[Osr-101] What's the Neutron-Auth header good for?
Andreas Wuest
awuest at student.ethz.ch
Tue Aug 8 18:45:07 CEST 2006
Hi
On 8.8.2006 at 12:04, Thomas Comiotto wrote:
>> it's not about the client, but about the server. If the server just
>> receives a regular GET request, how should it be able to figure out
>> what kind of authentication the client supports? If you can answer me
>> this question then I am happy to remove it, but we have discussed
>> this several times and nobody had an answer.
>>
>
> No. We did discuss and even made a point I think. But you didn't agree
> (or maybe you just didn't listen).
>
> The server has to know that it deals with a neutron request not only in
> case of authentication. So how do you deal with that? You do so by
> either looking at the user-agent header
That may not be the best idea, since we really shouldn't go on and mess
with the user-agent string when using a host application (like Ulysses
currently does, being an extension to Firefox), because other extensions
might be messing with that string as well. So it may not be a reliable
way of telling the server who we are.
> or by assuming that all command
> urls given by some introspection file are requested by a neutron
> client. As I said before and as Andi did too, the latter is just fine.
Yes, that's basically what I said some time ago: if the client was able
to access that certain URI, this means that the client must be
Neutron-enabled, because otherwise it wouldn't even know about that URI
in the first place.
Now, the counterargument was that the server then has to have some logic
to distinguish URIs, i.e. it has to know that /index.html can be
accessed by normal clients as well as Neutron-enabled clients, whereas
/foo.html can only be accessed by Neutron-enabled clients. AFAIR, this
was said to create major suckage for the server, and it would therefore
be easier if the client would reveal itself using a header field.
OTOH, when having URIs of the form ...&usecase=open, the server already
knows that it has to do something special, so it may as well just assume
that it is dealing with a Neutron-enabled client.
> Neutron clients SHOULD support basic/digest (since they are http
> clients), they MUST support neutron authorization exceptions since they
> are neutron clients.
Basic/digest is kind of hard to implement, so we headed for custom
authentication first.
--
Kind regards,
Andi