OpenID Auth for agents and "bots"
Martin Atkins
mart at degeneration.co.uk
Sun Aug 6 22:19:29 UTC 2006
Thomas Broyer wrote:
>
> Per RFC2617, a WWW-Authenticate must have a "realm" parameter,
> otherwise, looks good.
>
> As for the "Relying parties can be allowed to include the
> WWW-Authenticate: OpenID header in a 200 OK response to facilitate
> this", that's basically a need outside the scope of OpenID. It'd be
> real cool if HTTP-Auth (RFC2616/RFC2617) could work without the need
> for 401 (Non Authorized) responses. The main problem here is caching…
>
I'm aware that it's a bit dodgy, which is why I didn't put it in the
main text.

However, I mulled it over a little and no major problems jumped out at
me. Presumably caches must already handle correctly caching of Basic
authentication responses, so surely this would "just work" in that the
cache would see the WWW-Authenticate header in the client request and
know not to cache?

I will admit to having not thought out the complete implications of
this, however. I'm not incredibly fussed about that paragraph in my
proposal if people think it's a bad idea.