HTTP Authentication

From W3C XForms Group Wiki (Public)

History

Early XForms requirements documents called for authentication support. Currently, user interfaces for authentication in web browsers are separate from the page, and (supposedly) easily recognizable as bona fide requests. The user is assured that the form author does not have access to the password.

Some had proposed authentication binding that would allow the form author to bind form controls to authentication fields and then use CSS for styling. Others objected that this might give form authors access to the authentication data, or might cause users confusion since the browser-controlled look-and-feel was no longer present.

For XForms 1.0, we decided to leave authentication to the user agent.

Current State

XForms 1.1 provides the following features which can be used to enhance authentication.

  • ability to set and get headers in submission and submission responses
  • the ability to compute HMAC using a variety of algorithms
  • the ability to change the submission URI dynamically

For example, given the ability to alter the submission resource URI (with the submission/resource binding), we can support basic and digest authentication with HTTP as it allows user@pass in the URL. Similarly, for user agents that support FTP, the user@pass URL notation also works.

XForms 1.1 does not offer any syntactic sugar for combining the UI operations and the HMAC or other operations, nor any guidance to form authors.

Going Forward

Now may be a good time to re-examine the XForms 1.0 decision, and look at authentication binding again.

Questions

  • Do we allow binding only to the authentication schemes that are expressible in the URI such as HTTP, FTP etc?
  • Is this a request for syntactic sugar over the URL resource binding only?
  • Do we need a way to prevent the form author from reading the authentication information, or is that no longer a concern?
  • What about authentication schemes that require more than username/password (domain, for example), especially if the form author isn't allowed to know it?
  • Do we need to specify authentication mechanisms themselves or is just a binding to provide named info enough?
  • ...

References