So, here are my thoughts. Let's say the client has a token stringwhich encapsulates authentication and authorization. They need to sendthis along with an Atom Publishing Protocol (APP) request.
Windows Live and GData both implement custom RFC 2617 WWW-Authenticate:headerschemes. Unfortunately they don't follow exactly the same pattern,or I'd just copy it. But using RFC 2617 is clearly the right approachif the server can support it. So here's a proposal:
If a client has an OpenAuth token, it sends an Authorization: header. The format looks like this:
Authorization: OpenAuth token="..."where ... contains the base64-encoded token data (an opaque string,essentially).
When there is a problem, or the Authorization: header is missing, a401 response is returned with a WWW-Authenticate: header.
401 Need user consentwhere the status code contains a human readable message, and theWWW-Authenticate header contains the precise fault code -- NeedToken,NeedConsent, ExpiredToken. If present, the urlparameter gives the URL of an HTML page which can be presented to theend user to login or grant permissions. For example it can point to alogin page if the fault is NeedToken. A client would then need to dothe following in response:
WWW-Authenticate: OpenAuth realm="RealmString",fault="NeedConsent",url=
- Append a "&succUrl=..." parameter to the url, telling theOpenAuth service where to go when the user successfully logs in orgrants permission.
- Open a web browser or browser widget control with the givencomposed URL, and present to the user.
- Be prepared to handle an invocation of the succUrl with anappended token parameter, giving a new token to use for subsequentrequests.
As a wrinkle, to enhance autodiscovery, perhaps we should allow an"Authorization: OpenAuth" header with no token on any request(including HEAD). The server could then respond with a 401 andfault="NeedToken", telling the client what URL to use for loginauthentication. The interesting thing about this is that the protocolis then truly not tied to any particular authentication service --anyone who implements this fairly simple protocol with opaque tokenscan then play with anyone else. The whole thing could be built on topof OpenID, for example.
Perhaps this doesn't quite work. I notice that the Flickr APIs don'tdo this, and instead have non-browsers establish a session with aclient-generated unique key ("frob"). But this requires that users endup looking at a browser screen that tells them to return to theirapplication to re-try the request. Which the above scheme couldcertainly do as well, by making the succUrl point at such a page. Sois there a reason why Flickr doesn't redirect? There's likely a gapingsecurity hole here that I'm just missing.