Specific allowances for feeds? #6

Open
fluffy-critter opened this issue Dec 4, 2018 · 2 comments

@fluffy-critter

I’m pretty interested in AutoAuth for a thing I want to build but I feel like it doesn’t quite get what’s needed for feeds (Atom in particular). Atom feeds are often served up through a CDN-type proxy such as FeedBurner or through a translating WebSub proxy like Superfeedr, which makes header-only access control not robust enough.

I feel like there should be an allowance for a link tag with appropriate rel attributes to specify where to receive additional content that would be authorized, both at a feed and an item level. This would particularly help with the WebSub use case, where the push server is only sending the changed entries to the reader, and the reader may have multiple subscribers attached to it with differing access levels.

I’ve been sort of working on some very rough proposals for authenticated feeds in an Atom and WebSub context over at https://beesbuzz.biz/blog/4594-The-authenticated-Atom-musings-continue and while that is far from finalized (in particular I’m leaning towards making all those attributes <link rel>s so it doesn’t need a new XML namespace and can also work with RSS and h-feed) it feels like it runs counter to purely header-based auth negotiation, especially in the WebSub case.

There’s probably something I’ve missed though!

@sknebel
Owner

sknebel commented Dec 8, 2018

Hi, thanks for taking a look at AutoAuth!

I'm not sure I understand what you are proposing, is it these things?

a) A way to discover an alternative to a feed that is authenticated through rel-links? (so you have a CDN-hosted feed for normal subscribers, and only handle authenticated requests yourself without the CDN needing to understand any of it?)

b) A way to put a placeholder for a private post in a feed, so authenticated clients can go there and fetch the post while unauthenticated ones ignore it?

I also made some notes about WebSub in #8, interested in feedback there too!

@fluffy-critter
Author

Pretty close! A) is what I’m proposing as an addition to AutoAuth. B would be an addition to RSS/Atom/h-feed which probably doesn’t belong in AutoAuth itself but it’s a use case which needs to be considered as part of the flow for A.
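
A sketch of the discovery flow discussed in this thread, as an added example that is not part of the thread or of AutoAuth: a reader parses the public (possibly proxied) Atom feed and collects the feed-level and entry-level links it should fetch with authentication. The rel value `x-authenticated`, the sample URLs and the https-only check are assumptions; the thread does not define any of them.

```python
import xml.etree.ElementTree as ET
from urllib.parse import urlsplit

ATOM = "{http://www.w3.org/2005/Atom}"
AUTH_REL = "x-authenticated"  # hypothetical rel value; the thread names none

# Constructed sample: a public feed as a CDN or WebSub hub might relay it.
SAMPLE_FEED = """<feed xmlns="http://www.w3.org/2005/Atom">
  <title>Example</title>
  <link rel="self" href="https://cdn.example.net/feeds/example.atom"/>
  <link rel="x-authenticated" href="https://blog.example.org/feed?auth=1"/>
  <entry>
    <id>urn:example:1</id>
    <title>Public post</title>
    <link rel="alternate" href="https://blog.example.org/1"/>
  </entry>
  <entry>
    <id>urn:example:2</id>
    <title>Private post (placeholder)</title>
    <link rel="x-authenticated" href="https://blog.example.org/2?auth=1"/>
  </entry>
</feed>"""


def auth_href(element):
    """Return the first usable authenticated link on a feed or entry element."""
    for link in element.findall(ATOM + "link"):
        if AUTH_REL not in link.get("rel", "").split():
            continue
        parts = urlsplit(link.get("href", ""))
        # Assumption: credentials are only ever sent to absolute https URLs,
        # since the feed may have passed through a third-party proxy.
        if parts.scheme == "https" and parts.netloc:
            return parts.geturl()
    return None


def discover(feed_xml):
    """Map the feed and each entry id to the URL to fetch with authentication."""
    # Real feeds are untrusted input; use a hardened XML parser in production.
    root = ET.fromstring(feed_xml)
    entries = {}
    for entry in root.findall(ATOM + "entry"):
        href = auth_href(entry)
        if href:
            entries[entry.findtext(ATOM + "id")] = href
    return {"feed": auth_href(root), "entries": entries}


if __name__ == "__main__":
    print(discover(SAMPLE_FEED))
```

An unauthenticated reader that does not know the rel value ignores these links and sees only the public content.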
