History

Early XForms requirements documents called for authentication support. Currently, user interfaces for authentication in web browsers are separate from the page, and (supposedly) easily recognizable as bona fide requests. The user is assured that the form author does not have access to the password.

Some had proposed an authentication binding that would allow the form author to bind form controls to authentication fields and then use CSS for styling. Others objected that this might give form authors access to the authentication data, or might confuse users, since the browser-controlled look-and-feel would no longer be present.

For XForms 1.0, we decided to leave authentication to the user agent.

Current State

XForms 1.1 provides the following features which can be used to enhance authentication.

For example, given the ability to alter the submission resource URI (with the submission/resource binding), we can support basic and digest authentication with HTTP as it allows user@pass in the URL. Similarly, for user agents that support FTP, the user@pass URL notation also works.
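
The technique described above, written out as XForms 1.1 markup. This is an added example, not from the original page; the host forms.example.org, the path, and the instance ids and element names are assumptions. The credentials go into the userinfo part of the URI in the form user:password@host, which the page abbreviates as user@pass.

```xml
<html xmlns="http://www.w3.org/1999/xhtml"
      xmlns:xf="http://www.w3.org/2002/xforms">
  <head>
    <title>Protected data</title>
    <xf:model>
      <!-- Data that is actually submitted (hypothetical structure). -->
      <xf:instance id="req" xmlns="">
        <request><item/></request>
      </xf:instance>

      <!-- Credentials are kept in a separate instance so they are not
           serialized with the request data. They are still ordinary
           instance nodes: the form author's bindings and XPath
           expressions can read them, which is the objection recorded
           under History. -->
      <xf:instance id="cred" xmlns="">
        <cred><user/><pass/></cred>
      </xf:instance>

      <xf:submission id="fetch" method="get"
                     ref="instance('req')" replace="instance">
        <!-- XForms 1.1: the resource child computes the submission URI
             at submit time. Assumption: user and pass contain no ':',
             '@' or '/' characters; such values would have to be
             percent-encoded before being placed in the URI. -->
        <xf:resource value="concat('https://',
                                   instance('cred')/user, ':',
                                   instance('cred')/pass,
                                   '@forms.example.org/protected/data')"/>
      </xf:submission>
    </xf:model>
  </head>
  <body>
    <xf:input ref="instance('cred')/user">
      <xf:label>User</xf:label>
    </xf:input>
    <!-- secret keeps the typed value from being displayed on screen -->
    <xf:secret ref="instance('cred')/pass">
      <xf:label>Password</xf:label>
    </xf:secret>
    <xf:submit submission="fetch">
      <xf:label>Sign in</xf:label>
    </xf:submit>
  </body>
</html>
```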

XForms 1.1 does not offer any syntactic sugar for combining the UI operations and the HMAC or other operations, nor any guidance to form authors.

Going Forward

Now may be a good time to re-examine the XForms 1.0 decision, and look at authentication binding again.

Questions

References


HTTP Authentication (last edited 2007-04-25 05:23:19 by JohnBoyer)