HTTP Authentication Bindings for "two-party" OpenID Authentication
John Panzer
jpanzer at aol.net
Sun Apr 1 01:33:50 UTC 2007
Martin Atkins wrote:
>...
>The obvious approach is to specify a way to do DH associations over an
>HTTP authentication protocol. However, it's not clear to me how to do a
>multi-stage authentication handshake efficiently over HTTP auth, since
>HTTP authentication is based around sending the request, getting back a
>401 Unauthorized response and then repeating the request in its entirety
>with appropriate authentication credentials.
>
>
A client can send an Authorization: header with any request, if it has
prior knowledge of what scheme(s) the server will support and/or whether
a given URI is protected.
A server can provide a WWW-Authenticate: header on any request (say,
HEAD or OPTIONS) and a client can peek at it to see what authentication
schemes the server supports. But there's no (standard) way to tell
whether a particular URI + method requires authorization without just
trying it. Services such as GData get around this by documenting which
URIs and which methods require what type of authorization; could that be
sufficient?
Our Atom service currently provides the standard Allow: header to tell a
client what methods are allowed for a given URI + authorization
context. The set of allowed methods changes depending on authorization
or lack thereof.
--
John Panzer
System Architect
http://abstractioneer.org
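The two mechanisms described above (a client that sends Authorization: preemptively from prior knowledge, and a server that advertises WWW-Authenticate: on any response while varying Allow: with the authorization context) can be sketched in a few lines. The following Python is an added example written for this page, not code from the thread or from AOL's Atom service; it assumes HTTP Basic as the advertised scheme (the post names none), a constructed user table, and an in-process handle() function standing in for the origin server so that the exchange runs offline.

```python
import base64
import hmac

# Constructed credential store for the example (hypothetical user/password).
USERS = {"alice": "correct horse battery staple"}
REALM = "example"

# Methods permitted on the protected resource without and with a valid
# authorization context; the Allow header is derived from these.
ALLOW_ANON = ("GET", "HEAD", "OPTIONS")
ALLOW_AUTH = ("GET", "HEAD", "OPTIONS", "PUT", "DELETE")


def _check_basic(authorization):
    """Return the username if the header carries valid Basic credentials, else None."""
    if not authorization:
        return None
    scheme, _, param = authorization.partition(" ")
    if scheme.lower() != "basic":
        return None
    try:
        user, _, password = base64.b64decode(param.strip()).decode().partition(":")
    except (ValueError, UnicodeDecodeError):
        return None
    expected = USERS.get(user)
    if expected is None or not hmac.compare_digest(expected.encode(), password.encode()):
        return None
    return user


def handle(method, path, headers):
    """Stand-in origin server: returns (status, response_headers) for one request."""
    user = _check_basic(headers.get("Authorization"))
    allowed = ALLOW_AUTH if user else ALLOW_ANON
    resp = {
        # Allow reflects the caller's authorization context, as in the post.
        "Allow": ", ".join(allowed),
        # Advertised on every response so a client can peek at it via HEAD/OPTIONS.
        "WWW-Authenticate": f'Basic realm="{REALM}"',
    }
    if method not in allowed:
        if user is None and method in ALLOW_AUTH:
            return 401, resp  # protected method, no valid credentials: challenge
        return 405, resp      # method not allowed in any context
    return 200, resp


def client_discover(path):
    """Peek at WWW-Authenticate with an OPTIONS request (no credentials sent)."""
    _, hdrs = handle("OPTIONS", path, {})
    challenges = hdrs.get("WWW-Authenticate", "").split(",")
    return [c.strip().split(" ")[0] for c in challenges if c.strip()]


def client_put(path, user, password, preemptive=True):
    """Send a PUT; with prior knowledge the credentials go on the first try.

    Returns (final_status, round_trips) so the saved round-trip is visible.
    """
    token = base64.b64encode(f"{user}:{password}".encode()).decode()
    auth = {"Authorization": f"Basic {token}"}
    round_trips = 0
    if not preemptive:
        # Naive flow: try without credentials, expect 401, then repeat in full.
        round_trips += 1
        status, _ = handle("PUT", path, {})
        if status != 401:
            return status, round_trips
    round_trips += 1
    status, _ = handle("PUT", path, auth)
    return status, round_trips


if __name__ == "__main__":
    print("schemes:", client_discover("/entry"))
    print("anon GET:", handle("GET", "/entry", {}))
    print("anon PUT:", handle("PUT", "/entry", {}))
    print("preemptive PUT:", client_put("/entry", "alice", USERS["alice"]))
    print("challenge-first PUT:", client_put("/entry", "alice", USERS["alice"], preemptive=False))
```

The preemptive path saves the 401 round-trip only when the client's prior knowledge is right; a client that guesses wrong hands its credentials to a URI that never asked for them, which is why documenting which URIs and methods require which authorization (the GData approach mentioned above) matters as much as the optimisation itself.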