Well, I told you I only just started noodling. You're absolutely right
of course.
Another solution that comes to mind is to mimic LDAP. In this case, the authenticating application actually binds to the user resource as the authenticating user using Basic/SSL. This keeps the user's credentials in the header, while allowing the application to use content negotiation to ask for a SAML token or whatever it's interested in.
Pete
Mitch Stewart wrote:
If you place the password inside the URL as a parameter, won't that be "sniffable" because the URL contents are not encrypted via SSL, only the payload of the request? I think that's why Basic Authentication sends the data inside the body of the POST as opposed to parameters within a URL.
Mitch
-----Original Message-----
From: Peter Lacey [mailto:[EMAIL PROTECTED]
Sent: Tuesday, October 02, 2007 2:55 PM
To: [email protected]
Subject: Re: Restful Login/Identifier
I have only just started musing over the very same idea. In my thinking the URLs would be much more readable. The core user resource would be something like http://example.com/users/{uname}. To use this for authentication purposes, an application would receive credentials from the user, and GET a URL like the following from the RESTful authentication service: https://example.com/users/{uname},{passwd} (note the use of SSL). That could return the same resource as the previous URL, but more usefully could return, say, a SAML token appropriate for the asking application.
Of course, one should not just assume that the proposed URI scheme will last forever, so a better solution is for a client to first request a form (from a "cool" URL), e.g., http://example.com/authentication_form. That form will contain the necessary fields to populate and (assuming it's an HTML form) will allow you to construct a URL. However, in this case the URL would end up looking something like this: https://example.com/users?uname=placey&passwd=sekrit, which isn't as pretty as the other version, but serves the same purpose and uses a standard recipe for link construction.
Pete
JC wrote:
I am trying to develop a Restful login system. Using a web service I want to identify a user based on their user name and password, but I am not sure of the best (Restful) approach.
I would like to avoid the RPC approach of calling an authenticate method, passing in a user name and password.
The best (Restful) solution I have come up w/ so far is to have the URL HTTPS://www.example.com/user/{user}. The {user} placeholder would be the MD5 value of the concatenated string of user name + password.
Ex.
User name: MyName
Password: MyPassword
{user} = MD5(MyName+MyPassword)
If the user is found, return an XML representation of the user; if not, return a 404 error.
Thoughts, comments, suggestions?
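The header-based "bind" that Pete describes, worked through as an added example that is not code from anyone on this thread. It is a toy request handler, not a real server: the user store, salt, signing key, the `application/x-example-token` media type, the `X-Requesting-App` header and the stand-in token format are all constructed for the example (the token only stands in for the SAML assertion mentioned above). The client binds to `/users/{uname}` with Basic credentials over TLS, may only reach its own resource, and chooses the representation through `Accept`. The last function shows the practical difference between the two URL styles in the thread: under TLS the path and query are encrypted on the wire, but they are written to ordinary access logs (and browser history and Referer headers), whereas an `Authorization` header is not normally logged. Passwords are stored as salted PBKDF2 hashes rather than as an unsalted MD5 of name plus password.

```python
import base64
import hashlib
import hmac
import json
from urllib.parse import urlsplit

# Constructed store for the example: one user, password kept as a salted PBKDF2
# hash. The fixed salt and HMAC key only keep the demo deterministic; a real
# service generates the salt per user and keeps the signing key secret.
_SALT = bytes.fromhex("00112233445566778899aabbccddeeff")
_TOKEN_KEY = b"constructed-example-signing-key"


def hash_password(password, salt):
    return hashlib.pbkdf2_hmac("sha256", password.encode("utf-8"), salt, 100_000)


USERS = {"placey": {"salt": _SALT, "hash": hash_password("sekrit", _SALT),
                    "name": "Peter Lacey"}}


def basic_header(user, password):
    """Client side: build the Basic Authorization header value."""
    return "Basic " + base64.b64encode(f"{user}:{password}".encode("utf-8")).decode("ascii")


def parse_basic(authorization):
    """Return (user, password) from a 'Basic <base64>' header value, else None."""
    if not authorization or not authorization.startswith("Basic "):
        return None
    try:
        decoded = base64.b64decode(authorization[6:], validate=True).decode("utf-8")
    except (ValueError, UnicodeDecodeError):
        return None
    user, sep, password = decoded.partition(":")
    return (user, password) if sep else None


def check_password(user, password):
    """Constant-time check; hashes even for unknown users so response timing
    does not reveal whether a user name exists."""
    record = USERS.get(user)
    salt = record["salt"] if record else _SALT
    candidate = hash_password(password, salt)
    expected = record["hash"] if record else candidate
    return record is not None and hmac.compare_digest(candidate, expected)


def issue_token(user, audience):
    """Stand-in for the SAML token: constructed HMAC-signed JSON naming the
    user and the application that asked for it."""
    body = json.dumps({"sub": user, "aud": audience}, sort_keys=True).encode("utf-8")
    sig = hmac.new(_TOKEN_KEY, body, hashlib.sha256).hexdigest()
    return base64.b64encode(body).decode("ascii") + "." + sig


def verify_token(token):
    """Return the assertion dict if the signature checks out, else None."""
    try:
        body_b64, sig = token.split(".", 1)
        body = base64.b64decode(body_b64, validate=True)
    except ValueError:
        return None
    expected = hmac.new(_TOKEN_KEY, body, hashlib.sha256).hexdigest()
    return json.loads(body) if hmac.compare_digest(sig, expected) else None


def handle(method, url, headers):
    """GET /users/{uname}: the client binds as the user with Basic auth, as an
    LDAP bind does; Accept selects the representation. Returns (status, headers, body)."""
    parts = urlsplit(url)
    if parts.scheme != "https":
        # Refuse to read credentials sent in clear instead of authenticating anyway.
        return 403, {"Content-Type": "text/plain"}, "credentials are only accepted over TLS"
    challenge = {"WWW-Authenticate": 'Basic realm="users"'}
    creds = parse_basic(headers.get("Authorization"))
    if creds is None or not check_password(*creds):
        return 401, challenge, ""
    user = creds[0]
    if method != "GET" or parts.path != "/users/" + user:
        # A bind grants access to the binding user's own resource only.
        return 403, {"Content-Type": "text/plain"}, "forbidden"
    accept = headers.get("Accept", "application/json")
    if "application/x-example-token" in accept:  # constructed media type
        token = issue_token(user, headers.get("X-Requesting-App", "unknown"))
        return 200, {"Content-Type": "application/x-example-token"}, token
    body = json.dumps({"uname": user, "name": USERS[user]["name"]})
    return 200, {"Content-Type": "application/json"}, body


def access_log_line(method, url, status):
    """Common Log Format entry as a typical server writes it: the request line
    (path and query) is logged, the Authorization header is not."""
    parts = urlsplit(url)
    target = parts.path + ("?" + parts.query if parts.query else "")
    return f'203.0.113.7 - - [02/Oct/2007:14:55:00 -0400] "{method} {target} HTTP/1.1" {status} -'


if __name__ == "__main__":
    hdrs = {"Authorization": basic_header("placey", "sekrit"),
            "Accept": "application/x-example-token", "X-Requesting-App": "app1"}
    status, _, body = handle("GET", "https://example.com/users/placey", hdrs)
    print(status, verify_token(body))
    print(access_log_line("GET", "https://example.com/users/placey", status))
    # The query form from the thread lands in the same log with the password in it.
    print(access_log_line("GET", "https://example.com/users?uname=placey&passwd=sekrit", 200))
```

Running it prints a 200 with the verified assertion for `app1`, then two log lines: the bind form logs only `/users/placey`, while the query form logs `passwd=sekrit` verbatim.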