HTTP authentication API NG

Version 1.1 by christoph_lechleitner@iteg_at on 2012-09-21 11.47:16

Motivation

org.clazzes.login.http is the HTTP-based implementation of DomainPasswordLoginService.

While the old HTTP authentication request is sufficient for user/password checks, new optional features like group membership queries require new handshakes in the HTTP backend API.

This document specifies the next-gen HTTP authentication API.

Basic Request pattern

A request to an authentication URL is an HTTPS POST request like this:

POST /my/authentication/service HTTP/1.1
Host: auth.my.domain
Content-Type: application/x-www-form-urlencoded

[op=<op>&]param1=<value1>&param2=<value2>

<op> is the requested operation, usually the name of the corresponding method in DomainPasswordLoginService.java.

To provide backwards compatibility, the op parameter is optional and defaults to tryLogin.

See below for examples.

Basic Response pattern

Every authentication request is answered with an HTTP response with

Content-Type: text/plain; charset=utf-8

and one of the following status codes:

200 OK - login is ok, or other operation was completed successfully
403 Forbidden - the login is invalid or the operation is not permitted
406 Not Acceptable - too many unsuccessful authentications, or other reason to suspect a brute force attack

The response body must not be empty; its content is specified separately for each operation.

The server may additionally enforce HTTP basic authentication on the endpoint in order to keep unauthorized hosts from running dictionary attacks against it.

Authentication operation: tryLogin

Request body (new format, preferred):

op=tryLogin&user=<user>&passwd=<passwd>

Request body in the old format, supported for backward compatibility:

user=<user>&passwd=<passwd>

Response body:

Non-empty informational text encoded in UTF-8, not more than 1024 bytes. The message may end up in log files and should not be displayed to the end user.
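The following Python sketch is an added example, not code from this spec or from org.clazzes.login.http; it ties together the Basic Request pattern, the Basic Response pattern and the tryLogin operation above, with one client-side request builder and one server-side dispatcher. Everything not stated on this page is an assumption and marked as such in the code: the in-memory user store with PBKDF2 hashes, the lockout threshold of five failed attempts per user that triggers the 406, the choice to answer an unknown op with 403 ("operation is not permitted"), and the host name auth.my.domain taken from the example request.

```python
"""Added example for the HTTP authentication API NG (not the project's code)."""
import hashlib
import hmac
from urllib.parse import parse_qs, urlencode

# --- constructed user store (assumption: real back ends use a directory) ---
_SALT = b"constructed-salt"  # constructed for the example only


def _hash(password: str, salt: bytes) -> bytes:
    return hashlib.pbkdf2_hmac("sha256", password.encode("utf-8"), salt, 100_000)


USERS = {"alice": (_SALT, _hash("correct horse", _SALT))}

MAX_FAILURES = 5   # assumption: failures per user before the server answers 406
MAX_BODY = 1024    # from the spec: tryLogin response body is at most 1024 bytes
_failures = {}     # user -> consecutive failed tryLogin attempts (in-memory)


def build_request(op, **params):
    """Client side: render the POST request from the Basic Request pattern."""
    body = urlencode({"op": op, **params})  # op first, then the parameters
    return (
        "POST /my/authentication/service HTTP/1.1\r\n"
        "Host: auth.my.domain\r\n"
        "Content-Type: application/x-www-form-urlencoded\r\n"
        f"Content-Length: {len(body)}\r\n\r\n" + body
    )


def _respond(status, text):
    """Enforce the Basic Response pattern: a non-empty UTF-8 body, capped
    at MAX_BODY bytes (cut on a character boundary, never mid-codepoint)."""
    text = text or "no details"
    return status, text.encode("utf-8")[:MAX_BODY].decode("utf-8", "ignore")


def handle_request(body):
    """Server side: dispatch one form-encoded body; return (status, text).
    The response Content-Type is always text/plain; charset=utf-8."""
    params = parse_qs(body, keep_blank_values=True)
    op = params.get("op", ["tryLogin"])[0]  # old-format clients send no op
    if op == "tryLogin":
        return try_login(params)
    # assumption: an op the server does not know is "not permitted" -> 403
    return _respond(403, "unknown op")


def try_login(params):
    user = params.get("user", [""])[0]
    passwd = params.get("passwd", [""])[0]
    if not user or not passwd:
        return _respond(403, "missing user or passwd")
    if _failures.get(user, 0) >= MAX_FAILURES:
        # too many unsuccessful authentications: refuse even a correct
        # password until the counter is reset out of band
        return _respond(406, f"too many failed logins for {user!r}")
    entry = USERS.get(user)
    if entry is None:
        _hash(passwd, _SALT)  # equalise timing for unknown and known users
        ok = False
    else:
        salt, expected = entry
        ok = hmac.compare_digest(_hash(passwd, salt), expected)
    if ok:
        _failures.pop(user, None)
        return _respond(200, f"login ok for {user!r}")
    _failures[user] = _failures.get(user, 0) + 1
    # body goes to the server log, not to the end user
    return _respond(403, f"login invalid for {user!r}")


if __name__ == "__main__":
    print(build_request("tryLogin", user="alice", passwd="correct horse"))
    print(handle_request("user=alice&passwd=correct+horse"))   # old format
    print(handle_request("op=tryLogin&user=alice&passwd=nope"))
```

Note that the lockout check runs before the password is verified, so once the threshold is reached the server answers 406 regardless of the submitted password; this is what makes the status useful as a brute-force signal for the caller.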

Further operations: TBD