Brad Fitzpatrick ([info]bradfitz) wrote in [info]lj_dev,
@ 2004-03-10 09:40:00
Digest auth for RSS
Apparently this was never announced:

http://www.livejournal.com/users/USER/data/rss?auth=digest

Get RSS feeds (including protected entries) by authenticating with HTTP Digest Auth. Good for aggregators.

[info]snej mentioned this should be in a LINK tag or something, but we don't want to always link to this.

Maybe a comment at the top of the XML document? That's not right, though.

Any recommendations?
<link> both, perhaps?




[info]ex_snej373
2004-03-10 09:46 am UTC (link)
Well, I mentioned that newsreaders wouldn't be able to automatically discover it since it's not in the LINK tag on the journal page. However, I don't really think it should be, since it requires a login, which (a) most aggregators don't support (I think), and (b) won't work for people who don't have LJ accounts. If both versions of the feed were LINKed to, it would probably just confuse the newsreaders.

Is it really necessary to use a separate URL for this? Couldn't the regular URL just accept an optional auth header and return protected entries if it was supplied? That way it would continue to work as normal, but newsreaders that knew to supply authentication could get the protected posts.

I know this doesn't match the usual scenario for auth, where the server rejects the request as Unauthorized unless the auth header exists, which then triggers the client to ask the user for credentials. But there's nothing saying the client can't provide the credentials without such prompting.

(Reply to this) (Thread)


[info]evan
2004-03-10 09:49 am UTC (link)
It looks like it's challenge-response based, where the challenge is sent along with the "unauthorized" page. (see section 3.2)

(Reply to this) (Parent)(Thread)


[info]suppafly
2004-03-10 01:05 pm UTC (link)
It looks like it's challenge-response based, where the challenge is sent along with the "unauthorized" page. (see section 3.2)

So couldn't the "unauthorized" page just be the normal page, that way if people didn't login, they'd get the normal page anyway and only one link could be used?

(Reply to this) (Parent)(Thread)


[info]bradfitz
2004-03-10 01:08 pm UTC (link)
HTTP status code would be wrong.

(Reply to this) (Parent)


[info]jamies
2004-03-10 10:56 am UTC (link)
This is great - there are people I know who have journals on their own site, not via LJ. They don't want to get LJ accounts to view mine. So if I could authenticate these users on my site, I can now RSS out my protected entries for them to view...

(Reply to this)


[info]theorb
2004-03-10 11:47 am UTC (link)
I agree that a comment at the top of the XML document isn't "right", but it's also not going to confuse anything into trying to fetch it, then falling over in a hugely ugly way. Now, there's a good argument to be made that that's the fault of the client, not LJ, but do you really want to make that argument to everybody who sees that their client works, except when they point it at LJ?

Perhaps, if not that, you can put it in a link with a type (IIRC here) that most aggregators won't follow without user intervention?

(Reply to this)


[info]avva
2004-03-10 01:27 pm UTC (link)
We should just put it in a FAQ or something. Non-LJ users don't need to know that URL, it won't do anything for them. LJ users who want to get their friends' journals via RSS with auth will hopefully read the syndication part of the FAQ and see that.

I don't think putting the auth URL in a link is a good idea, because many or most aggregators out there don't understand digest auth and will likely fail to use that URL, possibly giving their users a misleading error message.

(Reply to this)


[info]crschmidt
2004-03-18 09:26 am UTC (link)
Could at least put it in /bots/?

(Reply to this)

