2.2.7 Sign-in Request Message
This message contains the user's credentials and is sent by the client to the authentication server. It MUST contain the parameters in the Authentication Server Challenge message received from the partner server that originally initiated authentication.
Sign-in-Request-Message = "Authorization:" scheme 1*SP sign-in "," pwd ","
                          elapsed-time "," OrgVerb "," OrgURL
                          ["," customtoken] "," challenge
sign-in      = "sign-in=" signin-name
pwd          = "pwd=" passphrase
elapsed-time = "elapsed-time=" 1*DIGIT
signin-name  = signin-str "@" signin-str "." signin-str
signin-str   = 1*(%d39 / %d45 / %d46 / %d48-57 / %d65-90 / %d95 / %d97-122)
passphrase   = 1*(%d33-126)
sign-in: A string that MUST specify the user's sign-in name. It MUST be UTF-8–encoded (as specified in [RFC3629]) and unsafe character-escaped (as specified in [RFC2396]). The name MUST be an email name and can contain alphanumeric characters, hyphens, and periods.
pwd: A string that MUST specify the user's password. It MUST be UTF-8–encoded (as specified in [RFC3629]) and unsafe character-escaped (as specified in [RFC2396]). Alphanumeric and special characters MAY be used. If a comma is used in the password, it MUST be escaped, as specified in [RFC2396].
elapsed-time: A non-negative integer that MUST specify the duration, in seconds, since the sign-in name and password were placed in the token cache by the client. A value of 0 specifies that the user was prompted for credentials and cached credentials are not being sent.
customtoken: Optional token received from the authentication server in an Authentication Server Challenge message.
Example:
Authorization: Passport1.4 sign-in=user1%40example.com,pwd=password, elapsed-time=0, OrgVerb=GET,OrgUrl=https://partner.example.com/auth.asp, param1,param2
Note: The challenge is in whatever format the partners in the realm and the AS agree to use, and is not part of the protocol. It MUST be a comma-separated set of ptoken elements, as specified in the ABNF in section 2.2.1.
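The following Python is an added illustration of the message layout above; it is not part of the specification or of any Passport implementation. It builds a Sign-in Request header from decoded values (percent-escaping the sign-in name and password so that a comma or "@" in them cannot be confused with a field separator) and parses one back, validating the signin-name and elapsed-time productions. The function names build_signin_request and parse_signin_request are assumptions, and so is the choice to validate signin-name on the decoded value, since the example on this page carries "@" as %40 while the ABNF shows a literal "@". Because the challenge format is agreed privately between the partner and the AS, the parser returns every element after OrgURL unsplit as "trailing" (the optional customtoken followed by the challenge ptokens); only the server that issued the challenge can separate them.

```python
import re
from urllib.parse import quote, unquote

SCHEME = "Passport1.4"

# signin-str = 1*(%d39 / %d45 / %d46 / %d48-57 / %d65-90 / %d95 / %d97-122)
# i.e. apostrophe, hyphen, period, digits, A-Z, underscore, a-z.
_SIGNIN_STR = r"[-'.0-9A-Z_a-z]+"
# signin-name = signin-str "@" signin-str "." signin-str
_SIGNIN_NAME_RE = re.compile(rf"^{_SIGNIN_STR}@{_SIGNIN_STR}\.{_SIGNIN_STR}$")
_DIGITS_RE = re.compile(r"^[0-9]+$")

# Required fields in wire order; key comparison is case-insensitive because
# the page's own example writes "OrgUrl" where the ABNF writes "OrgURL".
_REQUIRED = ("sign-in", "pwd", "elapsed-time", "OrgVerb", "OrgURL")

# The example header from this page, used below as sample input.
PAGE_EXAMPLE = ("Authorization: Passport1.4 sign-in=user1%40example.com,pwd=password, "
                "elapsed-time=0, OrgVerb=GET,OrgUrl=https://partner.example.com/auth.asp, "
                "param1,param2")


def escape_value(value: str) -> str:
    """UTF-8-encode and percent-escape everything except the RFC 2396
    unreserved set (alphanum and -_.!~*'()). This escapes ',' and '@', so the
    receiver can still split the message on commas."""
    return quote(value, safe="-_.!~*'()")


def build_signin_request(signin, pwd, elapsed_time, org_verb, org_url,
                         challenge, customtoken=None):
    """Assemble a Sign-in Request header from decoded field values."""
    if not _SIGNIN_NAME_RE.match(signin):
        raise ValueError("sign-in name does not match the signin-name ABNF")
    if not pwd:
        raise ValueError("passphrase must be at least one character")
    if not isinstance(elapsed_time, int) or elapsed_time < 0:
        raise ValueError("elapsed-time must be a non-negative integer")
    if not challenge:
        raise ValueError("challenge is mandatory")
    fields = [
        "sign-in=" + escape_value(signin),
        "pwd=" + escape_value(pwd),
        f"elapsed-time={elapsed_time}",
        "OrgVerb=" + org_verb,
        "OrgURL=" + org_url,
    ]
    if customtoken is not None:
        fields.append(customtoken)
    fields.append(challenge)
    return f"Authorization: {SCHEME} " + ",".join(fields)


def parse_signin_request(header: str) -> dict:
    """Parse a Sign-in Request header line into decoded fields.

    The returned dict holds the five required fields plus "trailing", the
    list of remaining comma-separated elements (optional customtoken followed
    by the challenge ptokens) in the order received."""
    name, _, rest = header.partition(":")
    if name.strip() != "Authorization":
        raise ValueError("not an Authorization header")
    scheme, _, params = rest.strip().partition(" ")
    if scheme != SCHEME:
        raise ValueError(f"unexpected scheme {scheme!r}")
    # Split on commas; tolerate the whitespace after commas seen in the example.
    elements = [e.strip() for e in params.split(",")]
    if len(elements) < len(_REQUIRED) + 1:
        raise ValueError("too few elements: the challenge is mandatory")
    out = {}
    for expected, element in zip(_REQUIRED, elements):
        key, sep, value = element.partition("=")
        if not sep or key.lower() != expected.lower():
            raise ValueError(f"expected {expected}= but got {element!r}")
        out[expected] = value
    # Undo the RFC 2396 escaping applied by the client, then validate.
    out["sign-in"] = unquote(out["sign-in"])
    if not _SIGNIN_NAME_RE.match(out["sign-in"]):
        raise ValueError("sign-in name does not match the signin-name ABNF")
    out["pwd"] = unquote(out["pwd"])
    if not _DIGITS_RE.match(out["elapsed-time"]):
        raise ValueError("elapsed-time must be 1*DIGIT")
    out["elapsed-time"] = int(out["elapsed-time"])
    out["trailing"] = elements[len(_REQUIRED):]
    return out


if __name__ == "__main__":
    parsed = parse_signin_request(PAGE_EXAMPLE)
    print(parsed)
    # Round trip with a password containing ',' and '@' (constructed values).
    hdr = build_signin_request("user1@example.com", "pa,ss@word", 0, "GET",
                               "https://partner.example.com/auth.asp", "param1,param2")
    print(hdr)
    print(parse_signin_request(hdr)["pwd"])
```

Running the module parses the page's example header and then round-trips a constructed request whose password contains a comma, which reaches the wire as %2C and is restored on parsing. A receiver that skipped the escaping step or split before unescaping would mis-read such a password as an extra element, which is the practical reason the specification requires comma escaping in pwd.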