Changes


Identity/BrowserIDSync

81 bytes added, 17:45, 7 February 2012
BrowserID + REST
[[Image:BrowserIDREST.png|500px]]
We standardize a point of authentication, <tt>/auth</tt>, which exchanges an assertion for a MAC HTTP Auth token and secret, valid for some session duration (30 minutes?). Then, subsequent API calls are made with an HTTP MAC Auth signature header using that token and secret. (This is similar to OAuth in so-called 2-legged OAuth mode, but is now being standardized as its own HTTP Auth method.) Thus, apart from the new API call to <tt>/auth</tt>, a REST API does not need to change. Only its authorization header is affected.
In order to make it easier for clients to discover our authentication mechanism, unauthenticated API calls should return:
 401 Unauthorized
 WWW-Authenticate: OAuthBrowserID+VEP MAC url="/auth"
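
The flow described above, as an added Python example (not code from this wiki page or from the project): <tt>/auth</tt> issues a token and secret once the assertion has been verified (verification itself is not shown), the client signs each API call, and the server checks the signature, the session expiry and replays. The field layout of the signed string follows the HTTP MAC Auth drafts as far as I recall them and is an assumption here, as are HMAC-SHA-256, the in-memory stores, the replay set and all function names.

```python
import base64, hashlib, hmac, secrets, time

SESSION_TTL = 30 * 60   # the page's tentative "30 minutes?" session duration
SESSIONS = {}           # token id -> (secret, expiry); in-memory store, example only
SEEN = set()            # (token id, nonce) pairs already accepted, to reject replays

def issue_session(now=None):
    """What /auth returns after the assertion has been verified elsewhere."""
    now = time.time() if now is None else now
    token, secret = secrets.token_urlsafe(12), secrets.token_urlsafe(32)
    SESSIONS[token] = (secret, now + SESSION_TTL)
    return token, secret

def request_mac(secret, ts, nonce, method, uri, host, port, ext=""):
    """HMAC-SHA-256 over the newline-terminated request fields (assumed layout)."""
    base = "".join(f"{v}\n" for v in (ts, nonce, method.upper(), uri, host, port, ext))
    digest = hmac.new(secret.encode(), base.encode(), hashlib.sha256).digest()
    return base64.b64encode(digest).decode()

def sign(token, secret, method, uri, host, port, now=None):
    """Client side: build the Authorization header value for one API call."""
    ts = int(time.time() if now is None else now)
    nonce = secrets.token_hex(8)
    mac = request_mac(secret, ts, nonce, method, uri, host, port)
    return f'MAC id="{token}", ts="{ts}", nonce="{nonce}", mac="{mac}"'

def check(header, method, uri, host, port, now=None):
    """Server side: 200 if the header verifies, otherwise 401 (client returns to /auth)."""
    now = time.time() if now is None else now
    if not header or not header.startswith("MAC "):
        return 401
    try:
        fields = {k.strip(): v.strip('"') for k, v in
                  (p.split("=", 1) for p in header[4:].split(","))}
        secret, expiry = SESSIONS[fields["id"]]
        expected = request_mac(secret, fields["ts"], fields["nonce"], method, uri, host, port)
        ok = hmac.compare_digest(expected, fields["mac"])   # constant-time comparison
    except (KeyError, ValueError, TypeError):
        return 401
    replay = (fields["id"], fields["nonce"])
    if not ok or now >= expiry or replay in SEEN:
        return 401
    SEEN.add(replay)
    return 200
```

The secret never travels with an API call; only the token id and the computed MAC do, so a captured header cannot be reused for a different method, path or host.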