WEIS Protocol, Version 1.0 (Draft)

Feb. 24, 2006
Kazuho Oku


WEIS (Web Identity Syndication) is a web-browser-based identity syndication protocol that allows web applications to syndicate authentication credentials with limited permissions to other web applications. The protocol is based on existing, widely-deployed standards: HTTP Authentication [HTTPAUTH] and HTML forms [HTML40].

This document describes version 1.0 of the WEIS Protocol.

Initial targets of the protocol are RSS [RSS] / Atom [ATOM] feeds and Atom Publish Protocol [ATOMPUB]. By implementing the WEIS protocol, websites with login forms such as social networking services can feed RSS to web-based RSS aggregators. Also, by using WEIS together with Atom Publishing Protocol, websites can post information to each other.


WEIS Consumer
A web application that requests and uses authentication credentials to access a secured resource of another web application.
WEIS Provider
A web application that discloses authentication credentials to WEIS consumers, and that provides access to secured resources by the consumers.


WEIS is a discovery and credential transfer protocol used for accessing web resources protected using HTTP Authentication. Syndication of the web identity consists of three steps, 1. WEIS Discovery, 2. WEIS Request, and 3. WEIS Response.

WEIS Discovery

Whenever returning a 401 HTTP response, WEIS Providers should include a X-WEIS response header. The header indicates the URL to which the Consumers may request credentials.

Example 1. WEIS Discovery
GET /rss HTTP/1.0
Host: provider.example.com

HTTP/1.0 401 Authorization Required
WWW-Authenticate: basic realm="rss"
X-WEIS: http://provider.example.com/rss_auth

WEIS Request

To obtain authentication credentials, WEIS Consumers may redirect users to the URL given by the X-WEIS response header, with the following CGI parameters.

  • ret
  • - a WEIS Consumer URL to which the WEIS Provider should send the result to
  • arg
  • - an opaque value used by the Consumer web application

    Example 2. WEIS Request
    GET /rss_auth?ret=http://consumer.example.net/subscribe&arg=60d8776016674449
    Host: provider.example.com

    WEIS Response

    Once the user's identity has been ascertained, WEIS providers may send to the WEIS Consumer his / her authentication credentials that permits access to the resource. The response should be a browser redirection using HTTP POST method to the URL specified by the ret parameter of the corresponding WEIS request, with the following CGI parameters.

  • mode
  • - declaration of the response status, should be "ok"
  • arg
  • - an opaque value specified by the WEIS Request
  • user
  • - username to access the resource
  • password
  • - password to access the resource

    Note that a WEIS Provider is not required to send back credentials with full permissions. Instead, a general advise is to send a username / password specific to the resource to be shared. It is also be a good practice to send different usernames / passwords to different WEIS Consumers. By doing so, WEIS Providers may later on revoke access permissions to some of the WEIS Consumers yet keeping others accessible.

    Example 3. WEIS OK Response
    <form action="http://consumer.example.net/subscribe" method="POST">
      <input type="hidden" name="mode" value="ok">
      <input type="hidden" name="arg" value="60d8776016674449">
      <input type="hidden" name="user" value="alice-rss-consumer.example.net">
      <input type="hidden" name="pass" value="5Qon31Xr">
      <noscript><input type="submit" value="Click to Continue"></noscript>
    <script type="text/javascript">document.forms[0].submit()</script>

    WEIS Providers may refuse to send authentication credentials to a WEIS Consumer. If this is the case, the providers should send a cancel response to the consumer with the following CGI parameters.

  • mode
  • - declaration of the response status, should be "cancel"
  • arg
  • - an opaque value specified in the WEIS request

    Example 4. WEIS Cancel Response
    HTTP/1.0 302 Moved Temporarily
    Location: http://consumer.example.net/subscribe?mode=cancel&arg=60d8776016674449

    There is no way for WEIS Consumers to determine the cause of a cancel response. It is up to the WEIS Providers to display the user why the transfer has been cancelled.

    Security Issues

    Care should be taken by WEIS Consumers to deny the receipt of invalid authentication credentials from malicious WEIS Providers. To prevent such attacks, it is recommended to confirm the user upon receiving a WEIS Response. It would also be a good idea to sign and verify the CGI parameters using message authentication codes (namely HMACs [HMAC]).


    RFC2617: HTTP Authentication: Basic and Digest Access Authentication, Franks, J., Hallam-Baker, P., Hostetler, J., Lawrence, S., Leach, P., Luotonen, A., Sink, E. and L. Stewart, June 1999
    HTML 4.01 Specification, Ragget, D., Le Hors, A., Jacobs, I., December 1999
    RSS 2.0 Specification, Winer, Dave., August 2002
    RFC4287: The Atom Syndication Format, Nottingham, M., Sayre, R., December 2005
    The Atom Publishing Protocol, Gregorio, J., de hOra, B., Feburary, 2006
    RFC2104: HMAC: Keyed-Hashing for Message Authentication, Krawczyk, H., Bellare, M., Canetti, R., Feburary 1997

    Copyright © 2006 Cybozu Labs, Inc. All rights reserved.