[atlas] Changes to RIPE Atlas API auth status codes on 2 Oct
Chris Amin
camin at ripe.net
Mon Oct 2 13:09:59 CEST 2023
This change has now been made, so some endpoints will return a 401 status code instead of 403.

As a reminder, you can keep the previous behaviour for the rest of this year by including the following HTTP header in your requests:

X-Compat: auth-2023

or alternatively, thanks to my generalized calendar confusion:

X-Compat: auth-2022

This migration measure will be dropped some time in January (of whatever year comes after this one).

Regards,
Chris

On 19/09/2023 10:38, Chris Amin wrote:
> Dear colleagues,
>
> Currently the RIPE Atlas REST API (https://atlas.ripe.net/api/v2/)
> returns a 403 Forbidden status code in two cases:
>
> * When a request requires authentication but the user has not provided
>   any credentials, or has provided incorrect credentials
> * When a user has authenticated correctly, but they or their API key
>   lacks the permissions needed for a particular request
>
> Distinguishing between these two cases is important because in the first
> case the client can potentially get access by authenticating, and in the
> second case there is no point in retrying authentication with the same
> credentials.
>
> In order to enable this distinction, and to generally conform to web
> standards and best practices, on Monday, 2nd October we will change the
> REST API so that a completely unauthenticated request will receive a
> response with a 401 Unauthorized status code. The 403 Forbidden status
> code will still be returned for users and API keys that are
> authenticated but lack the necessary permissions for the request.
>
> As a temporary migration measure, the API will keep the same behaviour
> (always return 403) if either:
>
> * The "Referer" header contains "RIPE Atlas Tools" and a version string
>   <= 3.1.1, or
> * An "X-Compat" header is set and contains the string "auth-2022"
>
> This temporary measure is guaranteed to work for the rest of 2022, after
> which it will be removed and the API will always make the 401/403
> distinction.
>
> Kind regards,
> Chris Amin
> RIPE Atlas team
>
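The status-code rules announced in this thread, written out as a small Python model together with what a client can conclude from each response. This is an added example, not RIPE Atlas code and not part of the original message; the function names, the 200 used for a successful request, and the way the version is read from the Referer header are assumptions.

```python
import re

# X-Compat tokens named in the thread as keeping the old behaviour.
COMPAT_TOKENS = ("auth-2022", "auth-2023")
LAST_LEGACY_TOOLS = (3, 1, 1)  # "RIPE Atlas Tools" versions <= 3.1.1


def wants_legacy(headers):
    """True if the request qualifies for the temporary always-403 behaviour."""
    h = {k.lower(): v for k, v in headers.items()}
    if any(tok in h.get("x-compat", "") for tok in COMPAT_TOKENS):
        return True
    # Assumption: the version is the first dotted number that follows
    # "RIPE Atlas Tools"; the thread does not give the exact header layout.
    m = re.search(r"RIPE Atlas Tools\D*(\d+(?:\.\d+)*)", h.get("referer", ""))
    if m:
        version = tuple(int(part) for part in m.group(1).split("."))
        return version <= LAST_LEGACY_TOOLS
    return False


def expected_status(authenticated, permitted, headers):
    """Status described in the thread for a request that needs authentication.

    `authenticated` means the credentials were accepted. Assumption: missing
    and rejected credentials are treated alike, and success is shown as 200.
    """
    if authenticated and permitted:
        return 200
    if authenticated:
        return 403  # valid credentials, insufficient permissions
    return 403 if wants_legacy(headers) else 401


def client_action(status, headers):
    """What a client can conclude from the status it received."""
    if status == 401:
        return "authenticate"  # access may be possible after authenticating
    if status == 403:
        # In legacy mode 403 covers both cases and cannot be told apart.
        return "ambiguous" if wants_legacy(headers) else "do-not-retry"
    return "ok"


if __name__ == "__main__":
    # Constructed sample headers, not captured traffic.
    for hdrs in ({}, {"X-Compat": "auth-2023"}, {"Referer": "RIPE Atlas Tools 3.1.0"}):
        status = expected_status(False, False, hdrs)
        print(hdrs, status, client_action(status, hdrs))
```

A client that still sends X-Compat cannot rely on 403 meaning "permission denied", which is the reason to drop the header once the client handles 401.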