The Artima Developer Community
.NET Buzz Forum
AtomAPI and Authentication

Greg Reinacker


Greg Reinacker is president of NewsGator Technologies
AtomAPI and Authentication Posted: Aug 25, 2003 8:46 AM

This post originated from an RSS feed registered with .NET Buzz by Greg Reinacker.
Original Post: AtomAPI and Authentication
Feed Title: Greg Reinacker's Weblog
Feed URL: http://sedoparking.com/search/registrar.php?domain=&registrar=sedopark
Feed Description: Greg Reinacker's Weblog

Joe Gregorio and Mark Pilgrim have been working on a new implementation of the Atom API, and have come up with a Digest-like authentication mechanism for it. Joe describes it here; here's a small part of the post:

  1. Triggered an auth by rejecting a request with an HTTP status code of 401.
  2. The server response includes an Authenticate: header that includes Atom as an authentication scheme.
  3. The client then sends an Authorization: header with the scheme of Atom with all the Digest authentication information going into X-Atom-Authorization: header.
  4. With every request the server sends back an X-Atom-Authentication-Info: header with the 'nextnonce'.

Note that this now uses the extensibility of the HTTP authentication scheme. 

Well, ok. But how about this:

1. Change "Atom" to "Digest" in the WWW-Authenticate header, and make a couple of other trivial changes to this response.

2. Change X-Atom-Authentication to Authorization, with appropriate trivial changes.

Poof! You're using digest authentication. Now I know Mark and Joe thought about this, and I was involved in a long painful discussion talking about this. But here's my point: if you have enough control over your server to implement this "Atom-authentication" mechanism, then you have enough control to implement Digest itself. With a huge added benefit that many client toolkits understand digest out of the box.

My guess is this - there is a way to implement this for Apache in code, rather than using the .htaccess built-in support. If you can implement atom-auth, can't you just modify your code to implement Digest?

And I even have a Digest implementation for .NET built, for folks that can't (or don't want to) turn on IIS intrinsic support for Digest.

We're so close. Let's do this right. I bet if there was an implementation built for Apache that didn't require .htaccess or httpd.conf access, then some of the nay-sayers might get on board. Someone care to try it? I did my part - my .NET/IIS implementation is available, free, for anyone to use today...
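
As an added illustration of the suggestion above (not Greg Reinacker's .NET implementation, nor Joe Gregorio's or Mark Pilgrim's code), this sketch issues and checks standard Digest (RFC 2617, qop=auth) entirely in application code, with no .htaccess or server-level support. The realm, user store and function names are assumptions made for the example.

```python
import hashlib
import hmac
import re
import secrets

REALM = "atom@example.org"      # constructed realm
USERS = {"alice": "s3cret"}     # constructed credential store (plaintext only for the demo)
issued_nonces = {}              # nonce -> highest nonce-count (nc) accepted so far

def md5_hex(text):
    return hashlib.md5(text.encode("utf-8")).hexdigest()

def digest_response(user, realm, password, method, uri, nonce, nc, cnonce):
    """RFC 2617 request-digest for qop=auth (MD5 is what that RFC specifies)."""
    ha1 = md5_hex(f"{user}:{realm}:{password}")
    ha2 = md5_hex(f"{method}:{uri}")
    return md5_hex(f"{ha1}:{nonce}:{nc}:{cnonce}:auth:{ha2}")

def challenge():
    """Value for the WWW-Authenticate header of the 401 response."""
    nonce = secrets.token_hex(16)
    issued_nonces[nonce] = 0
    return f'Digest realm="{REALM}", qop="auth", nonce="{nonce}"'

def parse_digest(header):
    scheme, _, rest = header.partition(" ")
    if scheme.lower() != "digest":
        return None
    pairs = re.findall(r'(\w+)=(?:"([^"]*)"|([^,\s]+))', rest)
    return {key: quoted or bare for key, quoted, bare in pairs}

def verify(method, request_uri, header):
    """True only for a fresh, correctly computed Authorization header."""
    p = parse_digest(header)
    needed = ("username", "realm", "nonce", "uri", "qop", "nc", "cnonce", "response")
    if not p or any(k not in p for k in needed):
        return False
    try:
        nc = int(p["nc"], 16)
    except ValueError:
        return False
    # An unknown nonce defaults to nc itself, so "nc <= ..." rejects it too.
    if (p["realm"] != REALM or p["qop"] != "auth" or p["uri"] != request_uri
            or p["username"] not in USERS or nc <= issued_nonces.get(p["nonce"], nc)):
        return False
    expected = digest_response(p["username"], REALM, USERS[p["username"]],
                               method, p["uri"], p["nonce"], p["nc"], p["cnonce"])
    if not hmac.compare_digest(expected.encode(), p["response"].encode()):
        return False
    issued_nonces[p["nonce"]] = nc   # a replayed nc for this nonce now fails
    return True
```

Because the header names and parameters are the standard ones, a client toolkit with built-in Digest support can answer `challenge()` without Atom-specific code.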
