
RE: Authentication



I am a bit behind on my Wiki reading so I apologize if these comments
are based on any stale data...

Is the REST API going to be the only official Atom API?  I have always
assumed that there would be both a REST-like API as well as a SOAP API.
As such, each API would be free to handle authentication in the way that
best fits the protocol.

Regarding a REST API:  There only seem to be 3 choices for secure
authentication that are broadly supported on the modern web: 1) Basic
over HTTPS, 2) Digest or 3) roll your own within the HTTP payload.  As
for option 3, I don't have enough REST experience to add any insight.
Should a custom auth protocol be built into REST?  Is that idea
compatible with the philosophy of REST?

Regarding a SOAP API:  There is a tremendous amount of work being done
on this issue already [1] and it seems to me that it's just a matter of
time before really nice solutions to this problem begin to ship for
various platforms.  Any SOAP API being developed today can pretty much
just wait it out and have some pretty high confidence that these
features will show up.

So... in the REST case, it seems to me that 1 and 2 are definitely "good
enough" since a large portion of the web already works this way today.
In the SOAP case, the problem is already being solved in a very
generalized and extensible way so there's no need to worry about that
either.

I am curious about what a custom authentication scheme would look like
within a REST API...  anyone have any exemplars?

Joe
 
[1] Web Services Secure Conversation
http://msdn.microsoft.com/ws/2002/12/ws-secure-conversation/
http://www-106.ibm.com/developerworks/library/ws-secon/
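
The two options the reply calls "good enough", side by side, as an added example that is not part of the thread: a Basic header is only base64, so it is safe only over HTTPS, while a Digest response (RFC 2617, qop=auth) lets the server check the client without the password ever crossing the wire. The credentials, realm, nonces and request URI below are constructed for the example.

```python
import base64
import hashlib
import secrets

# Constructed sample values; none of these come from the thread.
USERNAME, PASSWORD, REALM = "alice", "correct horse", "atom-api"
METHOD, URI = "PUT", "/atom/entries/42"


def basic_header(username: str, password: str) -> str:
    """Option 1: Basic. The header is base64, not encryption, hence 'over HTTPS'."""
    token = base64.b64encode(f"{username}:{password}".encode()).decode()
    return f"Basic {token}"


def basic_credentials(header: str) -> tuple[str, str]:
    """Anyone who sees a Basic header on the wire recovers the credentials directly."""
    user, _, pw = base64.b64decode(header.split(" ", 1)[1]).decode().partition(":")
    return user, pw


def _h(s: str) -> str:
    return hashlib.md5(s.encode()).hexdigest()


def digest_response(username, password, realm, method, uri, nonce, cnonce,
                    nc="00000001", qop="auth") -> str:
    """Option 2: Digest. The client sends a hash bound to nonce, method and URI."""
    ha1 = _h(f"{username}:{realm}:{password}")
    ha2 = _h(f"{method}:{uri}")
    return _h(f"{ha1}:{nonce}:{nc}:{cnonce}:{qop}:{ha2}")


def server_verifies(stored_ha1, method, uri, nonce, cnonce, nc, response, qop="auth") -> bool:
    """The server recomputes from a stored HA1 and compares in constant time."""
    ha2 = _h(f"{method}:{uri}")
    expected = _h(f"{stored_ha1}:{nonce}:{nc}:{cnonce}:{qop}:{ha2}")
    return secrets.compare_digest(expected, response)


def demo() -> tuple[bool, bool]:
    nonce, cnonce = "dcd98b7102dd2f0e8b11d0f600bfb0c093", "0a4f113b"  # constructed challenge values
    resp = digest_response(USERNAME, PASSWORD, REALM, METHOD, URI, nonce, cnonce)
    stored_ha1 = _h(f"{USERNAME}:{REALM}:{PASSWORD}")
    ok = server_verifies(stored_ha1, METHOD, URI, nonce, cnonce, "00000001", resp)
    # The same response replayed against another URI does not verify.
    replay = server_verifies(stored_ha1, METHOD, "/atom/entries/43", nonce, cnonce, "00000001", resp)
    return ok, replay
```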

-----Original Message-----
From: Joe Gregorio [mailto:joe@xxxxxxxxxxxxxx] 
Sent: Friday, August 08, 2003 9:14 AM
To: atom-syntax@xxxxxxx


In an effort to raise the visibility of some of the API issues, I am
copying some of the questions that are sitting on
http://www.intertwingly.net/wiki/pie/RestEchoApiDiscuss
and echoing them here. I will break each one off into its own email.
First off:


How should authentication and security be handled? Are Basic and Digest
good enough?


	Thanks,
	-joe

-- 
http://BitWorking.org
http://WellFormedWeb.org