sknebel
commented
5 years ago Hi, thanks for taking a look at AutoAuth!
I'm not sure I understand what you are proposing, is it these things?
a) A way to discover an alternative to a feed that is authenticated through rel-links? (so you have a CDN-hosted feed for normal subscribers, and only handle authenticated requests yourself without the CDN needing to understand any of it?)
b) A way to put a placeholder for a private post in a feed, so authenticated clients can go there and fetch the post while unauthenticated ones ignore it?
I also made some notes about WebSub in #8, interested in feedback there too!
fluffy-critter
I’m pretty interested in AutoAuth for a thing I want to build but I feel like it doesn’t quite get what’s needed for feeds (Atom in particular). Atom feeds are often served up through a CDN-type proxy such as FeedBurner or through a translating WebSub proxy like Superfeedr, which makes header-only access control not robust enough.
I feel like there should be an allowance for a link tag with appropriate
relattributes to specify where to receive additional content that would be authorized, both at a feed and an item level. This would particularly help with the WebSub use case, where the push server is only sending the changed entries to the reader, and the reader may have multiple subscribers attached to it with differing access levels.I’ve been sort of working on some very rough proposals for authenticated feeds in an Atom and WebSub context over at https://beesbuzz.biz/blog/4594-The-authenticated-Atom-musings-continue and while that is far from finalized (in particular I’m leaning towards making all those attributes
<link rel>s so it doesn’t need a new XML namespace and can also work with RSS and h-feed) it feels like it runs counter to purely header-based auth negotiation, especially in the WebSub case.There’s probably something I’ve missed though!