Feb. 24, 2006
Kazuho Oku
WEIS (Web Identity Syndication) is a web-browser-based identity syndication protocol that allows web applications to syndicate authentication credentials with limited permissions to other web applications. The protocol is based on existing, widely-deployed standards: HTTP Authentication [HTTPAUTH] and HTML forms [HTML40].
This document describes version 1.0 of the WEIS Protocol.
Initial targets of the protocol are RSS [RSS] / Atom [ATOM] feeds and Atom Publish Protocol [ATOMPUB]. By implementing the WEIS protocol, websites with login forms such as social networking services can feed RSS to web-based RSS aggregators. Also, by using WEIS together with Atom Publishing Protocol, websites can post information to each other.
WEIS is a discovery and credential transfer protocol used for accessing web resources protected using HTTP Authentication. Syndication of the web identity consists of three steps: 1. WEIS Discovery, 2. WEIS Request, and 3. WEIS Response.
Whenever returning a 401 HTTP response, WEIS Providers should include an X-WEIS response header. The header indicates the URL to which the Consumers may request credentials.
GET /rss HTTP/1.0
Host: provider.example.com
HTTP/1.0 401 Authorization Required
WWW-Authenticate: basic realm="rss"
X-WEIS: http://provider.example.com/rss_auth
To obtain authentication credentials, WEIS Consumers may redirect users to the URL given by the X-WEIS response header, with the following CGI parameters.
- ret: a WEIS Consumer URL to which the WEIS Provider should send the result
- arg: an opaque value used by the Consumer web application
GET /rss_auth?ret=http://consumer.example.net/subscribe&arg=60d8776016674449
Host: provider.example.com
Once the user's identity has been ascertained, WEIS Providers may send the user's authentication credentials that permit access to the resource to the WEIS Consumer. The response should be a browser redirection using the HTTP POST method to the URL specified by the ret parameter of the corresponding WEIS Request, with the following CGI parameters.
- mode: declaration of the response status, should be "ok"
- arg: the opaque value specified by the WEIS Request
- user: username to access the resource
- pass: password to access the resource
Note that a WEIS Provider is not required to send back credentials with full permissions. Instead, the general advice is to send a username / password specific to the resource to be shared. It is also good practice to send different usernames / passwords to different WEIS Consumers. By doing so, WEIS Providers may later revoke the access permissions of some WEIS Consumers while keeping the others accessible.
<form action="http://consumer.example.net/subscribe" method="POST">
<input type="hidden" name="mode" value="ok">
<input type="hidden" name="arg" value="60d8776016674449">
<input type="hidden" name="user" value="alice-rss-consumer.example.net">
<input type="hidden" name="pass" value="5Qon31Xr">
<noscript><input type="submit" value="Click to Continue"></noscript>
</form>
<script type="text/javascript">document.forms[0].submit()</script>
WEIS Providers may refuse to send authentication credentials to a WEIS Consumer. If this is the case, the providers should send a cancel response to the consumer with the following CGI parameters.
- mode: declaration of the response status, should be "cancel"
- arg: the opaque value specified in the WEIS Request
HTTP/1.0 302 Moved Temporarily
Location: http://consumer.example.net/subscribe?mode=cancel&arg=60d8776016674449
There is no way for WEIS Consumers to determine the cause of a cancel response. It is up to the WEIS Provider to display to the user why the transfer has been cancelled.
Care should be taken by WEIS Consumers to reject invalid authentication credentials sent by malicious WEIS Providers. To prevent such attacks, it is recommended to ask the user for confirmation upon receiving a WEIS Response. It is also a good idea to sign and verify the CGI parameters using message authentication codes (namely HMACs [HMAC]).
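One way a WEIS Consumer can apply the HMAC recommendation above, as an added example rather than code from the protocol author: the opaque arg value is itself an HMAC-tagged token that records which resource the request was for and when it expires, so a WEIS Response whose arg was not issued by this Consumer, has been altered, or arrived too late is rejected before any credentials are stored. The key, the helper names and the constructed sample values are assumptions of this example, not part of the WEIS specification.

```python
import base64
import hashlib
import hmac
import secrets
import time
from urllib.parse import urlencode

# Hypothetical per-Consumer secret; it never leaves the Consumer.
CONSUMER_KEY = secrets.token_bytes(32)
RET_URL = "http://consumer.example.net/subscribe"


def _b64(raw: bytes) -> str:
    return base64.urlsafe_b64encode(raw).decode().rstrip("=")


def _unb64(text: str) -> bytes:
    return base64.urlsafe_b64decode(text + "=" * (-len(text) % 4))


def make_arg(resource_url: str, ttl: int = 600, now=None) -> str:
    """Build the opaque arg for a WEIS Request: nonce|expiry|resource, HMAC-tagged."""
    now = int(time.time()) if now is None else now
    payload = f"{secrets.token_hex(8)}|{now + ttl}|{resource_url}".encode()
    tag = hmac.new(CONSUMER_KEY, payload, hashlib.sha256).digest()
    return _b64(payload) + "." + _b64(tag)


def weis_request_url(x_weis_url: str, resource_url: str) -> str:
    """URL the user is redirected to, built from the X-WEIS header value."""
    return x_weis_url + "?" + urlencode({"ret": RET_URL, "arg": make_arg(resource_url)})


def verify_response(params: dict, now=None):
    """Return (resource_url, user, pass) for a valid 'ok' WEIS Response, else None.
    Rejects an unknown or tampered arg, an expired arg, and cancel responses.
    A deployment should also record the nonce to refuse a replayed response."""
    now = int(time.time()) if now is None else now
    try:
        payload_b64, tag_b64 = params["arg"].split(".")
        payload, tag = _unb64(payload_b64), _unb64(tag_b64)
    except (KeyError, ValueError):
        return None
    expected = hmac.new(CONSUMER_KEY, payload, hashlib.sha256).digest()
    if not hmac.compare_digest(tag, expected):
        return None  # arg was not issued by us, or was modified in transit
    _nonce, expiry, resource_url = payload.decode().split("|", 2)
    if now > int(expiry) or params.get("mode") != "ok":
        return None
    if not params.get("user") or "pass" not in params:
        return None
    return resource_url, params["user"], params["pass"]
```

The resource URL returned by verify_response is the one the Consumer itself recorded, so credentials are only ever attached to the resource the user actually started the syndication for.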