W3C home > Mailing lists > Public > ietf-http-wg@w3.org > October to December 2011

Re: HTTP request header field for acceptable authentication methods

From: Dominik Tomaszuk <ddooss@wp.pl>
Date: Mon, 31 Oct 2011 10:27:41 +0100
Message-ID: <4EAE6A0D.5040802@wp.pl>
To: public-xg-webid@w3.org, fielding@gbiv.com, julian.reschke@greenbytes.de
CC: foaf-protocols@lists.foaf-project.org, public-rww@w3.org, ietf-http-wg@w3.org
On 30.10.2011 22:38, bergi wrote:
> Currently my and maybe most other web applications with WebID support
> have the following flow for user authentication:
>
> - The user sees your web page with reduced content
> - The user follows the login link
> - The login resource asks for a client certificate
> - The WebID gets bound to the session cookie
> - The server sends a redirect to the original page
> - Finally the user sees page with the content for that WebID
>
> For example the Java address book application or most robots want to
> access the resource in a RESTful way and will not use the described
> flow. I haven't found a way to force the use of a client certificate if
> the server doesn't ask for one. I propose to use a HTTP header field to
> tell the server that the client is able to authenticate with a WebID. As
> such a field could be also useful for other authentication methods I
> would chose a generic name. There are already some Accept-* fields I
> would follow that pattern. As it's currently not a standard field I
> would prefix that field with X-. Multiple values must have the same
> format as defined for the Accept field. Also the quality parameter must
> be handled by the server.
>
> Example only with WebID authentication:
> X-Accept-Authentication: WebID
>
> Example with WebID and Basic authentication:
> X-Accept-Authentication: WebID, Basic;q=0.9
>
> What do you think about my proposal?
It might be interesting to HTTPBis, part 7: Authentication [1] and 
HTTPBis Authentication Scheme Registrations [2]

[1] http://tools.ietf.org/html/draft-ietf-httpbis-p7-auth-16
[2] 
http://tools.ietf.org/html/draft-ietf-httpbis-authscheme-registrations-02

Best,
Dominik 'domel' Tomaszuk
Received on Monday, 31 October 2011 09:28:20 GMT

This archive was generated by hypermail 2.2.0+W3C-0.50 : Friday, 27 April 2012 06:51:49 GMT