxy Authentication.