
Security section needs details on Client Authentication failure

Open identitymonk opened this issue 9 months ago • 2 comments

While AuthZEN neither guides nor enforces a specific authentication mechanism for the PEP towards the PDP, the specification should be more prescriptive on the format of the response expected to be sent by the PDP in this case.

identitymonk avatar Apr 01 '25 13:04 identitymonk

Do you have a proposal on what that could look like?

ogazitt avatar Apr 15 '25 22:04 ogazitt

I recommend using [RFC2617] and an HTTP error code of 401 Unauthorized with a "WWW-Authenticate" header and an error code expressing the type of auth-scheme expected and the realm to talk to.

The text would be of the form:

---- Start ----

If the protected resource request does not include authentication credentials, does not contain the proper authentication scheme, or does not have a valid authentication scheme proof that enables access to the protected resource, the resource server MUST respond with a 401 HTTP code and include the HTTP "WWW-Authenticate" response header field; it MAY include it in response to other conditions as well. The "WWW-Authenticate" header field uses the framework defined by HTTP/1.1 [RFC2617] and indicates the expected auth-scheme as well as the realm that has authority for it.

The following is a non-normative example response:

HTTP/1.1 401 Unauthorized
WWW-Authenticate: Bearer realm="https://as.mycompany.com"

---- End ----

identitymonk avatar Apr 16 '25 14:04 identitymonk

  • HTTP 401 should be a MUST
  • the WWW-Authenticate should be a SHOULD

davidjbrossard avatar Jun 20 '25 20:06 davidjbrossard

"MUST respond with a 401 HTTP code and SHOULD include the HTTP" as discussed on today's call @identitymonk

ggebel avatar Jul 15 '25 22:07 ggebel

Reworked as:

---- Start ----

If the protected resource request does not include authentication credentials, does not contain the proper authentication scheme, or does not have a valid authentication scheme proof that enables access to the protected resource, the resource server MUST respond with a 401 HTTP code and SHOULD include the HTTP "WWW-Authenticate" response header field; it MAY include it in response to other conditions as well. The "WWW-Authenticate" header field uses the framework defined by HTTP/1.1 [RFC2617] and indicates the expected auth-scheme as well as the realm that has authority for it.

The following is a non-normative example response:

HTTP/1.1 401 Unauthorized
WWW-Authenticate: Bearer realm="https://as.example.com"

---- End ----

identitymonk avatar Jul 15 '25 22:07 identitymonk

@identitymonk we need clarification: do you intend to make authentication mandatory or do you mean to clarify the error code in case of failed authentication?

Thanks

davidjbrossard avatar Aug 14 '25 19:08 davidjbrossard

I mean to clarify the format of the error message to return in case the authentication expected is not met by the PEP. This is independent of whether there is an authentication expected by the PDP or not.

I am not changing the fact that this specification does not go beyond recommending authentication without making it mandatory.

identitymonk avatar Aug 19 '25 08:08 identitymonk

updating to:

If the protected resource request does not include the proper authentication credentials, does not contain the proper authentication scheme, or does not have a valid authentication scheme proof that enables access to the protected resource, the resource server MUST respond with a 401 HTTP code and SHOULD include the HTTP "WWW-Authenticate" response header field; it MAY include it in response to other conditions as well. The "WWW-Authenticate" header field uses the framework defined by HTTP/1.1 [RFC2617] and indicates the expected auth-scheme as well as the realm that has authority for it.


identitymonk avatar Aug 19 '25 09:08 identitymonk
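The three failure cases the proposed text enumerates (no credentials, wrong auth-scheme, invalid proof) and the 401 + WWW-Authenticate response they share, as an added example that is not part of this issue thread or of the AuthZEN project's own code. It assumes a PDP that expects a bearer token (RFC 6750 style) and advertises the realm from the non-normative example; the token value, the `pdp_authenticate` and `pep_parse_challenge` names, and the header dictionaries are constructed for illustration. It goes one step beyond the thread by also showing the PEP side parsing the challenge it receives, which is what a PEP needs in order to learn which scheme and realm the PDP wants:

```python
"""Hypothetical PDP-side authentication check for an AuthZEN evaluation
request, plus the PEP-side parsing of the resulting WWW-Authenticate header.
Added example; not code from the AuthZEN specification or project."""
import hmac
import re

# Assumptions (not from the issue): the PDP expects a bearer token and
# advertises this realm; the token is a fixed shared secret so the example
# runs offline. Both values are constructed samples.
REALM = "https://as.example.com"
EXPECTED_TOKEN = "s3cr3t-pep-token"


def pdp_authenticate(headers: dict) -> tuple[int, dict]:
    """Return (status, response_headers) for the PDP's authentication step.

    Following the proposed spec text: if the request carries no credentials,
    the wrong auth-scheme, or an invalid proof, respond 401 (MUST) and include
    WWW-Authenticate naming the expected scheme and realm (SHOULD).
    """
    challenge = {"WWW-Authenticate": f'Bearer realm="{REALM}"'}
    # HTTP header names are case-insensitive, so normalise before lookup.
    norm = {k.lower(): v for k, v in headers.items()}
    auth = norm.get("authorization")
    if auth is None:
        return 401, challenge                  # no credentials at all
    scheme, _, proof = auth.partition(" ")
    if scheme.lower() != "bearer":
        return 401, challenge                  # wrong auth-scheme (e.g. Basic)
    # Constant-time comparison so the check does not leak the token by timing.
    if not hmac.compare_digest(proof.strip(), EXPECTED_TOKEN):
        return 401, challenge                  # invalid or missing proof
    return 200, {}


_CHALLENGE_RE = re.compile(r"^(?P<scheme>[A-Za-z0-9._~+/-]+)\s*(?P<params>.*)$")
_PARAM_RE = re.compile(r'(\w+)="([^"]*)"|(\w+)=([^\s,]+)')


def pep_parse_challenge(header_value: str) -> dict:
    """PEP side: split the PDP's WWW-Authenticate value into scheme and params.

    Returns e.g. {"scheme": "Bearer", "realm": "https://as.example.com"}.
    Handles a single challenge only; a header listing several challenges
    would need further splitting (simplification for this example).
    """
    m = _CHALLENGE_RE.match(header_value.strip())
    if not m:
        raise ValueError(f"unparseable challenge: {header_value!r}")
    out = {"scheme": m.group("scheme")}
    for q_key, q_val, b_key, b_val in _PARAM_RE.findall(m.group("params")):
        out[(q_key or b_key).lower()] = q_val if q_key else b_val
    return out


if __name__ == "__main__":
    # Constructed sample requests from a PEP, one per failure case plus success.
    for req in ({},
                {"Authorization": "Basic dXNlcjpwdw=="},
                {"authorization": "Bearer not-the-token"},
                {"Authorization": "Bearer s3cr3t-pep-token"}):
        status, hdrs = pdp_authenticate(req)
        print(status, hdrs)
        if status == 401:
            print("  PEP sees:", pep_parse_challenge(hdrs["WWW-Authenticate"]))
```

Note that the PDP deliberately returns the same challenge for all three failure cases: distinguishing "no token" from "bad token" in the response body would tell an unauthenticated caller which tokens are close to valid, so the only differentiation a PEP needs is the scheme and realm it must go and satisfy.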

Thanks @identitymonk

davidjbrossard avatar Aug 19 '25 09:08 davidjbrossard