It doesn't seem to exist a standard for this header name. Apache and F5 let the user choose it, but this make the configuration more complicated. I don't think that the name is a problem, because it can be set on the authorization server.

If the certificate is transmited, all other informations are duplicated (except Auth-Verify). Forwarding the certificate is the most usefull, because it can be used to make controls on its properties.

Kind regards,
Franck Levionnois.

2014-03-07 12:31 GMT+01:00 Maxim Dounin <mdounin@mdounin.ru>:

On Fri, Mar 07, 2014 at 09:40:11AM +0100, Franck Levionnois wrote:

> Hello,
> I haven't seen any comment on this patch. Is it ok for you ?

Sorry, I haven't yet had a time to look into it in detail.

Most problematic part is still auth_http protocol changes - in
particular, headers send and names used for them.  I tend to think
there should be better names, and probably we can safely omit some
information as duplicate/unneeded.

Maxim Dounin

nginx-devel mailing list