Non-browser Identity Verification
Martin Atkins
mart at degeneration.co.uk
Wed May 18 10:08:20 PDT 2005
Martin Atkins wrote:
> The current scheme is (as far as I can see) bound to the browser. If
> this is to become some amazing used-everywhere identity system, I think
> it's important to support non-browser-based auth too. I suspect it might
> already be supported in some sense, but let's think about it a little
> anyway.
>
[...]
Having pondered this, I think the sanest approach here is to simply have
two request modes. The "browser" mode is what we have now. The "raw"
(better name please) mode differs as follows:
* Responses from the ID server are, rather than redirects to a URL,
instead a 200 OK response of type application/x-www-form-urlencoded
containing the url-encoded response parameters. Non-success responses
can use other response codes, such as 403 for "I don't know how to
assert that identity at all".
* When the client makes the request to the ID server, the server
responds with a 401 Unauthorized response and a WWW-Authenticate header.
The client must then prompt the user for a username and password and
make another request. Using cookies for authorization is expressly
forbidden in raw mode because entering the username and password is
taken as implied permission to assert the identity: there is no trust
root or reply URL outside of the browser scenario.
If Cookies were allowed, it would allow browser-bound scripts to pose
as clients and bypass the privacy protection.
This only changes the token-fetching part of the process. Presumably the
client will then submit this token as part of a request to the consumer
which will do the token verification as normal.
It is worth noting that aside from the Cookie special case the "browser"
mode could actually be implemented as a wrapper around the "raw" mode,
and that browser mode is the special case despite it being our only case
currently. (There is nothing stopping an ID server from using HTTP-based
auth in "browser" mode if that is what it wants to do.)
I'll throw out for discussion the matter of whether an explicit mode
selection parameter is the best approach or if it can be inferred from
other stuff.
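As an added illustration of the proposed "raw" mode (example code, not part of the original post or of any Yadis implementation): a toy ID server and non-browser client that walk through the 401 challenge, the credential retry and the 200 url-encoded response, with cookies carrying no authority. HTTP Basic as the WWW-Authenticate scheme, the class and function names, and the response parameter names are assumptions.

```python
import base64
from urllib.parse import urlencode, parse_qsl

CHALLENGE = {"WWW-Authenticate": 'Basic realm="idserver"'}  # Basic is an assumed scheme

class RawIdServer:
    """Toy ID server implementing only the 'raw' request mode."""

    def __init__(self, users):
        # Constructed credential store: identity URL -> (username, password).
        self.users = users

    def handle(self, identity, headers):
        """Return (status, headers, body) for one raw-mode request."""
        # Raw mode: any Cookie header is deliberately ignored. Only credentials
        # entered by the user (Authorization) may authorize the assertion, so a
        # browser-bound script carrying the user's session cookie gains nothing.
        if identity not in self.users:
            return 403, {}, ""                # cannot assert that identity at all
        auth = headers.get("Authorization", "")
        if not auth:
            return 401, dict(CHALLENGE), ""   # first request: demand credentials
        if parse_basic(auth) != self.users[identity]:
            return 401, dict(CHALLENGE), ""   # wrong password: challenge again
        # Success is a 200 with url-encoded parameters, not a redirect.
        body = urlencode({"mode": "id_res", "identity": identity,
                          "token": "constructed-sample-token"})   # assumed names
        return 200, {"Content-Type": "application/x-www-form-urlencoded"}, body

def parse_basic(header):
    """Decode 'Basic base64(user:pass)'; returns (None, None) if malformed."""
    scheme, _, value = header.partition(" ")
    if scheme != "Basic":
        return None, None
    try:
        user, _, pw = base64.b64decode(value, validate=True).decode().partition(":")
    except (ValueError, UnicodeDecodeError):
        return None, None
    return user, pw

def raw_mode_client(server, identity, prompt):
    """Non-browser client: request, answer the 401 challenge, parse the body."""
    status, hdrs, body = server.handle(identity, {})
    if status == 401 and "WWW-Authenticate" in hdrs:
        user, pw = prompt()                     # ask the user for credentials
        cred = base64.b64encode(f"{user}:{pw}".encode()).decode()
        status, hdrs, body = server.handle(identity, {"Authorization": "Basic " + cred})
    if status != 200:
        return None                             # 403 or still unauthorized
    return dict(parse_qsl(body))                # token to hand to the consumer
```

The returned parameters are what the client would then submit to the consumer, which verifies the token exactly as in browser mode.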