Martin Atkins wrote:
> ...
> The obvious approach is to specify a way to do DH associations over an
> HTTP authentication protocol. However, it's not clear to me how to do a
> multi-stage authentication handshake efficiently over HTTP auth, since
> HTTP authentication is based around sending the request, getting back a
> 401 Unauthorized response and then repeating the request in its entirety
> with appropriate authentication credentials.
>

A client can send an Authorization: header with any request, if it has prior knowledge of what scheme(s) the server will support and/or whether a given URI is protected.

A server can provide a WWW-Authenticate: header on any request (say, HEAD or OPTIONS) and a client can peek at it to see what authentication schemes the server supports. But there's no (standard) way to tell whether a particular URI + method requires authorization without just trying it.

Services such as GData get around this by documenting which URIs and which methods require what type of authorization; could that be sufficient?

Our Atom service currently provides the standard Allow: header to tell a client what methods are allowed for a given URI + authorization context. The set of allowed methods changes depending on authorization or lack thereof.

--
John Panzer
System Architect
http://abstractioneer.org

_______________________________________________
specs mailing list
specs@openid.net
http://openid.net/mailman/listinfo/specs
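The request/response behaviour discussed in this message, as an added example that is not part of the original post or of the OpenID specs: a constructed, in-memory model of a server that advertises its schemes in WWW-Authenticate: on every response, varies Allow: with the authorization context, and honours a preemptive Authorization: header so a client with prior knowledge can skip the 401 round trip. The realm, token and path are constructed values, and serve()/probe_allow()/client_post() are hypothetical names.

```python
# Constructed model of the HTTP-auth exchange described in the post. Not the
# OpenID specs' or the author's code; all values below are made up for the example.

SCHEMES = 'Basic realm="atom"'            # constructed: schemes the server supports
VALID_TOKEN = "Basic dXNlcjpzZWNyZXQ="    # constructed: base64("user:secret")
SAFE_METHODS = ("GET", "HEAD", "OPTIONS")


def serve(method, uri, headers):
    """Server side: status plus headers for one request (uri unused in this model)."""
    authed = headers.get("Authorization") == VALID_TOKEN
    # The Allow: set changes with the authorization context, as the post describes.
    allow = "GET, HEAD, OPTIONS, POST, PUT, DELETE" if authed else "GET, HEAD, OPTIONS"
    common = {"WWW-Authenticate": SCHEMES, "Allow": allow}
    if method in SAFE_METHODS:
        return {"status": 200, **common}
    if authed:
        return {"status": 201 if method == "POST" else 204, **common}
    return {"status": 401, **common}      # challenge: client must repeat the request


def probe_allow(uri, token=None):
    """Client side: OPTIONS lets the client peek at WWW-Authenticate: and Allow:
    without attempting the write it actually wants to do."""
    headers = {"Authorization": token} if token else {}
    r = serve("OPTIONS", uri, headers)
    return r["WWW-Authenticate"], {m.strip() for m in r["Allow"].split(",")}


def client_post(uri, token, preemptive):
    """Client side POST; returns (final status, round trips used).
    preemptive=True models prior knowledge: Authorization: goes on the first
    request. preemptive=False is the standard 401-then-repeat-everything dance."""
    headers = {"Authorization": token} if preemptive else {}
    r = serve("POST", uri, headers)
    trips = 1
    if r["status"] == 401 and not preemptive:
        # Read the challenge; only retry if the advertised scheme matches our token.
        if r["WWW-Authenticate"].split()[0] == token.split()[0]:
            r = serve("POST", uri, {"Authorization": token})
            trips += 1
    return r["status"], trips


if __name__ == "__main__":
    print(probe_allow("/feed"))                                  # anonymous Allow set
    print(probe_allow("/feed", VALID_TOKEN))                     # authorized Allow set
    print(client_post("/feed", VALID_TOKEN, preemptive=False))   # (201, 2)
    print(client_post("/feed", VALID_TOKEN, preemptive=True))    # (201, 1)
```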