3.2.7.12 Origin Server Authentication

This local event can occur when a Describe request is received. The purpose of this local event is to enable the higher layer to authenticate the client. After the higher layer has authenticated the client, or if the higher layer determines that authentication is not required, the higher layer is expected to specify whether the client is authorized to access the content identified by the URL in the Describe request.

The server MUST provide the following information to the higher layer:

  • The URL that the client specified in the Describe request.

  • The value of the Authorization header (defined in [RFC2326] section 12.5), if any, that was provided by the client in the Describe request. If the Authorization header is not present in the request, the server MUST inform the higher layer that this header is missing.

  • The list of authentication schemes in the X-Accept-Authentication header (section 2.2.6.14), if any, that was provided by the client in the Describe request. The server MUST specify to the higher layer that the list is arranged in order of preference, with the most preferred authentication scheme at the head of the list. If the X-Accept-Authentication header is not present in the request, the server MUST inform the higher layer that this header is missing.

After the information has been provided to the higher layer, the server MUST be prepared to receive the following from the higher layer:

  • The value that the server shall put in the WWW-Authenticate header (defined in [RFC2326] section 12.44) in the response, or an indication that no WWW-Authenticate header shall be sent in the response. If the higher layer does not provide this information, the server MUST assume that no WWW-Authenticate header needs to be sent in the response.

  • If no value for the WWW-Authenticate header is provided, an indication of whether the client is authorized or not authorized to access the content. If the higher layer does not provide this indication and does not provide a value for the WWW-Authenticate header, the server MUST assume that the client is authorized to access the content.
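As an added illustration, not part of the specification, the following Python models the two halves of this local event: the information a server extracts from a Describe request for the higher layer, and the defaults the server applies to whatever the higher layer returns. The sample request is constructed, and the RTSP status codes are taken from RFC 2326 as an assumption, since this section names none.

```python
from dataclasses import dataclass
from typing import List, Optional

# Constructed sample DESCRIBE request (not from the spec). It carries no
# Authorization header, so that case is reported as "missing" (None).
SAMPLE_REQUEST = (
    "DESCRIBE rtsp://media.example.test/clip.wmv RTSP/1.0\r\n"
    "CSeq: 2\r\n"
    "X-Accept-Authentication: Negotiate, NTLM, Digest, Basic\r\n"
    "\r\n"
)


@dataclass
class AuthEvent:
    """What the server MUST hand to the higher layer (section 3.2.7.12)."""
    url: str
    authorization: Optional[str]         # None means the header is missing
    accept_schemes: Optional[List[str]]  # None means missing; most preferred first


def parse_describe(raw: str) -> AuthEvent:
    """Extract the three items this section requires from a DESCRIBE request."""
    head, _, _body = raw.partition("\r\n\r\n")
    lines = head.split("\r\n")
    method, url, _version = lines[0].split(" ", 2)
    if method != "DESCRIBE":
        raise ValueError("Origin Server Authentication applies to DESCRIBE only")
    headers = {}
    for line in lines[1:]:
        name, _, value = line.partition(":")
        headers[name.strip().lower()] = value.strip()
    raw_schemes = headers.get("x-accept-authentication")
    schemes = None
    if raw_schemes is not None:
        # Preserve the client's order: the head of the list is the preferred scheme.
        schemes = [s.strip() for s in raw_schemes.split(",") if s.strip()]
    return AuthEvent(url=url, authorization=headers.get("authorization"),
                     accept_schemes=schemes)


def decide(www_authenticate: Optional[str], authorized: Optional[bool]) -> int:
    """Apply the section's defaults to the higher layer's answer; returns a status code."""
    if www_authenticate is not None:
        return 401  # challenge the client (status code assumed from RFC 2326)
    if authorized is None:
        # Spec default: with neither a challenge nor a verdict, the server MUST
        # treat the client as authorized. A higher layer that stays silent
        # therefore fails open, which is worth a check in your own integration.
        authorized = True
    return 200 if authorized else 403  # codes assumed from RFC 2326
```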