Loading ...
Sorry, an error occurred while loading the content.

Comments on token based authentication for REST service

Expand Messages
  • John Panzer
    All, I m looking to see how best to implement REST-compatible authentication/authorization that works with AOL s OpenAuth service. The service provides ways
    Message 1 of 1 , May 3, 2007
    • 0 Attachment

      I'm looking to see how best to implement REST-compatible authentication/authorization that works with AOL's OpenAuth service.  The service provides ways for users to authenticate themselves and to grant permissions to services to do things such as read buddy lists on behalf of a user.  These permissions are encapsulated in a portable token which can be passed around.

      Thus, the primary requirements are to get clients to pass a token (which combines authentication and authorization) when attempting a method against a resource; and to signal auth(.*) failures in a reasonable way.

      Windows Live and GData both implement custom WWW-Authenticate: header schemes, and unfortunately they don't follow exactly the same pattern, or I'd just copy it.  So here's my current thoughts:

      (1) Clients provide an Authorization: header if they have a token.  The format is:

      Authorization: OpenAuth token="..."

      where ... indicates base64-encoded token data (an opaque string for purposes of this discussion).

      (2) When there is a problem, or the Authorization: header is missing, a 401 response is returned with a WWW-Authenticate: header.

      401 Need user consent
      WWW-Authenticate: OpenAuth realm="AOL", fault="NeedConsent", url="http://my.screenname.aol.com/blah?a=boof&b=zed&...."

      where the status code contains a human readable message, and the WWW-Authenticate OpenAuth header contains the precise fault code, one of {NeedToken, NeedConsent, ExpiredToken}.  If present, the url parameter gives the URL of an HTML page which can be presented to the end user to mitigate the problem according to certain criteria documented elsewhere.  For example it can point to a permissions page which lets the user grant permission to a service to perform a POST.  More likely it would point to a login page.

      Critiques are welcomed.

      AbstractioneerJohn Panzer
      System Architect
    Your message has been successfully submitted and would be delivered to recipients shortly.