Opened 10 years ago

Closed 10 years ago

Last modified 10 years ago

#567 closed enhancement (fixed)

Make authentication modular in http-client

Reported by: sjamaan Owned by: sjamaan
Priority: major Milestone:
Component: extensions Version:
Keywords: authentication, authorization, http-client, intarweb Cc:
Estimated difficulty:

Description

Currently basic and digest auth are hardcoded in http-client. As Thomas Hintz pointed out, there are services like Amazon S3 that have their own homebrew (and less secure...) authentication system which re-uses the "authorization" header with a custom scheme.

It would be great if the authentication schemes were extensible so we can cope with those custom schemes without having to add them to a huge pile inside http-client itself. This is not desirable because there may be many of these one-off systems out there, and they're all nonstandard and may even change and disappear over time.

Possibly some of the standard auth stuff can be moved inside intarweb too. Not sure yet.

Change History (2)

comment:1 Changed 10 years ago by sjamaan

Resolution: fixed
Status: newclosed

Ugh. The authenticators need to know too much about the request/response handling because digest auth is so annoying.

At least it's in now. It really really needs to be cleaned up before it can be considered useful for extension by other eggs. At least now you *can* extend it if you must, if you're brave enough to read the source and figure out how to ;)

comment:2 Changed 10 years ago by sjamaan

Turns out Amazon S3 doesn't even implement RFC 2617 properly; it doesn't send 401 responses; you need to pass the authentication stuff right along with the initial request. If you don't, it just 403s on you.

Amazon, a bunch of professional fools.

Amazon, for all your botched standards.

Amazon, what were they thinking?

Note: See TracTickets for help on using tickets.