AtomAPI and Authentication

Joe Gregorio and Mark Pilgrim have been working on a new implementation of the Atom API, and have come up with a Digest-like authentication mechanism for it. Joe describes it here; here’s a small part of the post:

  1. Triggered an auth by rejecting a request with an HTTP status code of 401.
  2. The server response includes an Authenticate: header that includes Atom as an authentication scheme.
  3. The client then sends an Authorization: header with the scheme of Atom with all the Digest authentication information going into X-Atom-Authorization: header.
  4. With every request the server sends back an X-Atom-Authentication-Info: header with the ‘nextnonce’.

Note that this now uses the extensibility of the HTTP authentication scheme. 

Well, ok. But how about this:

1. Change “Atom” to “Digest” in the WWW-Authenticate header, and make a couple of other trivial changes to this response.

2. Change X-Atom-Authentication to Authorization, with appropriate trivial changes.

Poof! You’re using digest authentication. Now I know Mark and Joe thought about this, and I was involved in a long painful discussion talking about this. But here’s my point: if you have enough control over your server to implement this “Atom-authentication” mechanism, then you have enough control to implement Digest itself. With a huge added benefit that many client toolkits understand digest out of the box.

My guess is this – there is a way to implement this for Apache in code, rather than using the .htaccess built-in support. If you can implement atom-auth, can’t you just modify your code to implement Digest?

And I even have a Digest implementation for .NET built, for folks that can’t (or don’t want to) turn on IIS intrinsic support for Digest.

We’re so close. Let’s do this right. I bet if there was an implementation built for Apache that didn’t require .htaccess or httpd.conf access, then some of the nay-sayers might get on board. Someone care to try it? I did my part – my .NET/IIS implementation is available, free, for anyone to use today…

17 thoughts on “AtomAPI and Authentication

  1. Greg Reinacker

    Ken, even if you turn off all authentication within Apache? With IIS, if you turn off all authentication mechanisms besides anonymous, then all of the headers will get passed through. No such luck on Apache?

    Reply
  2. Ken MacLeod

    The requirement is the ability to run in a “hosted” environment where one typically does not have access to the web server configuration, either globally (httpd.conf) or locally (.htaccess). It is for those situations I’m creating the test case showing that, yes, by default Apache does not pass those headers thru.

    Reply
  3. Joe

    Greg,

    Yeah, Apache can pass the Digest parameters to a CGI in only one of two cases: the CGI is running as a module ala mod_perl, or Apache has be recompiled with a setting that tells it pass Auth headers to a CGI.

    The scheme we came up with can be implemented in a CGI script with no .htaccss or http.conf access, which is exactly how Mark did his server side implementation.

    Reply
  4. Sergio

    It seems all implementations were made in Apache. Well, I’m trying to make it in IIS and I used your article to start my digest module. Do you have ideas on how to change the hash algorithm from MD5 to SHA1 ?

    Reply
  5. Greg Reinacker

    Hi Sergio, it should be pretty trivial to change the hash algorithm. In the GetMD5HashBinHex function in the sample, just switch from using MD5CryptoServiceProvider to SHA1CryptoServiceProvider. Keep us posted how it goes!

    Reply
  6. Greg Reinacker

    Joe, ok…not knowing anything about Apache, I guess I can’t argue any more. :-) However, it seems a shame that an authentication protocol is being designed around a limitation in one particular web server. Don’t you think?

    Reply
  7. Sergio

    I didn’t make myself clear : I do know how to hack GetMD5HashBinHex. What I meant is how to change the response from IIS. Am I saying something really stupid ?

    Reply
  8. Joe

    Greg,

    I don’t know enough about IIS in the wild, is it common for hosting sites to turn all authentication but anonymous off?

    BTW, I think it’s awesome that you’re releasing a .Net implemenation of Digest! I think the more we work to raise awareness of the lack of good authentication in most hosting situations, the faster the situation will improve.

    Reply
  9. Greg Reinacker

    Joe, I think it’s fairly common. I used to be hosted at Innerhost and later Interland, and in both cases I was able to get other authentication modes turned off on certain directories and get my implementation working there…

    Reply
  10. Sergio

    Hi, Greg, about IIS/SHA1 issue : if I change the algorithm to SHA1 the server returns a 500 Error. Try this : inside EndRequest change algorithm to SHA (or SHA1, I tried both). You cannot login !

    Reply
  11. Sergio

    Oh, the 500 error you get if you code a HTTPWebRequest and pass credentials to SHA1 Digest. The 500 says ‘SHA1 not supported’

    Reply
  12. Greg Reinacker

    Keep in mind that we’re completely bypassing the IIS digest implementation, so info you find there isn’t necessarily relevant.

    Hmm…a quick read of RFC 2617 indicates that MD5 is the only supported hash algorithm. So that explains why clients wouldn’t understand it with SHA1.

    As to why you’re getting a server error, I’m guessing it’s configuration-related…you’d need to run in the debugger to figure out what’s going on. I’d do it, but unfortunately I don’t have time at the moment… :-(

    Reply
  13. Kevin Burton

    In Apache2 things are much easier to support. Digest authentication is an integral part of the build now.

    One downside is that some packages don’t enable digest by support nor do they enable .htaccess.

    I do agree however that if you can control X-Atom-Authenticated (or whatever header it is) that you can use digest authentication and probably should.

    Most decent providers will allow you to tweak .htaccess before they give you access to some servlet or CGI impl.

    Another thing to note is that Java does a pretty damn good job of supporting Digest auth if you know what you are doing.

    Kevin

    Reply

Leave a Reply