Location header with 401?

[marcstern]

Hello.
Why not returning the Location header also with 401?
This would allow the client to know where to find the login page (although they need to know the syntax to login anyway). In some cases (when you have multiple IdP), it can be useful.
In the worst case, it won't hurt ...

[zandbelt]

I'm not sure about the use case, in case of multiple IDPs the user is redirected to a discovery page that can optionally be skipped by configuring OIDCDiscoverURL to point to a specific IDP for a particular location, see https://github.com/zmartzone/mod_auth_openidc/wiki/Multiple-Providers#discovery

the 401 by default would only be returned for non-browser requests, you can change that by using Require claim iss:<issuer> and UnAuthzAction 302 <url>, see https://github.com/zmartzone/mod_auth_openidc/wiki/Step-up-Authentication but the (non-browser) Client would have to know how to handle this indeed

[marcstern]

Sometimes the IdP is well identified by the server, but not by the client. In this case, it can use the Location header, like a browser.
Generating a 302 for an API wouldn't make, but a 401 with the Location header, that can be used easily.

[zandbelt]

I don't see how a Client could be extended to handle a Location header in a 401 but not in a 302; the latter is standard usage anyway, I see no point in adding a non-standard feature that results in the same behaviour.

Discovery allows the server to identify the IDP by config and sends the 302 to the correct IDP to the client when using OIDCUnAuthAction auth in that Location.

[marcstern]

Let me clarify:
If a single page application receives a 302 with a Location when calling, for instance, an image, it thinks that the image has to be retrieved somewhere else (cf. Location header).
In the same case, if the single page application receives a 401, it knows it has to redirect the page to the authentication server. But it doesn't know where the authentication page is located. If we add the Location header, the application knows where to redirect the page.
When using pure API, the Location header would probably not be used, I agree; but for SPA it highly simplifies the handling of a 401.

[zandbelt]

on a 401 the SPA just needs to refresh the top level window after which the redirect with the authentication request automatically happens

[marcstern]

That's usually right, unless the application opens a layer/frame/pop-up for the authentication

[zandbelt]

authenticating in an iframe is strongly discouraged anyway in OAuth security recommendations because of clickjacking attacks