
For instance, if a request failed due to no authorization, clients expect a 401. However, if a server returns a 200 but with a message indicating failure to authenticate, does this technically go against the HTTP protocol? From my research it appears the answer is "Yes, it does. Failures should at the very least be 4xx but ideally more descriptive i.e. 401", but I'm curious if such a variance in status code actually breaks protocol or if they are merely strong suggestions.

  • It doesn't break the fundamental HTTP protocol, that just requires some status code: developer.mozilla.org/en-US/docs/Web/HTTP/Overview#responses, developer.mozilla.org/en-US/docs/Web/HTTP/Messages#status_line. Ideas like restful APIs are semantics on top of the protocol. Commented Feb 8, 2023 at 16:52
  • @jonrsharpe That link seems to indicate that a status code indicating the success of the response is required. Also, the RFC seems lax on the necessity of a descriptive response, but forceful in that the leading digit of the status code should at the very least indicate how the response was handled, if at all. httpwg.org/specs/rfc9110.html#status.codes Commented Feb 8, 2023 at 16:56
  • 1
    Then I guess it comes down to what you mean by "break". It's syntactically correct, so recipients won't e.g. fail to parse the response, but may be semantically incorrect. 200 vs. 401 may cause behavioural differences due to caching, for example. There may also be other protocols on top of HTTP - e.g. GraphQL conventionally responds 200 OK with errors in the body, as the request succeeded from an HTTP perspective despite errors at the GraphQL level. Commented Feb 8, 2023 at 18:37

1 Answer


RFC 9110 HTTP Semantics tells us that:

A client cannot begin using an upgraded protocol on the connection until it has completely sent the request message (i.e., the client can't change the protocol it is sending in the middle of a message). If a server receives both an Upgrade and an Expect header field with the "100-continue" expectation (Section 10.1.1), the server MUST send a 100 (Continue) response before sending a 101 (Switching Protocols) response

In the same RFC:

The key words "MUST", "MUST NOT", "REQUIRED", "SHALL", "SHALL NOT", "SHOULD", "SHOULD NOT", "RECOMMENDED", "NOT RECOMMENDED", "MAY", and "OPTIONAL" in this document are to be interpreted as described in BCP 14 [RFC2119] [RFC8174] when, and only when, they appear in all capitals, as shown here.

And finally RFC 2119:

  1. MUST: This word, or the terms "REQUIRED" or "SHALL", mean that the definition is an absolute requirement of the specification.

Therefore, if the server wants to support HTTP/1.1, it can't ignore some of the protocol's strict requirements, such as returning a specified status code in certain cases.

In your example, the client doesn't have to wait for a response with 401 status code because the server generates a 401 when it wants to. If the server believes the client should authenticate, it will send a 401, but it can also send a 403 instead. For instance, on servers that use Session authentication (authentication occurs through cookies and the request body), a 401 is never sent.

However, if the server decides to send a 401, RFC 9110 requires it to include the "WWW-Authenticate" header.

A server generating a 401 (Unauthorized) response MUST send a WWW-Authenticate header field containing at least one challenge. A server MAY generate a WWW-Authenticate header field in other response messages to indicate that supplying credentials (or different credentials) might affect the response.
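As an added illustration (not code from the answer or from RFC 9110), here is a small Python checker that applies the rules discussed above to a parsed response: it flags a status code outside the three-digit range as malformed, a 401 without WWW-Authenticate as a MUST violation, and a 2xx whose body reports an authentication failure as a semantic mismatch. The `Response` class and the JSON `error`-field convention used to detect a failure body are assumptions made for this example.

```python
import json
from dataclasses import dataclass, field

@dataclass
class Response:
    """Minimal parsed HTTP response (constructed for this example)."""
    status: int
    headers: dict = field(default_factory=dict)
    body: str = ""

def body_reports_auth_failure(body: str) -> bool:
    """Assumed API convention (not from the question): a JSON body whose
    'error' field mentions authentication/authorization signals auth failure."""
    try:
        doc = json.loads(body)
    except (ValueError, TypeError):
        return False
    err = str(doc.get("error", "")).lower() if isinstance(doc, dict) else ""
    return any(word in err for word in ("unauthorized", "unauthenticated", "auth"))

def check_response(resp: Response) -> list:
    """Return findings about the response; an empty list means no issue found."""
    findings = []
    # Syntactic rule: the status line needs a three-digit code in 1xx..5xx.
    if not 100 <= resp.status <= 599:
        findings.append(f"MALFORMED: status {resp.status} is not a valid 3-digit code")
        return findings
    headers = {k.lower(): v for k, v in resp.headers.items()}
    # RFC 9110 MUST: a 401 carries at least one challenge in WWW-Authenticate.
    if resp.status == 401 and "www-authenticate" not in headers:
        findings.append("VIOLATION: 401 without WWW-Authenticate header")
    # Semantic mismatch from the question: 2xx, yet the body says auth failed.
    # Protocol-wise this parses fine, but caches and generic clients treat
    # the response as success, so the failure is hidden from them.
    if 200 <= resp.status < 300 and body_reports_auth_failure(resp.body):
        findings.append("SEMANTIC: 2xx status but body reports an authentication failure")
    return findings

if __name__ == "__main__":
    samples = [
        Response(401, {"WWW-Authenticate": 'Bearer realm="api"'}),
        Response(401),
        Response(200, {"Content-Type": "application/json"},
                 '{"error": "unauthorized", "detail": "token expired"}'),
        Response(403),
    ]
    for s in samples:
        print(s.status, check_response(s) or "ok")
```

A 403 with no challenge header produces no finding, matching the answer's point that a server may choose 403 instead of 401.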
