Re: Authentication over HTTP

One area of previous work that may be relevant is Web-Single-Signon 
systems. These tend to rely on some unattractive mix of JavaScript, 
cookies, and other gimmicks to complete the authentication exchange, but 
they are representative of what people have tried to layer on top of 
HTTP/1.1 to replace Basic auth, and provide sessions of a sort.

Shibboleth and CAS are notable examples using SAML and Kerberos 
respectively.

It seems like there are use cases to delegate authentication to a 
trusted third-party and/or maintain sessions.

There may be some mechanisms that HTTP/2.0 could support to make this 
easier, but it's a different question than just the framework used by 
Basic and Digest auth.

Received on Wednesday, 17 July 2013 11:05:12 UTC