Decentralized Identity and Authentication System

Using DIAS in HTTP authentication phase

In this document, we will present how the HTTP 'Basic' authentication scheme may be adapted to be used with DIAS.

HTTP authentication headers from the server

HTTP/1.1 401 Authorization Required
WWW-Authenticate: Basic realm="Foo"
X-DIAS-Agent: foo@website.com/auth

The additional 'X-DIAS-Agent' HTTP header contains the JID of the DIAS agent to which the ticket request should be sent.

HTTP credential information from the client

The client then follows the DIAS procedure by sending a ticket request to the Agent, which will generate one and send it back to the client. Once the client has the ticket, they just provide it as a normal password in regular 'Basic' authentication (see RFC 2617), with an empty username.

Comments

Note that this approach is compatible with the legacy user/password mechanism, allowing people with such an account to use it as well.

Moreover, it needs nearly no modification to the HTTP clients, except that they should handle the X-DIAS-Agent HTTP header, at least by displaying it to the user. In order to be even more robust to clients that do not handle the header, a website author may decide to include the JID in the realm, since most web browsers show it to the user. It is also possible to put the information in the 401 document.

Optionally, the HTTP client may decide to initiate a specific input dialog when there is an X-DIAS-Agent header. For example it can display VCard information about the advertised agent to discourage agent spoofing. It can also show a unique field to provide the ticket, instead of the two usual ones (login and password).