This repository has been archived by the owner on Jul 24, 2021. It is now read-only.
Reporter: erik[at]tiq.com [Submitted to the original trac issue database at 1.38pm, Friday, 16th December 2005]
There's a note on the wiki REST page about using digest authentication. This would mean that the passwords of all the users will be saved cleartext in the database, but all the authentication made by clients would be in "encrypted form". The encryption is simplified as HASH(username, sharedsecret, randomdata).
To make this happen there should be some example code in the wiki.
[http://www.ietf.org/rfc/rfc2617.txt RFC specs for digest HTTP authentication]
Author: tom[at]tom-carden.co.uk [Added to the original trac issue at 11.39am, Tuesday, 20th December 2005]
For API authentication, we should look at the work done for other REST standards like Atom, because they were made with one eye on how clients could implement things today.
Author: tom[at]compton.nu [Added to the original trac issue at 11.38am, Sunday, 19th August 2007]
I think using SSL is a lot simpler - using digest authentication would force everybody to change their passwords apart from anything else as we don't currently have a cleartext version of anybody's passwords.
Author: TomH [Added to the original trac issue at 8.53pm, Wednesday, 24th August 2011]
Web site logins are now SSL encrypted and we have OAuth for the API so there is no need to reveal the actual passwords there if you don't want to.
Digest authentication would require storing passwords in the clear which I absolutely don't want to do. OAuth is the preferred authentication method for the API anyway.
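The following is an added example, not code from this issue or from the OpenStreetMap project, illustrating the point the thread turns on: the HASH(username, sharedsecret, randomdata) exchange the reporter describes is RFC 2617 Digest, and verifying it server-side requires storing H(A1) = MD5(username:realm:password), which is a password-equivalent, whereas a conventional salted one-way hash cannot be turned into H(A1) after the fact. The username, realm, password, nonce and expected response are the worked example from RFC 2617 section 3.5; the `UserRecord` store and the helper names are this example's own.

```python
"""RFC 2617 HTTP Digest: what the server must keep on file to verify a client.

Added example (not the project's code).  Shows the client-side response
computation and two server-side credential stores: one holding H(A1), which
digest verification needs, and one holding a salted PBKDF2 hash, which cannot
support digest at all.
"""
import hashlib
import hmac
import os
from dataclasses import dataclass
from typing import Optional


def _md5(s: str) -> str:
    # Digest's "MD5" algorithm hashes colon-joined fields (RFC 2617 3.2.2).
    return hashlib.md5(s.encode("utf-8")).hexdigest()


def ha1(username: str, realm: str, password: str) -> str:
    """H(A1) = MD5(username:realm:password).  Anyone holding this value can
    answer challenges for the user, so it is a password-equivalent."""
    return _md5(f"{username}:{realm}:{password}")


def digest_response(ha1_hex: str, method: str, uri: str, nonce: str,
                    nc: str, cnonce: str, qop: str = "auth") -> str:
    """Client response for qop=auth (RFC 2617 3.2.2.1):
    MD5(H(A1):nonce:nc:cnonce:qop:H(A2)) with H(A2) = MD5(method:uri)."""
    ha2 = _md5(f"{method}:{uri}")
    return _md5(f"{ha1_hex}:{nonce}:{nc}:{cnonce}:{qop}:{ha2}")


@dataclass
class UserRecord:
    """Hypothetical credential record; exactly one storage form is populated."""
    username: str
    ha1_hex: Optional[str] = None          # digest-capable store
    pbkdf2_salt: Optional[bytes] = None    # salted one-way store
    pbkdf2_hash: Optional[bytes] = None


def store_for_digest(username: str, realm: str, password: str) -> UserRecord:
    """What a digest-capable server must persist: H(A1), unsalted, per realm."""
    return UserRecord(username, ha1_hex=ha1(username, realm, password))


def store_salted(username: str, password: str) -> UserRecord:
    """Conventional storage: random salt plus a slow one-way hash."""
    salt = os.urandom(16)
    h = hashlib.pbkdf2_hmac("sha256", password.encode("utf-8"), salt, 100_000)
    return UserRecord(username, pbkdf2_salt=salt, pbkdf2_hash=h)


def verify_salted(record: UserRecord, password: str) -> bool:
    """Password-based login against the salted store (the path SSL + form login uses)."""
    h = hashlib.pbkdf2_hmac("sha256", password.encode("utf-8"),
                            record.pbkdf2_salt, 100_000)
    return hmac.compare_digest(h, record.pbkdf2_hash)


def can_verify_digest(record: UserRecord) -> bool:
    """Digest verification is only possible if H(A1) is on file; a salted
    one-way hash cannot be converted into H(A1) without the password."""
    return record.ha1_hex is not None


def server_verify_digest(record: UserRecord, method: str, uri: str, nonce: str,
                         nc: str, cnonce: str, qop: str, client_response: str) -> bool:
    if not can_verify_digest(record):
        raise ValueError("digest needs H(A1); salted hash cannot be used")
    expected = digest_response(record.ha1_hex, method, uri, nonce, nc, cnonce, qop)
    return hmac.compare_digest(expected, client_response)


# Worked values from RFC 2617 section 3.5 (the RFC's own example, not live data).
RFC_USER, RFC_REALM, RFC_PASSWORD = "Mufasa", "testrealm@host.com", "Circle Of Life"
RFC_NONCE, RFC_URI = "dcd98b7102dd2f0e8b11d0f600bfb0c093", "/dir/index.html"
RFC_NC, RFC_CNONCE = "00000001", "0a4f113b"
RFC_RESPONSE = "6629fae49393a05397450978507c4ef1"


def demo() -> dict:
    """Runs the exchange against both stores and reports the outcome."""
    digest_rec = store_for_digest(RFC_USER, RFC_REALM, RFC_PASSWORD)
    salted_rec = store_salted(RFC_USER, RFC_PASSWORD)
    client = digest_response(digest_rec.ha1_hex, "GET", RFC_URI, RFC_NONCE,
                             RFC_NC, RFC_CNONCE, "auth")
    return {
        "client_response": client,
        "digest_store_accepts": server_verify_digest(
            digest_rec, "GET", RFC_URI, RFC_NONCE, RFC_NC, RFC_CNONCE, "auth", client),
        "salted_store_can_do_digest": can_verify_digest(salted_rec),
        "salted_store_accepts_password": verify_salted(salted_rec, RFC_PASSWORD),
    }


if __name__ == "__main__":
    for k, v in demo().items():
        print(f"{k}: {v}")
```

Running `demo()` reproduces the RFC's response value against the H(A1) store, while the salted store can still check a password typed into a TLS-protected form but cannot answer a digest challenge at all, which is why moving an existing deployment to digest means every user must re-enter a password so H(A1) can be derived.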