In this document, we will present how the HTTP 'Basic' authentication scheme may be adapted to be used with DIAS.
HTTP authentication headers from the server
    HTTP/1.1 401 Authorization Required
    WWW-Authenticate: Basic realm="Foo"
    X-DIAS-Agent: foo@website.com/auth
The additional 'X-DIAS-Agent' HTTP header contains the JID of the DIAS agent to which the ticket request should be sent.
HTTP credential information from the client
The client then follows the DIAS procedure by sending a ticket request to the agent, which generates a ticket and sends it back to the client. Once the client has the ticket, it simply supplies it as the password in a regular 'Basic' authentication exchange (see RFC 2617), with an empty username.
Comments
Note that this approach is compatible with the legacy user/password mechanism, allowing people with such an account to use it as well.
Moreover, it needs nearly no modification to HTTP clients, except that they should handle the X-DIAS-Agent HTTP header, at least by displaying it to the user. To be more robust to clients that do not handle the header, a website author may decide to include the JID in the realm, since most web browsers show the realm to the user. It is also possible to put the information in the body of the 401 document.

Optionally, the HTTP client may initiate a specific input dialog when an X-DIAS-Agent header is present. For example, it can display vCard information about the advertised agent to discourage agent spoofing. It can also show a single field for the ticket, instead of the two usual ones (login and password).
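The exchange described above, as an added example that is not part of the original document: the client side parses the 401 challenge (reading the X-DIAS-Agent header, or falling back to a JID embedded in the realm as suggested in the comments) and builds the Basic credentials with an empty username and the ticket as password; the server side decodes the credentials and distinguishes a DIAS ticket from a legacy user/password pair. The sample response and the legacy credentials are constructed for illustration, and the ticket request to the agent itself is outside this snippet.

```python
import base64
import re

# Constructed sample of the 401 challenge shown above (headers only).
SAMPLE_401 = (
    "HTTP/1.1 401 Authorization Required\r\n"
    'WWW-Authenticate: Basic realm="Foo"\r\n'
    "X-DIAS-Agent: foo@website.com/auth\r\n\r\n"
)
# Constructed legacy user/password credentials, for comparison.
LEGACY_HEADER = "Basic " + base64.b64encode(b"alice:s3cret").decode()

def parse_challenge(raw):
    """Client side: return (realm, agent_jid) from a raw 401 response.
    Falls back to a JID embedded in the realm (an assumed convention,
    see the comments above); agent_jid is None if neither is present."""
    head = raw.split("\r\n\r\n", 1)[0]
    status, *lines = head.split("\r\n")
    if not status.startswith("HTTP/1.1 401"):
        raise ValueError("not a 401 challenge: " + status)
    headers = {}
    for line in lines:
        name, _, value = line.partition(":")
        headers[name.strip().lower()] = value.strip()
    challenge = headers.get("www-authenticate", "")
    realm = re.search(r'realm="([^"]*)"', challenge)
    if not challenge.lower().startswith("basic") or not realm:
        raise ValueError("server did not offer Basic authentication")
    agent = headers.get("x-dias-agent")
    if agent is None:
        in_realm = re.search(r'[^\s@"/]+@[^\s"]+', realm.group(1))
        agent = in_realm.group(0) if in_realm else None
    return realm.group(1), agent

def ticket_authorization(ticket):
    """Client side: Basic credentials with an empty username and the
    DIAS ticket as the password (RFC 2617 user-pass = userid ":" password)."""
    if ":" in ticket:
        raise ValueError("ticket must not contain ':'")
    return "Basic " + base64.b64encode((":" + ticket).encode()).decode()

def classify_credentials(authorization):
    """Server side: decode a Basic Authorization header and tell a DIAS
    ticket (empty userid) from a legacy user/password pair."""
    scheme, _, token = authorization.partition(" ")
    if scheme.lower() != "basic":
        raise ValueError("unsupported scheme: " + scheme)
    user, sep, secret = base64.b64decode(token).decode().partition(":")
    if not sep:
        raise ValueError("malformed user-pass")
    return ("ticket", secret) if user == "" else ("legacy", user, secret)
```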