views:

205

answers:

1

I want to bounce an idea around. I have been building web services and web applications for over a decade now, and have more recently been focusing on providing as RESTful a service as possible (eg. using the same URI for both browsers and API clients, but having them modify accept: to decide if to send XML or XHTML).

One big sticking point with using web browsers with RESTful services has been keeping track of user state on private methods. The best way to go about it is for the client to provide HTTP auth token, but not many customers or users like being prompted by a HTTP auth box in their browser, especially when they are used to web-form based login.

HTTP auth also has other issues such as poor expiry support, but in other areas is a lot better than cookie sessions.

My idea is to allow web forms to submit HTTP auth information, by doing the following:

  • Provide 2 new HTML input form types, namely type='username' and type='auth'
  • When these types are included in a form, the browser will send the values along with the request to the form URI as an HTTP authentication field rather than as POST or GET values.

This can mean that we can have both RESTful user authentication, but without the standard browser login boxes. I have prototyped a dirty Firefox plugin that sort of does this, but currently only supporting BASIC auth (it would eventually work with Digest).

The problem that I can see is if this idea works well, having it standardized and ratified so that all browsers support it along with the standard ugly boxes.

Anybody have any feedback on this idea, or know of any similar effort?

I have an upcoming project that is an intranet and I am almost tempted to finish the plugin (along with client SSL cert support) and use it there as a test.

I couldn't find anything similar, other than a couple of small projects where developers were using Javascript to read in username and password from a form and then using them as the http auth token in an XMLHTTPRequest

Further - Next Steps

After a bunch of research on this, I have decided to take the 1999 template as the basis for a new proposal to submit to the WHATWG for HTML5. The main focal points should be:

  • RESTful
  • User friendly
  • Secure (ie. support Digest, not basic)
  • Backwards compatible (ie. wont break previous version)
  • Complete prototype
  • Solicit more feedback

If anybody else (thanks for the pointers Julian) has anything to add in terms of comments or feedback or any other consideration, please let me know. Once I have this lined up I will blog about it.

Stackoverflow may be a good venue for these types of ideas and proposals..

Stackoverflow Question

How can I bring more attention to this here on Stackoverflow - do most people browse with tags?

+3  A: 

This topic got recently renewed interest in the W3C HTML Working Group (see http://www.w3.org/html/wg/tracker/issues/13), the WHAT WG and the IETF (see Internet-Draft http://tools.ietf.org/html/draft-broyer-http-cookie-auth-00).

I recommend following the IETF discussion (mailing list: http://lists.osafoundation.org/pipermail/ietf-http-auth/).

Julian Reschke
Excellent - thanks for that. I notice that the cookie proposal you linked to isn't a very RESTful solution. What seems far more appropriate is this proposal from 1999:http://www.w3.org/TR/1999/NOTE-authentform-19990203which is more along the lines of what I described above (ie. new HTML elements
nikcub
I am now trying to find out what happen to that proposal 10 years ago. I believe there is more of a need for it today though, esp considering the more recent emphasis on REST based architectures which are compatible with any type of client (not just browsers). thanks again.
nikcub
I'll leave the discussion about being RESTful to Roy F. -- the prpblem with the orig. proposal mainly is getting it deployed, and getting the browser UI both attractive and secure. These points are avoided by T. Broyer's proposal.
Julian Reschke
I am going to adapt the earlier proposal and re-submit it to WHATWG for HTML5. It seems that every time some similar proposal is submitted, it gets briefly discussed and then nothing really happens. I think having a prototype might move things along a bit better.
nikcub
Actually, I'd recommend joining the W3C HTML WG instead (see http://www.w3.org/html/wg/#who).
Julian Reschke