Zyre

I have another use-case that will be tricky to solve. Given a website using SSL and authenticating through an http session (i.e. a login form that subsequently sets a cookie in the client, the cookie is a session key).

Now I want to add RestMS support to the site. To properly support 'long poll', I'll expose Zyre directly to the internet on it's own IP address, hence a subdomain of the main website, like restms.mycompany.com

I do not want the browser to pop-up an auth dialog when opening an xmlhttprequest in the browser to Zyre. So my client-side javascript will pull the value of the cookie from the window object and send it in the http request to Zyre.

in this case, Zyre will get an HTTP request that does not have any standard authentication headers. The cookie value should get passed as a Cookie Header, or maybe some non-standard header.

How can Zyre handle this case? It would need to know in advance a list of possible authentication methods, including 'use this header as a token' or 'use this cookie as a token'. And then it would have to pass the token in an amqp message to some external authenticator service for verification.

Should there be a distinct authentication URL that clients could use to get a cookie from Zyre, after submitting 'standard' login data (userid, password, application-token)?

Anyway.. another use-case to think about.

Naturally if I'm talking to Zyre using a non-browser client (like Python) its easy to explicitly pass authentication information in http digest form. I am wondering if when using http-digest, will an external authenticator service also have to get the challenge token from Zyre, or will it need to give Zyre the token to use.. I haven't looked at digest auth in a while to see how well that would work.

-B