“Atom Authentication” sucks.

While the Atom Publishing Protocol leaves implementations free to use whatever method of authentication they please, historical circumstances have associated the Protocol with an obscure authentication method that has neither a name nor a specification.

I refer of course to the method described in this article. I hesitate to call the method Atom Authentication (because that suggests a closer association with the Protocol than exists), but I can’t come up with anything better.

The idea is sound - it functions as designed and has a few advantages over Digest authentication (mostly for people stuck with crappy hosts). The algorithm is well described in WS-Security’s UsernameToken profile (which “Atom Authentication” is based on). The general form of the challenge and response are described in the Mark Pilgrim article.

But common practice and the article have diverged. While the article (and Sam Ruby) produces an ASCII nonce and sticks it straight in the X-WSSE header, all the client code I’ve seen base64s the nonce before it goes in the header, and servers seem to require it. I can’t find this specified anywhere.

This sucks. Don’t use “Atom Authentication” unless you absolutely must, and if you absolutely must please write a proper spec first.
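To make the divergence concrete, here is an added example (not code from the Pilgrim article, Sam Ruby, or any Atom client) that builds the X-WSSE value both ways and shows a server-side check that accepts either nonce convention while still refusing stale timestamps and replayed nonces. It assumes the header layout from the article (UsernameToken Username=…, PasswordDigest=…, Nonce=…, Created=…) and uses constructed credentials.

```python
import base64
import hashlib
import hmac
import re
from datetime import datetime, timedelta, timezone

def password_digest(nonce: bytes, created: str, password: str) -> str:
    """UsernameToken rule: PasswordDigest = Base64(SHA1(nonce + created + password))."""
    return base64.b64encode(hashlib.sha1(nonce + created.encode() + password.encode()).digest()).decode()

def build_header(username: str, password: str, nonce: str, created: str, base64_nonce: bool) -> str:
    """X-WSSE value; base64_nonce=False is the article's ASCII nonce, True the base64 variant."""
    digest = password_digest(nonce.encode(), created, password)  # hashed over the raw nonce either way
    nonce_field = base64.b64encode(nonce.encode()).decode() if base64_nonce else nonce
    return (f'UsernameToken Username="{username}", PasswordDigest="{digest}", '
            f'Nonce="{nonce_field}", Created="{created}"')

def parse_header(value: str) -> dict:
    """Split 'UsernameToken k="v", k="v"' into a dict (assumed layout from the Pilgrim article)."""
    return dict(re.findall(r'(\w+)="([^"]*)"', value.partition(" ")[2]))

def verify(header: str, password: str, now: datetime, seen_nonces: set,
           max_skew: timedelta = timedelta(minutes=5)):
    """Server side: username on success, None otherwise; accepts either nonce convention."""
    f = parse_header(header)
    created = datetime.strptime(f["Created"], "%Y-%m-%dT%H:%M:%SZ").replace(tzinfo=timezone.utc)
    if abs(now - created) > max_skew or f["Nonce"] in seen_nonces:
        return None  # stale timestamp or replayed nonce
    candidates = [f["Nonce"].encode()]  # article convention: header carries the ASCII nonce
    try:
        candidates.append(base64.b64decode(f["Nonce"], validate=True))  # base64 convention
    except ValueError:
        pass
    for nonce in candidates:
        expected = password_digest(nonce, f["Created"], password)
        if hmac.compare_digest(expected.encode(), f["PasswordDigest"].encode()):
            seen_nonces.add(f["Nonce"])
            return f["Username"]
    return None

def roundtrip(base64_nonce: bool) -> tuple:
    """Constructed sample: verify a fresh header, then confirm the same header is refused as a replay."""
    created = "2003-12-15T14:43:07Z"
    now = datetime(2003, 12, 15, 14, 43, 9, tzinfo=timezone.utc)
    header = build_header("bob", "secret", "d36e3162", created, base64_nonce)
    seen = set()
    return verify(header, "secret", now, seen), verify(header, "secret", now, seen)
```

The two headers carry the same PasswordDigest and differ only in the Nonce field, which is exactly why a server written against one convention silently rejects clients written against the other.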
