Friday, June 26, 2009

RESTful authentication and dealing with form-based auth

Early experiences with OSLC CM 1.0 indicate that discovery of the authentication model of some service providers is needed, especially when form-based authentication is used. I'm doing some searching, research and analysis of various approaches to solving this problem in a consistent manner.
Some options include:
  1. Prohibit the use of form-based authentication
    This involves requiring, at a minimum, the Basic or Digest authentication schemes. This may have implications for some applications, as they may not be well suited to making this change.
  2. Standardize the use of form-based authentication
    Since HTTP's WWW-Authenticate header is extensible, it could be possible to indicate the needed metadata in the header and/or the response body so that the consumer can perform the authentication.
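As an added illustration of option 2 (this code is not from the original post and not from any OSLC specification), here is a consumer-side parser for a WWW-Authenticate value that may carry a hypothetical Form challenge next to the standard Basic or Digest ones. The scheme name Form and the parameters login-url, user-field and password-field are assumptions made for this example.

```python
import re

# Tokens of the RFC 2617 challenge grammar: quoted-string, token, '=', ','
_TOK = re.compile(r'"((?:[^"\\]|\\.)*)"|([^\s",=]+)|(=)|(,)')

def parse_www_authenticate(value):
    """Split a WWW-Authenticate value into [(scheme, {param: value}), ...].
    A bare token not followed by '=' starts a new challenge; k=v pairs belong
    to the most recent one, so several challenges can share one header."""
    toks = [(m.lastindex, m.group(m.lastindex)) for m in _TOK.finditer(value)]
    challenges, i = [], 0
    while i < len(toks):
        kind, text = toks[i]
        if kind == 2 and i + 2 < len(toks) and toks[i + 1][0] == 3:
            if not challenges:
                raise ValueError("auth-param before any auth-scheme")
            val = toks[i + 2][1].replace('\\"', '"')   # undo quoted-pair escaping
            challenges[-1][1][text.lower()] = val
            i += 3
        elif kind == 2:                                 # a new auth-scheme
            challenges.append((text.lower(), {}))
            i += 1
        else:                                           # ',' separator
            i += 1
    return challenges

# Parameters the hypothetical Form challenge must carry for the consumer to
# complete the login without scraping the HTML login page (assumed names).
FORM_REQUIRED = ("login-url", "user-field", "password-field")
# Consumer preference: standard challenge/response schemes before Form.
PREFERENCE = ("digest", "basic", "form")

def choose_auth(header_value):
    """Return the (scheme, params) the consumer should use, or None if the
    provider offers nothing supported, or a Form challenge that lacks its
    metadata (which would leave the consumer back at guessing the login page)."""
    offered = dict(parse_www_authenticate(header_value))
    for scheme in PREFERENCE:
        params = offered.get(scheme)
        if params is None:
            continue
        if scheme == "form" and any(k not in params for k in FORM_REQUIRED):
            continue
        return scheme, params
    return None
```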
I'm curious whether anyone has experience with these, has a preferred approach, or knows of drawbacks of other approaches.
