4 Protocol Examples

This example illustrates how a user obtains access to a restricted resource using the Passport SSI Version 1.4 Protocol.

Figure 5: How a user obtains access to a restricted resource

  1. The user attempts to navigate to a site that requires authentication. The browser issues the following request:

     GET http://www.msn.com/passport/passport_default.asp HTTP/1.1
    
  2. The partner resource requires authentication and responds with the following Partner Server Challenge message:

     HTTP/1.1 302 Redirect
     Location : http://login.passport.com/login.srf?param1&param2
     WWW-Authenticate : Passport1.4
        param1,param2
    
  3. The Passport SSI Version 1.4 Protocol client recognizes this response as a Partner Server Challenge message and proceeds with the client/server exchange, first issuing a Token Request message with an empty token:

     GET /login2.srf HTTP/1.1
     Host : login.passport.com
     Authorization: Passport1.4
     tname=,OrgVerb=GET,OrgUrl=http://www.msn.com/passport/passport_default.asp,
     param1,param2
    
  4. The client has no authentication token. Therefore, the authentication server responds with an Authentication Server Challenge message:

     HTTP/1.1 401 Unauthorized
     WWW-Authenticate : Passport1.4
        da-status=failed,srealm=Passport.NET, ts=0, param3
        
    
  5. The client recognizes that it has to collect credentials from the user and signals this to the client application, which displays the appropriate dialog box. The user enters the sign-in name, "someone@example.com", and password, "goalkeeper", and then clicks OK.

     The client sends these credentials in a Sign-in Request message over Secure Sockets Layer (SSL):

     GET /login2.srf HTTP/1.1
     Host : login.passport.com
     Authorization: Passport1.4
     sign-in=rusty%40hotmail.com,
     pwd=goalkeeper,OrgVerb=GET,
     OrgUrl=http://www.msn.com/passport/passport_default.asp,param1,param2
    
  6. The authentication server responds over SSL with the Token Response message:

     HTTP/1.1 200 OK
     Authentication-Info : Passport1.4
        da-status=success,tname=PPAuth,from-PP=1puV5BFuLD,
        ru=http://www.msn.com/passport/passport_default.asp
     Set-Cookie : PPAuth = "da-auth blob in passport.com" ;
    
  7. The client recognizes the token contained in the from-PP parameter and stores it to be sent to the partner server. The client uses this to retry the request at the return URL in a First Authenticated Request message:

     GET /passport/passport_default.asp HTTP/1.1
     Host: www.msn.com
     Authorization: Passport1.4
        from-PP=1puV5BFuLD
    
  8. The server running at this URL recognizes the header in the request. Because this is the first authenticated request, it responds with a Set Token message:

     HTTP/1.1 200 OK
     Authentication-Info : Passport1.4
        tname=MSPAuth,tname=MSPProf
     Set-Cookie : MSPAuth = "auth blob in msn.com" ;
     Set-Cookie : MSPProf = "prof blob in msn.com" ;
    

The client recognizes and stores the token. The user is now authenticated to the site.
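The four server messages in this exchange differ only in their status code and in the parameters carried by the Passport1.4 WWW-Authenticate or Authentication-Info header, so a small parser is enough to tell them apart. The following Python is an added example, not code from the MS-PASS specification or from any Passport implementation; it parses the comma-separated parameter syntax used in steps 2 through 8 (bare parameters such as param1, empty values such as tname=, repeated keys such as tname=MSPAuth,tname=MSPProf) and classifies each response as one of the messages named above. The sample responses are constructed by transcribing steps 2, 4, 6 and 8, including the listings' "Name : value" spacing and indented continuation lines, both of which the parser tolerates.

```python
"""Classify the server messages of the exchange above by parsing their Passport1.4
headers. Added example; not code from the MS-PASS specification. The sample
responses below are constructed from steps 2, 4, 6 and 8."""
from __future__ import annotations

SCHEME = "Passport1.4"


def parse_params(value: str) -> list[tuple[str, str | None]]:
    """Split 'k=v,k2=v2,bare' into ordered (key, value) pairs; bare parameters
    map to None. Splitting on the first '=' keeps URL values whole, and
    repeated keys (tname=MSPAuth,tname=MSPProf) are preserved in order."""
    pairs: list[tuple[str, str | None]] = []
    for part in value.split(","):
        part = part.strip()
        if part and "=" in part:
            key, val = part.split("=", 1)
            pairs.append((key.strip(), val.strip()))
        elif part:
            pairs.append((part, None))
    return pairs


def first(pairs: list[tuple[str, str | None]], key: str) -> str | None:
    return next((v for k, v in pairs if k == key), None)


def parse_response(raw: str) -> tuple[int, list[tuple[str, str]]]:
    """Minimal HTTP/1.1 header parser: (status, [(lower-cased name, value), ...]).
    It accepts the listings' 'Name : value' spacing and folds indented
    continuation lines onto the preceding header value."""
    lines = raw.strip("\n").splitlines()
    status = int(lines[0].split()[1])
    headers: list[tuple[str, str]] = []
    for line in lines[1:]:
        if not line.strip():
            break  # blank line ends the header block
        if line[0] in " \t" and headers:  # folded continuation line
            name, val = headers[-1]
            headers[-1] = (name, f"{val} {line.strip()}")
        elif ":" in line:
            name, val = line.split(":", 1)
            headers.append((name.strip().lower(), val.strip()))
    return status, headers


def passport_params(headers: list[tuple[str, str]], name: str):
    """Parameter pairs of the first Passport1.4-scheme header called name, else None."""
    for hname, val in headers:
        if hname == name and val.startswith(SCHEME):
            return parse_params(val[len(SCHEME):])
    return None


def classify(raw: str) -> str:
    """Name the server message using the response shapes of steps 2, 4, 6 and 8."""
    status, headers = parse_response(raw)
    chal = passport_params(headers, "www-authenticate")
    info = passport_params(headers, "authentication-info")
    if status == 302 and chal is not None:
        return "Partner Server Challenge"
    if status == 401 and chal is not None and first(chal, "da-status") == "failed":
        return "Authentication Server Challenge"
    if status == 200 and info is not None:
        if first(info, "da-status") == "success" and first(info, "from-PP"):
            return "Token Response"
        if first(info, "tname"):
            return "Set Token"
    return "not a Passport1.4 message"


def token_names(raw: str) -> list[str]:
    """All tname values of a Set Token message, i.e. the cookies the partner sets."""
    _, headers = parse_response(raw)
    info = passport_params(headers, "authentication-info") or []
    return [v for k, v in info if k == "tname" and v]


# Constructed sample responses, transcribed from steps 2, 4, 6 and 8.
STEP2 = """HTTP/1.1 302 Redirect
Location : http://login.passport.com/login.srf?param1&param2
WWW-Authenticate : Passport1.4
   param1,param2
"""
STEP4 = """HTTP/1.1 401 Unauthorized
WWW-Authenticate : Passport1.4
   da-status=failed,srealm=Passport.NET, ts=0, param3
"""
STEP6 = """HTTP/1.1 200 OK
Authentication-Info : Passport1.4
   da-status=success,tname=PPAuth,from-PP=1puV5BFuLD,
   ru=http://www.msn.com/passport/passport_default.asp
Set-Cookie : PPAuth = "da-auth blob in passport.com" ;
"""
STEP8 = """HTTP/1.1 200 OK
Authentication-Info : Passport1.4
   tname=MSPAuth,tname=MSPProf
Set-Cookie : MSPAuth = "auth blob in msn.com" ;
Set-Cookie : MSPProf = "prof blob in msn.com" ;
"""
```

Running `classify` over STEP2, STEP4, STEP6 and STEP8 yields, in order, Partner Server Challenge, Authentication Server Challenge, Token Response and Set Token, and `token_names(STEP8)` returns the two cookie names the partner sets in step 8. Note that a Set Token message is recognized by the presence of tname alone, without da-status, which is exactly what distinguishes it from the Token Response in step 6; the Token Request of step 3 carries tname= with an empty value, which `first` returns as an empty string rather than None.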