W3C home > Mailing lists > Public > public-rww@w3.org > October 2011

HTTP request header field for acceptable authentication methods

From: bergi <bergi@axolotlfarm.org>
Date: Sun, 30 Oct 2011 22:38:59 +0100
Message-ID: <4EADC3F3.5000602@axolotlfarm.org>
To: foaf-protocols@lists.foaf-project.org, public-rww@w3.org, WebID XG <public-xg-webid@w3.org>
Currently my and maybe most other web applications with WebID support
have the following flow for user authentication:

- The user sees your web page with reduced content
- The user follows the login link
- The login resource asks for a client certificate
- The WebID gets bound to the session cookie
- The server sends a redirect to the original page
- Finally the user sees page with the content for that WebID

For example the Java address book application or most robots want to
access the resource in a RESTful way and will not use the described
flow. I haven't found a way to force the use of a client certificate if
the server doesn't ask for one. I propose to use a HTTP header field to
tell the server that the client is able to authenticate with a WebID. As
such a field could be also useful for other authentication methods I
would chose a generic name. There are already some Accept-* fields I
would follow that pattern. As it's currently not a standard field I
would prefix that field with X-. Multiple values must have the same
format as defined for the Accept field. Also the quality parameter must
be handled by the server.

Example only with WebID authentication:
X-Accept-Authentication: WebID

Example with WebID and Basic authentication:
X-Accept-Authentication: WebID, Basic;q=0.9

What do you think about my proposal?


the bergi
Received on Sunday, 30 October 2011 21:39:40 GMT

This archive was generated by hypermail 2.2.0+W3C-0.50 : Monday, 30 April 2012 12:56:01 GMT