[foaf-protocols] playing with a webid site interceptor for restful websites

peter williams home_pw at msn.com
Sat Mar 12 17:32:04 CET 2011

http://yorkporc.files.wordpress.com/2011/03/image42.png shows a debugging
screen for webid project purposes.


The scenario is one in which an https app has failed to send a
www-authorization header, and is being challenged by the interceptor for the
resource. On challenge, the client app first pings an IDP site to get an
identity assertion token, then pings the RP-STS site to translate that into
contents to be presented in the www-authorization header. This is duly
presented in response to the original challenge seeking to address the
interceptor's authn/authz policy.


Note the realm, being a URL. (OK, it's always been possible for it to be a
URI. So what?) Wondering about applying that in an https client and its webid
context. Could one imagine this inducing an https client app to now ALSO
present webid, if the realm == a user's webid, where == is a match rule?


If I'm going anyways to go to an IDP site to get the first token of a chain
of tokens (implementing Lampson's handoff rule, in their authentication
logic), perhaps this is an indicator to release the webid cert, should it be


This practice would extend essentially the token chain, at the outset, being
a handoff(client cert, IDP token) statement prefix in the seq of statements.
The final restful webapp never sees any but the last statement in the chain,
of course.
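
The realm test floated above, as an added example that is not part of the original post: a client-side check that releases the WebID certificate only when the challenge realm matches the user's WebID, and prefixes the token chain accordingly. The match rule (URI normalization), the challenge scheme name, the sample URIs and the statement labels are all assumptions made for illustration.

```python
import re
from urllib.parse import urlsplit, urlunsplit

# Constructed sample values; the scheme name "ExampleToken" is a placeholder.
CHALLENGE = 'ExampleToken realm="https://Alice.example:443/card#me"'
WEBID = "https://alice.example/card#me"

def realm_of(challenge):
    """Return the realm parameter of a challenge header value, or None."""
    m = re.search(r'\brealm\s*=\s*"([^"]*)"', challenge, re.IGNORECASE)
    return m.group(1) if m else None

def normalize(uri):
    """Assumed match rule: case-insensitive scheme and host, default port
    dropped, empty path treated as "/", fragment significant (e.g. #me)."""
    p = urlsplit(uri)
    scheme = p.scheme.lower()
    host = (p.hostname or "").lower()
    default = {"http": 80, "https": 443}.get(scheme)
    netloc = host if p.port in (None, default) else f"{host}:{p.port}"
    return urlunsplit((scheme, netloc, p.path or "/", p.query, p.fragment))

def should_release_webid_cert(challenge, webid):
    """True only when the realm is an absolute URI that matches the WebID."""
    realm = realm_of(challenge)
    if realm is None:
        return False
    p = urlsplit(realm)
    if not (p.scheme and p.hostname):
        return False  # free-text realm: fail closed, keep the cert private
    return normalize(realm) == normalize(webid)

def build_chain(challenge, webid):
    """Statements in order; only the last one reaches the RESTful web app."""
    chain = []
    if should_release_webid_cert(challenge, webid):
        chain.append(("handoff", "client cert", "IDP token"))
    chain.append(("handoff", "IDP token", "RP-STS token"))  # assumed label
    return chain

if __name__ == "__main__":
    chain = build_chain(CHALLENGE, WEBID)
    print("release cert:", should_release_webid_cert(CHALLENGE, WEBID))
    print("chain:", chain)
    print("web app sees:", chain[-1])
```

Because the fragment is kept in the comparison, a realm naming the profile document without `#me` does not trigger release of the certificate.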


