Changes to RIPE Atlas API auth status codes on 2 Oct
Dear colleagues,

Currently the RIPE Atlas REST API (https://atlas.ripe.net/api/v2/) returns a 403 Forbidden status code in two cases:

* When a request requires authentication but the user has not provided any credentials, or has provided incorrect credentials
* When a user has authenticated correctly, but they or their API key lacks the permissions needed for a particular request

Distinguishing between these two cases is important because in the first case the client can potentially get access by authenticating, and in the second case there is no point in retrying authentication with the same credentials.

In order to enable this distinction, and to generally conform to web standards and best practices, on Monday, 2nd October we will change the REST API so that a completely unauthenticated request will receive a response with a 401 Unauthorized status code. The 403 Forbidden status code will still be returned for users and API keys that are authenticated but lack the necessary permissions for the request.

As a temporary migration measure, the API will keep the same behaviour (always return 403) if either:

* The "Referer" header contains "RIPE Atlas Tools" and a version string <= 3.1.1, or
* An "X-Compat" header is set and contains the string "auth-2022"

This temporary measure is guaranteed to work for the rest of 2022, after which it will be removed and the API will always make the 401/403 distinction.

Kind regards,
Chris Amin
RIPE Atlas team
On 19/09/2023 10:38, Chris Amin wrote:
> As a temporary migration measure, the API will keep the same behaviour (always return 403) if either:
> * The "Referer" header contains "RIPE Atlas Tools" and a version string <= 3.1.1, or

Apologies, this should refer to the "User-Agent" header and not the "Referer" header.

> * An "X-Compat" header is set and contains the string "auth-2022"
> This temporary measure is guaranteed to work for the rest of 2022, after which it will be removed and the API will always make the 401/403 distinction.
Hi,

On Tue, Sep 19, 2023 at 10:38:29AM +0200, Chris Amin wrote:
> This temporary measure is guaranteed to work for the rest of 2022,

So which iteration of 2022 would that be?

Gert Doering
        -- NetMaster
--
have you enabled IPv6 on something today...?

SpaceNet AG                        Vorstand: Sebastian v. Bomhard, Michael Emmer
Joseph-Dollinger-Bogen 14          Aufsichtsratsvors.: A. Grundner-Culemann
D-80807 Muenchen                   HRB: 136055 (AG Muenchen)
Tel: +49 (0)89/32356-444           USt-IdNr.: DE813185279
On 19/09/2023 11:11, Gert Doering wrote:
> This temporary measure is guaranteed to work for the rest of 2022,
>
> So which iteration of 2022 would that be?

Thanks Gert. This was of course deliberate to see whether people were paying attention.

The temporary measure is *also* guaranteed to work for the rest of 2023, and the X-Compat header may contain either "auth-2022" or "auth-2023" to maintain the old behaviour until the end of this year.

Chris
This change has now been made, so some endpoints will return a 401 status code instead of 403.

As a reminder, you can keep the previous behaviour for the rest of this year by including the following HTTP header in your requests:

X-Compat: auth-2023

or alternatively, thanks to my generalized calendar confusion:

X-Compat: auth-2022

This migration measure will be dropped some time in January (of whatever year comes after this one).

Regards,
Chris

On 19/09/2023 10:38, Chris Amin wrote:
> Dear colleagues,
>
> Currently the RIPE Atlas REST API (https://atlas.ripe.net/api/v2/) returns a 403 Forbidden status code in two cases:
>
> * When a request requires authentication but the user has not provided any credentials, or has provided incorrect credentials
> * When a user has authenticated correctly, but they or their API key lacks the permissions needed for a particular request
>
> Distinguishing between these two cases is important because in the first case the client can potentially get access by authenticating, and in the second case there is no point in retrying authentication with the same credentials.
>
> In order to enable this distinction, and to generally conform to web standards and best practices, on Monday, 2nd October we will change the REST API so that a completely unauthenticated request will receive a response with a 401 Unauthorized status code. The 403 Forbidden status code will still be returned for users and API keys that are authenticated but lack the necessary permissions for the request.
>
> As a temporary migration measure, the API will keep the same behaviour (always return 403) if either:
>
> * The "Referer" header contains "RIPE Atlas Tools" and a version string <= 3.1.1, or
> * An "X-Compat" header is set and contains the string "auth-2022"
>
> This temporary measure is guaranteed to work for the rest of 2022, after which it will be removed and the API will always make the 401/403 distinction.
>
> Kind regards,
> Chris Amin
> RIPE Atlas team
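A client-side decision helper for the 401/403 split and the two migration switches described in this thread, added here as an example (it is not RIPE NCC code). The exact layout of the version string in the RIPE Atlas Tools User-Agent is assumed, and the header dictionaries are constructed sample input.

```python
import re

# Assumed: the RIPE Atlas Tools User-Agent carries "RIPE Atlas Tools" followed
# somewhere by a dotted x.y.z version. Versions <= 3.1.1 keep always-403 behaviour.
LEGACY_TOOLS_MAX = (3, 1, 1)
UA_VERSION_RE = re.compile(r"RIPE Atlas Tools\D*(\d+)\.(\d+)\.(\d+)")
# Both values were accepted per the follow-up in the thread.
COMPAT_VALUES = {"auth-2022", "auth-2023"}


def legacy_mode(headers: dict) -> bool:
    """True if the request headers opt into the old always-403 behaviour."""
    lower = {k.lower(): v for k, v in headers.items()}  # header names are case-insensitive
    m = UA_VERSION_RE.search(lower.get("user-agent", ""))
    if m and tuple(int(x) for x in m.groups()) <= LEGACY_TOOLS_MAX:
        return True
    compat = lower.get("x-compat", "")
    return any(v.strip() in COMPAT_VALUES for v in compat.split(","))


def next_action(status: int, sent_credentials: bool, legacy: bool) -> str:
    """What a client should do after an auth-related response.

    'authenticate'      -> retry after supplying (correct) credentials may succeed
    'check-permissions' -> credentials were accepted; retrying the same key is pointless
    'proceed'           -> not an auth failure
    """
    if status == 401:
        return "authenticate"
    if status == 403:
        if legacy:
            # Old behaviour: 403 covers both cases, so only the client's own
            # knowledge of whether it sent credentials can disambiguate.
            return "authenticate" if not sent_credentials else "check-permissions"
        return "check-permissions"
    return "proceed"


if __name__ == "__main__":
    hdrs = {"User-Agent": "RIPE Atlas Tools (constructed) 3.1.1"}  # constructed sample
    print(legacy_mode(hdrs), next_action(403, True, legacy_mode(hdrs)))
```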