OpenID Auth for agents and "bots"

Martin Atkins mart at
Sun Aug 6 22:19:29 UTC 2006

Thomas Broyer wrote:
> Per RFC2617, a WWW-Authenticate must have a "realm" parameter,
> otherwise, looks good.
> As for the "Relying parties can be allowed to include the
> WWW-Authenticate: OpenID header in a 200 OK response to facilitate
> this", that's basically a need outside the scope of OpenID. It'd be
> real cool if HTTP-Auth (RFC2616/RFC2617) could work without the need
> for 401 (Non Authorized) responses. The main problem here is caching…

I'm aware that it's a bit dodgy, which is why I didn't put it in the 
main text.

However, I mulled it over a little and no major problems jumped out at 
me. Presumably caches must already handle correctly caching of Basic 
authentication responses, so surely this would "just work" in that the 
cache would see the WWW-Authenticate header in the client request and 
know not to cache?

I will admit to having not thought out the complete implications of 
this, however. I'm not incredibly fussed about that paragraph in my 
proposal if people think it's a bad idea.

More information about the yadis mailing list