openstack team mailing list archive

Thread
Date

Re: State of OpenStack Auth

To: Jorge Williams <jorge.williams@xxxxxxxxxxxxx>
From: Soren Hansen <soren@xxxxxxxxxx>
Date: Wed, 2 Mar 2011 15:17:41 +0100
Cc: "<openstack@xxxxxxxxxxxxxxxxxxx>" <openstack@xxxxxxxxxxxxxxxxxxx>
In-reply-to: <11634_1299072856_p22DYALG011000_31A6F50F-DB23-459D-8D90-F7AB1E9141A8@rackspace.com>
Sender: soren@xxxxxxxxxxx

2011/3/2 Jorge Williams <jorge.williams@xxxxxxxxxxxxx>:
> 1)  Weak support in HTTP client libraries.

a) This surprises me. I definitely remember using cookies with several
different http libraries.

b) There is *no* support for the current alternative, since it's
something that was made up for this particular purpose. If people use
http libriaries that do support cookies, they get Rackspace Cloud API
auth support for free. If not, they simply have to do it manually in a
manner elmost identical to what they have to do now, except with a
different HTTP header name.

> HTTP libs tend to not handle them at all or to not handle them correctly. In the Java world,  for example, java.net.* doesn't handle cookies very well. There are certainly other libs that handle them, but a whole bunch of software is built on top of java.net.* including some popular REST libraries.

What if we supported cookes on the server side, but noted in the API
docs that broken clients can pass the it as the X-Auth-Token header?

> 2)  Say you make a request and don't include your cookie in it. A typical webapp will simply redirect you to a login form.  But what should happen in a REST API?  Should you get a 401?  I think it's a little fuzzy how we would handle this correctly.

401 sounds reasonable. If the client says it Accepts: text/html, we
could redirect it somewhere useful. If not, just leave the response
empty. How does that sound?

> If you want browser support -- and personally I think all of our APIs should be browser friendly -- I think the best approach is to support an establish scheme like HTTP Basic or Digest.  These schemes have great client lib support.  They are supported in a friendly way by browsers.  And they don't break HTTP semantics, so you don't get a redirect when you should be getting a request for credentials.

That would certainly work. I was just specifically wondering why we're
doing something that has semantics extremely close to cookies, yet
don't use cookies. Whatever it is we do that makes it possible to do
stuff directly in a browser sounds great to me. :)


-- 
Soren Hansen
Ubuntu Developer    http://www.ubuntu.com/
OpenStack Developer http://www.openstack.org/

Follow ups

Re: State of OpenStack Auth
From: Jorge Williams, 2011-03-02

References

State of OpenStack Auth
From: Eric Day, 2011-03-01
Re: State of OpenStack Auth
From: Soren Hansen, 2011-03-01
Re: State of OpenStack Auth
From: Eric Day, 2011-03-01
Re: State of OpenStack Auth
From: Soren Hansen, 2011-03-01
Re: State of OpenStack Auth
From: Eric Day, 2011-03-01
Re: State of OpenStack Auth
From: Jorge Williams, 2011-03-02