[OAI-implementers] Authentication in OAI-PMH

Filipe Correia fcorreia at gmail.com
Fri Jul 30 09:07:29 EDT 2010

Thank you for the quick reply José!

> Please be aware that the "O" in "OAI" really intends to mean "Open"! In that
> sense you are raising a relevant requirement for your project, but in fact it
> intentionally never was a requirement for the OAI community...

Well, I was afraid of that... :-)

> Anyway, there are many "strategies" you can apply to still keep using the
> basic OAI-PMH principles and at the same time apply your requirement... You
> can start by using a VPN, but maybe another very simple one, that just came now
> to my mind, would be to have on the server side an implementation of the
> delivery of the data sets dependent on the IP address of the client (I mean,
> you just need to customize a server for that, so for unknown IPs the server
> gives the "public" data, and the "private" data only to known and previously
> registered IPs...). Just an idea...

That's definitely an option to consider, I'm going to look into it
more thoroughly. I'm concerned about what happens when institutional
networks are involved. For example, if behind a given IP address
there's a whole network of computers, by authorizing that IP address
we may be granting access to more harvesters (or individuals) than

I've just thought of a possible alternative, and would love to know
your thoughts about it:
Harvesting an OAI-PMH provider is made entirely through HTTP calls, so
maybe one could use HTTP's basic-authentication? Even if the OAI-PMH
protocol doesn't say that servers should challenge harvesters for
authentication, if a harvester does provide authentication information
(more specifically, if it provides HTTP basic-auth credentials, sent
on the HTTP headers), the harvester could act accordingly. This way,
the OAI-PMH provider would remain compatible with "normal" harvesters,
to which it would provide only the "public" records. But it would be
able to provide additional records to harvesters providing

Do you see any reason why this could not work? Please warn me if you
think it's a bad practice for some reason :-)

Filipe Figueiredo Correia
PhD Student @ FEUP
Software Engineer @ ParadigmaXis
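
The provider-side check proposed in this message, sketched as an added example that is not part of the original post or of any OAI-PMH implementation: requests without credentials get the public records, valid HTTP basic-auth credentials get all records. The account name, passphrase, record identifiers, and the choice to answer 401 for bad credentials or for credentials sent outside TLS are assumptions.

```python
import base64
import hashlib
import hmac

# Constructed sample data: account name, passphrase and records are hypothetical.
SALT = b"constructed-salt"

def hash_password(password):
    return hashlib.pbkdf2_hmac("sha256", password.encode(), SALT, 100_000)

HARVESTERS = {"partner-harvester": hash_password("constructed-passphrase")}
RECORDS = [
    {"identifier": "oai:example.org:1", "visibility": "public"},
    {"identifier": "oai:example.org:2", "visibility": "private"},
]

def basic_header(user, password):
    """Harvester side: build the Authorization header value."""
    token = base64.b64encode(f"{user}:{password}".encode()).decode("ascii")
    return "Basic " + token

def parse_basic(header):
    """Return (user, password), or None if the header is not valid basic auth."""
    scheme, _, token = header.partition(" ")
    if scheme.lower() != "basic":
        return None
    try:
        decoded = base64.b64decode(token.strip(), validate=True).decode("utf-8")
    except ValueError:  # covers bad base64 and bad UTF-8
        return None
    user, sep, password = decoded.partition(":")
    return (user, password) if sep else None

def list_records(authorization, over_tls):
    """Return (http_status, identifiers) for a ListRecords-style request."""
    if authorization is None:
        # Ordinary harvester: plain OAI-PMH behaviour, public records only.
        public = [r for r in RECORDS if r["visibility"] == "public"]
        return 200, [r["identifier"] for r in public]
    creds = parse_basic(authorization)
    # Basic auth is only base64-encoded, so reject it outside TLS (assumption).
    if creds is None or not over_tls:
        return 401, []
    user, password = creds
    candidate = hash_password(password)  # computed even for unknown users
    expected = HARVESTERS.get(user)
    if expected is None or not hmac.compare_digest(candidate, expected):
        # Fail closed: a silent fallback to public data would hide the error.
        return 401, []
    return 200, [r["identifier"] for r in RECORDS]
```

Answering 401 on bad credentials, rather than quietly serving the public set, lets a misconfigured harvester notice that its harvest is incomplete.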
