HTTP Authentication Bindings for "two-party" OpenID Authentication
Julian Reschke
julian.reschke at gmx.de
Sun Apr 1 20:30:40 UTC 2007
John Panzer wrote:
> ...
> Our Atom service currently provides the standard Allow: header to tell a
> client what methods are allowed for a given URI + authorization
> context. The set of allowed methods changes depending on authorization
> or lack thereof.
> ...
Hm. I'm not sure this is a good idea. HTTP distinguishes between 405 Not
Allowed and 401 Auth required or 403 Forbidden.
I think the Allow header should list those methods which will not cause
a 405 to be returned, so authorization is a completely orthogonal issue.
Best regards, Julian
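
The separation argued for in the message above, as an added example that is not part of the original post or of any Atom service's code: the method check (405) runs before, and independently of, the authorization check (401/403), so Allow is the same for every caller. The paths, user names, ACL and the Basic realm are constructed assumptions.

```python
# Added illustration: resource names, users and the ACL below are constructed.
RESOURCE_METHODS = {           # methods each resource implements at all
    "/feed": {"GET", "HEAD", "POST"},
    "/feed/entry1": {"GET", "HEAD", "PUT", "DELETE"},
}
SAFE = {"GET", "HEAD"}         # readable without credentials in this sample
ACL = {"/feed": {"alice"}, "/feed/entry1": {"alice"}}  # who may write


def allow_header(path):
    """Allow lists what the resource supports, independent of the caller."""
    return ", ".join(sorted(RESOURCE_METHODS[path]))


def respond(method, path, user=None):
    """Return (status, headers), keeping 405 separate from 401/403."""
    if path not in RESOURCE_METHODS:
        return 404, {}
    headers = {"Allow": allow_header(path)}
    # Method check first: the answer is the same for every caller.
    if method not in RESOURCE_METHODS[path]:
        return 405, headers
    if method in SAFE:
        return 200, headers
    # Authorization check second; it never alters Allow.
    if user is None:
        # Assumed challenge scheme for the sample; a 401 must carry one.
        headers["WWW-Authenticate"] = 'Basic realm="atom"'
        return 401, headers
    if user not in ACL[path]:
        return 403, headers
    return 200, headers
```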