[OAI-implementers] Autentication in OAI-PMH

Young,Jeff (OR) jyoung at oclc.org
Fri Jul 30 09:59:23 EDT 2010


Filipe,

OAI-PMH uses HTTP as a transport layer and isn't fussy about what happens under the HTTP covers. If you use proper HTTP status codes (e.g. 401/403) and headers (e.g. "WWW-Authenticate") to manage the authentication, there doesn't seem to be any wording in the OAI-PMH standard that would be problematic.

http://www.openarchives.org/OAI/openarchivesprotocol.html#HTTPResponseFormat

http://tools.ietf.org/html/rfc2616#section-10.4.2
http://tools.ietf.org/html/rfc2616#section-10.4.4
http://tools.ietf.org/html/rfc2616#section-11

Solving this according to Web standard authentication procedures would be praiseworthy.

I wouldn't worry about the ideology of the protocol being "Open". It's just a protocol.

Jeff

> -----Original Message-----
> From: oai-implementers-bounces at openarchives.org [mailto:oai-implementers-bounces at openarchives.org] On Behalf Of Filipe Correia
> Sent: Friday, July 30, 2010 9:07 AM
> To: jlb at ist.utl.pt
> Cc: oai-implementers at openarchives.org
> Subject: Re: [OAI-implementers] Autentication in OAI-PMH
> 
> Thank you for the quick reply José!
> 
> > Please be aware that the "O" in "OAI" really intends to mean "Open"! In that
> > sense you are raising a relevant requirement for your project, but in fact it
> > intentionally never was a requirement for the OAI community...
> 
> Well, I was afraid of that... :-)
> 
> 
> > Anyway, there are many "strategies" you can apply to still keep using the
> > basic OAI-PMH principles and at the same time apply your requirement... You
> > can start by using a VPN, but maybe another very simple one, that just came now
> > to my mind, would be to have from the server side an implementation of the
> > delivery of the data sets dependent on the IP address of the client (I mean,
> > you just need to customize a server for that, so for unknown IPs the server
> > gives the "public" data, and the "private" data only to known and previously
> > registered IPs...). Just an idea...
> 
> That's definitely an option to consider, I'm going to look into it
> more thoroughly. I'm concerned about what happens when institutional
> networks are involved. For example, if behind a given IP address
> there's a whole network of computers, by authorizing that IP address
> we may be granting access to more harvesters (or individuals) than
> intended.
> 
> I've just thought of a possible alternative, and would love to know
> your thoughts about it:
> Harvesting an OAI-PMH provider is made entirely through HTTP calls, so
> maybe one could use HTTP's basic-authentication? Even if the OAI-PMH
> protocol doesn't say that servers should challenge harvesters for
> authentication, if a harvester does provide authentication information
> (more specifically, if it provides HTTP basic-auth credentials, sent
> on the HTTP headers), the harvester could act accordingly. This way,
> the OAI-PMH provider would remain compatible with "normal" harvesters,
> to which it would provide only the "public" records. But it would be
> able to provide additional records to harvesters providing
> credentials.
> 
> Do you see any reason why this could not work? Please warn me if you
> think it's a bad practice for some reason :-)
> 
> 
> --
> Filipe Figueiredo Correia
> PhD Student @ FEUP
> Software Engineer @ ParadigmaXis
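
The scheme discussed in this thread (anonymous harvesters get the "public" records, harvesters sending HTTP Basic credentials get the "private" ones as well, and bad credentials get a 401 with a `WWW-Authenticate` challenge), as an added example that is not code from either poster or from any OAI-PMH implementation. It is a standard-library WSGI app; the record identifiers, user name, password and realm are constructed, and refusing credentials sent over plain HTTP with a 403 is an assumption of this example.

```python
import base64
import hmac

# Constructed sample data: identifiers, user name and password are placeholders.
PUBLIC = ["oai:example.org:1", "oai:example.org:2"]
PRIVATE = ["oai:example.org:3"]
USERS = {"harvester1": "constructed-secret"}
CHALLENGE = ("WWW-Authenticate", 'Basic realm="oai-pmh", charset="UTF-8"')

def basic(user, password):
    """Build the Authorization header value a harvester would send."""
    return "Basic " + base64.b64encode(f"{user}:{password}".encode()).decode()

def check_basic(header):
    """None if no credentials were sent, otherwise True (valid) or False."""
    if not header:
        return None
    scheme, _, token = header.partition(" ")
    try:
        user, sep, pw = base64.b64decode(token, validate=True).decode().partition(":")
    except ValueError:  # malformed base64 or invalid UTF-8
        return False
    expected = USERS.get(user)
    # Constant-time comparison, also performed for unknown users.
    match = hmac.compare_digest(pw.encode(), (expected or "").encode())
    return scheme.lower() == "basic" and bool(sep) and expected is not None and match

def app(environ, start_response):
    """Answers every request as ListIdentifiers; responseDate, request and
    datestamp elements are left out so the access decision stays in view."""
    auth = check_basic(environ.get("HTTP_AUTHORIZATION"))
    if auth is not None and environ.get("wsgi.url_scheme") != "https":
        # Assumption of this example: Basic credentials are refused without TLS.
        start_response("403 Forbidden", [("Content-Type", "text/plain")])
        return [b"credentials are only accepted over HTTPS\n"]
    if auth is False:
        start_response("401 Unauthorized", [CHALLENGE, ("Content-Type", "text/plain")])
        return [b"invalid credentials\n"]
    ids = PUBLIC + (PRIVATE if auth else [])  # anonymous harvesters see PUBLIC only
    items = "".join(f"<header><identifier>{i}</identifier></header>" for i in ids)
    xml = ('<OAI-PMH xmlns="http://www.openarchives.org/OAI/2.0/">'
           f"<ListIdentifiers>{items}</ListIdentifiers></OAI-PMH>")
    start_response("200 OK", [("Content-Type", "text/xml; charset=UTF-8")])
    return [xml.encode()]

def harvest(auth_header=None, scheme="https"):
    """Drive the app in-process; returns (status, headers, body)."""
    seen = {}
    environ = {"wsgi.url_scheme": scheme, "QUERY_STRING": "verb=ListIdentifiers"}
    if auth_header:
        environ["HTTP_AUTHORIZATION"] = auth_header
    body = b"".join(app(environ, lambda s, h: seen.update(status=s, headers=dict(h))))
    return seen["status"], seen["headers"], body.decode()
```

`harvest()` exercises the app without opening a socket; the same `app` can be served with `wsgiref.simple_server.make_server` behind a TLS-terminating front end.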