Skip to content

/ api-guidelines

New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Add authorization header to simple set as well as suggest its usage #93

Open
wants to merge 2 commits into
base: vNext
from
Open

Add authorization header to simple set as well as suggest its usage #93

wants to merge 2 commits into from

Conversation

@oneturkmen
Copy link

oneturkmen commented Aug 17, 2017

PR relates to issue #91.
@oneturkmen
Added authorization header to simple set as well as suggested its usage
2eda117
@RobDolinMS RobDolinMS mentioned this pull request Aug 30, 2017
Closed
@oneturkmen
Copy link
Author

oneturkmen commented Sep 13, 2017
edited

Any update?
@darrelmiller
darrelmiller reviewed Sep 14, 2017
View changes
Guidelines.md Outdated
@@ -627,7 +627,7 @@ Add an Access-Control-Max-Age pref response header containing the number of seco
Because browser preflight response caches are notoriously weak, the additional round trip from a preflight response hurts performance.
Services used by interactive Web clients where performance is critical SHOULD avoid patterns that cause a preflight request
- For GET and HEAD calls, avoid requiring request headers that are not part of the simple set above. Allow them to be provided as query parameters instead.
- The Authorization header is not part of the simple set, so the authentication token MUST be sent through the "access_token" query parameter instead, for resources requiring authentication. Note that passing authentication tokens in the URL is not recommended, because it can lead to the token getting recorded in server logs and exposed to anyone with access to those logs. Services that accept authentication tokens through the URL MUST take steps to mitigate the security risks, such as using short-lived authentication tokens, suppressing the auth token from getting logged, and controlling access to server logs.
- The Authorization header (AH) SHOULD be used as method of providing authentication information (thus, can be included in the simple set). AH provides authentication of the IP header and next-level protocol data. Security services are initiated between two communicating hosts, between two communicating security gateways or between a security gateway and a host. Note that passing authentication tokens in the URL is not recommended, because it can lead to the token getting recorded in server logs and exposed to anyone with access to those logs. Services that accept authentication tokens through the URL MUST take steps to mitigate the security risks, such as using short-lived authentication tokens, suppressing the auth token from getting logged, and controlling access to server logs.

This comment has been minimized.

Sign in to view
Copy link
@darrelmiller

darrelmiller Sep 14, 2017

Member

I think just a minor modification to the last part of the paragraph is what is needed. e.g.

Although the Authorization Header is not part of the CORS simple set, passing authentication tokens in the URL is not recommended, because it can lead to the token getting recorded in server logs and exposed to anyone with access to those logs. Services that accept authentication tokens through the URL MUST take steps to mitigate the security risks, such as using short-lived authentication tokens, suppressing the auth token from getting logged, and controlling access to server logs.

I don't think we need to start trying to explain what the Authorization Header is, or how it can be used.

This comment has been minimized.

Sign in to view
Copy link
@oneturkmen

oneturkmen Sep 15, 2017

Author

Thank you for the feedback. Will make changes now.
Batyr Nuryyev
update changes after review
Loading status checks…
eb89f97
@oneturkmen
Copy link
Author

oneturkmen commented Sep 15, 2017

@darrelmiller just updated the changes. I think it should be good now.

By the way, when writing this guidelines, what web resources did you use?
@oneturkmen oneturkmen closed this Sep 15, 2017
@oneturkmen oneturkmen reopened this Sep 15, 2017
@darrelmiller
Copy link
Member

darrelmiller commented Sep 15, 2017

Thanks for the update. I wasn't involved when the original guidelines were being written but I'm guessing that many different sources were used to derive these guidelines.
@garethj-msft
Copy link
Member

garethj-msft commented Sep 15, 2017

Thanks both. We seem to have lost in the shuffle that if you HAVE to pass the token in the URL due to your perf requirement, then the way to do it MUST be to use the "access_token" query parameter, which seems to be encoded in the initial intent of the paragraph. or am I missing something.
@darrelmiller
Copy link
Member

darrelmiller commented Sep 16, 2017

@garethj-msft You are correct, we dropped that. I guess I read what I expected to read. I didn't expect the guidelines to enforce a query parameter name. I see the value in doing that, but my gut is telling me that's a bad idea. I need to think about that some more.

But regardless, the existing guidance says it MUST be "access_token" so we shouldn't change that in this PR.
@microsoft microsoft deleted a comment from msftclas Sep 26, 2017
@microsoft microsoft deleted a comment from msftclas Sep 26, 2017
Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment
Reviewers

@darrelmiller darrelmiller

Assignees
No one assigned
Labels
None yet
Projects
None yet
Milestone
No milestone
Linked issues

Successfully merging this pull request may close these issues.

None yet

5 participants
@oneturkmen @darrelmiller @garethj-msft @msftclas @msftgits
You can’t perform that action at this time.