4 Protocol Examples
This example illustrates how a user obtains access to a restricted resource using the Passport SSI Version 1.4 Protocol.

Figure 5: How a user obtains access to a restricted resource
The user attempts to navigate to a site that requires authentication. The browser issues the following request:
GET http://www.msn.com/passport/passport_default.asp HTTP/1.1
The partner resource requires authentication and responds with the following Partner Server Challenge message:
HTTP/1.1 302 Redirect
Location: http://login.passport.com/login.srf?param1&param2
WWW-Authenticate: Passport1.4 param1,param2
The Passport SSI Version 1.4 Protocol client recognizes this response as a Partner Server Challenge message and proceeds with the client/server exchange, first issuing a Token Request message with an empty token:
GET /login2.srf HTTP/1.1
Host: login.passport.com
Authorization: Passport1.4 tname=,OrgVerb=GET,OrgUrl=http://www.msn.com/passport/passport_default.asp,param1,param2
The client has no authentication token. Therefore, the authentication server responds with an Authentication Server Challenge message:
HTTP/1.1 401 Unauthorized
WWW-Authenticate: Passport1.4 da-status=failed,srealm=Passport.NET,ts=0,param3
The client recognizes that it has to collect credentials from the user. It acknowledges this to the client application, which calls the appropriate dialog box. The user enters the sign-in name, "someone@example.com", and password, "goalkeeper", and then clicks OK.
The client sends these credentials in a Sign-in Request message over Secure Sockets Layer (SSL):
GET /login2.srf HTTP/1.1
Host: login.passport.com
Authorization: Passport1.4 sign-in=someone%40example.com,pwd=goalkeeper,OrgVerb=GET,OrgUrl=http://www.msn.com/passport/passport_default.asp,param1,param2
The authentication server responds over SSL with the Token Response message:
HTTP/1.1 200 OK
Authentication-Info: Passport1.4 da-status=success,tname=PPAuth,from-PP=1puV5BFuLD,ru=http://www.msn.com/passport/passport_default.asp
Set-Cookie: PPAuth="da-auth blob in passport.com";
The client recognizes the token contained in the from-PP parameter and stores it to be sent to the partner server. The client uses this to retry the request at the return URL in a First Authenticated Request message:
GET /passport/passport_default.asp HTTP/1.1
Host: www.msn.com
Authorization: Passport1.4 from-PP=1puV5BFuLD
The server running at this URL recognizes the header in the request. Because this is the first authenticated request, it responds with a Set Token message:
HTTP/1.1 200 OK
Authentication-Info: Passport1.4 tname=MSPAuth,tname=MSPProf
Set-Cookie: MSPAuth="auth blob in msn.com";
Set-Cookie: MSPProf="prof blob in msn.com";
The client recognizes and stores the token. The user is now authenticated to the site.
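The whole exchange in Figure 5, written out as an added, self-contained simulation (this is example code added here, not part of the protocol specification or of any Microsoft implementation). All three parties run as in-process Python functions: a client that parses the Passport1.4 challenge and Authentication-Info headers and steps through Token Request, Sign-in Request, First Authenticated Request and Set Token; a partner server that issues the Partner Server Challenge and later the Set Token; and an authentication server that issues the Authentication Server Challenge and the Token Response. The credential store, the opaque from-PP token value, the shared token table the partner consults (a stand-in for the partner's real token verification, whose format the spec does not show here) and the client's check that the ru return URL equals the original OrgUrl are all assumptions of this example.

```python
# Added simulation of the Figure 5 exchange; not the specification's own code.
# Token format, credential store and partner-side token verification are
# constructed stand-ins so the three parties can run in one process.
import secrets
from urllib.parse import quote, unquote

SCHEME = "Passport1.4"
PARTNER_URL = "http://www.msn.com/passport/passport_default.asp"
LOGIN_HOST = "login.passport.com"

USERS = {"someone@example.com": "goalkeeper"}   # constructed credential store
ISSUED_TOKENS = {}   # from-PP token -> sign-in name; assumption: stands in for
                     # the partner's own verification of the token blob


class PassportError(Exception):
    pass


def parse_passport_params(header_value):
    """Parse 'Passport1.4 k=v,k2=v2,flag' into a dict (bare names map to None).
    Assumes no parameter value contains a comma, as in the Figure 5 messages."""
    scheme, _, rest = header_value.strip().partition(" ")
    if scheme != SCHEME:
        raise PassportError(f"not a {SCHEME} header: {header_value!r}")
    params = {}
    for item in filter(None, (i.strip() for i in rest.split(","))):
        name, has_value, value = item.partition("=")
        params[name.strip()] = value.strip() if has_value else None
    return params


def login_server(request_headers):
    """Simulated login.passport.com (/login2.srf)."""
    p = parse_passport_params(request_headers["Authorization"])
    if "sign-in" in p:                                   # Sign-in Request
        user = unquote(p["sign-in"])
        if user in USERS and USERS[user] == unquote(p.get("pwd") or ""):
            token = secrets.token_urlsafe(8)             # opaque from-PP stand-in
            ISSUED_TOKENS[token] = user
            info = (f"{SCHEME} da-status=success,tname=PPAuth,"
                    f"from-PP={token},ru={p['OrgUrl']}")
            return 200, {"Authentication-Info": info, "Set-Cookie": f"PPAuth={token}"}
    # Empty tname (Token Request) or bad credentials: Authentication Server Challenge
    return 401, {"WWW-Authenticate":
                 f"{SCHEME} da-status=failed,srealm=Passport.NET,ts=0,param3"}


def partner_server(request_headers, cookies):
    """Simulated www.msn.com serving the restricted resource."""
    if "MSPAuth" in cookies:                             # already signed in
        return 200, {}, "restricted content"
    auth = request_headers.get("Authorization")
    if auth:
        p = parse_passport_params(auth)
        if p.get("from-PP") in ISSUED_TOKENS:           # First Authenticated Request
            blob = ISSUED_TOKENS[p["from-PP"]]
            return 200, {"Authentication-Info": f"{SCHEME} tname=MSPAuth,tname=MSPProf",
                         "Set-Cookie": [f"MSPAuth={blob}", f"MSPProf={blob}"]}, "restricted content"
    # Partner Server Challenge
    return 302, {"Location": f"http://{LOGIN_HOST}/login.srf?param1&param2",
                 "WWW-Authenticate": f"{SCHEME} param1,param2"}, ""


def passport_client(credentials_prompt):
    """Drive the client side of Figure 5; returns (cookies set by partner, body)."""
    status, hdrs, _ = partner_server({}, {})
    if status != 302 or "WWW-Authenticate" not in hdrs:
        raise PassportError("expected Partner Server Challenge")
    passthrough = ",".join(parse_passport_params(hdrs["WWW-Authenticate"]))  # param1,param2
    # Token Request with an empty token
    auth = f"{SCHEME} tname=,OrgVerb=GET,OrgUrl={PARTNER_URL},{passthrough}"
    status, hdrs = login_server({"Host": LOGIN_HOST, "Authorization": auth})
    if status == 401:
        da = parse_passport_params(hdrs["WWW-Authenticate"])
        if da.get("da-status") != "failed":
            raise PassportError("unexpected Authentication Server Challenge")
        user, pwd = credentials_prompt()                 # the dialog box in a real client
        # Sign-in Request (carried over SSL in the real protocol)
        auth = (f"{SCHEME} sign-in={quote(user, safe='')},pwd={quote(pwd, safe='')},"
                f"OrgVerb=GET,OrgUrl={PARTNER_URL},{passthrough}")
        status, hdrs = login_server({"Host": LOGIN_HOST, "Authorization": auth})
    if status != 200:
        raise PassportError("sign-in failed")
    info = parse_passport_params(hdrs["Authentication-Info"])
    if info.get("da-status") != "success" or "from-PP" not in info:
        raise PassportError("malformed Token Response")
    if info.get("ru") != PARTNER_URL:                    # assumption: only replay to the original URL
        raise PassportError("return URL does not match original request")
    # First Authenticated Request: retry at ru carrying from-PP
    status, hdrs, body = partner_server({"Authorization": f"{SCHEME} from-PP={info['from-PP']}"}, {})
    if status != 200:
        raise PassportError("partner rejected token")
    cookies = dict(c.split("=", 1) for c in hdrs.get("Set-Cookie", []))   # Set Token
    return cookies, body


def run_example(user="someone@example.com", pwd="goalkeeper"):
    """Sorted cookie names and body on success, None if any step fails."""
    try:
        cookies, body = passport_client(lambda: (user, pwd))
    except PassportError:
        return None
    return sorted(cookies), body


if __name__ == "__main__":
    print(run_example())
```

The client never trusts a header it has not parsed as a Passport1.4 value, checks da-status on both the 401 and the 200 paths, and refuses to replay from-PP anywhere other than the OrgUrl it originally requested; a wrong password surfaces as a second Authentication Server Challenge rather than a token, so run_example returns None.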