New header field vs existing Authorization header #2432
Comments
Is this rather about using the Authorization header?
🤦 Yep!
@chris-wood can you elaborate on "as we note in the HTTP authentication scheme for Privacy Pass"? I skimmed through that draft and it seems to clearly require a TokenChallenge before sending a Token.
I thought we had text that described it, but I can't find it. In any case, I think one can send the Authorization header unsolicited, so I think this draft ought to do that instead of rolling a new auth header.
Fair enough, let's discuss this at 116.
FWIW, I agree that unprompted "Authorization" is permissible in this context, but I think "Unprompted-Authorization" could be useful for clarity when reading logs, etc.
Discussed at IETF 116, sense of the room appeared to be that switching to Authorization made sense.
OK wrote up #2571 to address this
Is there a technical reason why the WWW-Authenticate header was not chosen for this draft? That can be sent without a corresponding challenge (in an unprompted way), as we note in the HTTP authentication scheme for Privacy Pass. It seems like that would work in this context, too.