401 responses do not include WWW-Authenticate header
Affects | Status | Importance | Assigned to | Milestone | |
---|---|---|---|---|---|
OpenStack Identity (keystone) | Fix Released | Low | Jeffrey Zhang | | |
Bug Description
When an HTTP 1.1 server responds with 401 status code, it MUST include a WWW-Authenticate header. Keystone is not including the WWW-Authenticate header when it responds with 401.
See http://
$ curl -i http://
HTTP/1.1 401 Not Authorized
Vary: X-Auth-Token
Content-Type: application/json
Content-Length: 116
Date: Mon, 11 Mar 2013 18:35:57 GMT
{"error": {"message": "The request you have made requires authentication.", "code": 401, "title": "Not Authorized"}}
The server should have included WWW-Authenticate in the response. I don't know what it should be set to, but according to the HTTP 1.1 RFC, it has to be set to something.
Changed in keystone: | |
assignee: | nobody → buronix (ruben-buron) |
Changed in keystone: | |
milestone: | none → icehouse-1 |
status: | Fix Committed → Fix Released |
Changed in keystone: | |
milestone: | icehouse-1 → 2014.1 |
I believe keystoneclient.middleware.auth_token sets WWW-Authenticate to the location of keystone's auth endpoint. I think it would be appropriate for the 401 from keystone itself to point to /v3/auth/token if raised by v3.
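
A minimal WSGI wrapper showing the behavior the report asks for, added here as an example and not Keystone's actual fix or any commenter's code: it appends a WWW-Authenticate challenge to any 401 response that lacks one and leaves other responses alone. The `Keystone uri=...` challenge value, the example host, and the names `EnsureChallenge`, `bare_401_app` and `call` are assumptions made for illustration.

```python
from wsgiref.util import setup_testing_defaults

# Assumption: placeholder challenge value; the scheme name and URI are not taken from Keystone.
CHALLENGE = 'Keystone uri="http://keystone.example.test:5000"'


class EnsureChallenge:
    """Wrap a WSGI app so that every 401 it emits carries WWW-Authenticate."""

    def __init__(self, app, challenge=CHALLENGE):
        self.app = app
        self.challenge = challenge

    def __call__(self, environ, start_response):
        def patched_start(status, headers, exc_info=None):
            is_401 = status.split(" ", 1)[0] == "401"
            has_challenge = any(k.lower() == "www-authenticate" for k, _ in headers)
            if is_401 and not has_challenge:
                headers = list(headers) + [("WWW-Authenticate", self.challenge)]
            return start_response(status, headers, exc_info)
        return self.app(environ, patched_start)


def bare_401_app(environ, start_response):
    """Constructed stand-in that reproduces the header set shown in the report."""
    body = b'{"error": {"code": 401, "title": "Not Authorized"}}'
    start_response("401 Not Authorized", [
        ("Vary", "X-Auth-Token"),
        ("Content-Type", "application/json"),
        ("Content-Length", str(len(body))),
    ])
    return [body]


def call(app):
    """Drive a WSGI app once; return (status, headers) with lowercased header names."""
    captured, environ = {}, {}
    setup_testing_defaults(environ)

    def start_response(status, headers, exc_info=None):
        captured["status"] = status
        captured["headers"] = {k.lower(): v for k, v in headers}

    b"".join(app(environ, start_response))
    return captured["status"], captured["headers"]
```

The same `call` helper works as a regression check: run it against each handler that can return 401 and fail the build when `www-authenticate` is missing from the headers.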