Version 2 (modified by y.oiwa@…, 10 years ago)
HTTP Authentication Extensions for Interactive Clients
The Internet-Draft
http://tools.ietf.org/html/draft-oiwa-httpbis-auth-extension-00
Previous versions are available as draft-oiwa-http-auth-extension
- It was originally designed for HTTP Mutual authentication, but it applies generically to every interactive authentication scheme on HTTP.
Overview
- Fill gaps between the current HTTP authentication framework and Web application needs
  - Concurrent support for guest (unauthenticated) users on the same page as for authenticated users (optional authentication)
  - Log-out
  - Session timeout
  - Customized pages for the log-in/log-out interface (incl. announcements, warnings or advertisements)
  - etc.
- Easily understandable API for use from Web applications
  - Optional authentication: configure it on the Web server and that's all
  - Others: just set an Authentication-Control: HTTP header and that's all
- Easy deployment: the header can be configured statically
  - No CGIs required in common cases
  - Carefully designed so that these headers will be ignored whenever they are not applicable or meaningful
- Not harmful for non-Web applications either: the base authentication semantics are not changed, so simply ignoring the header is enough
Use cases
See Section 5 of the draft for information on how to use this extension.
Implementations
The reference implementations for Mutual authentication, available on the project homepage, implement these extensions, too.