[OAI-implementers] Autentication in OAI-PMH

Michael Nelson mln at cs.odu.edu
Fri Jul 30 11:43:06 EDT 2010

Just to echo Jeff's comment: solve your auth problems with HTTP.

Although I can't recall any examples, it is my understanding that there 
are many instances of harvesters & repos currently doing this.



On Fri, 30 Jul 2010, Young,Jeff (OR) wrote:

> Filipe,
> OAI-PMH uses HTTP as a transport layer and isn't fussy about what happens under the HTTP covers. If you use proper HTTP status codes (e.g. 401/403) and headers (e.g. "WWW-Authenticate") to manage the authentication, there doesn't seem to be any wording in the OAI-PMH standard that would be problematic.
> http://www.openarchives.org/OAI/openarchivesprotocol.html#HTTPResponseFormat
> http://tools.ietf.org/html/rfc2616#section-10.4.2
> http://tools.ietf.org/html/rfc2616#section-10.4.4
> http://tools.ietf.org/html/rfc2616#section-11
> Solving this according to Web standard authentication procedures would be praiseworthy.
> I wouldn't worry about ideology of the protocol being "Open". It's just a protocol.
> Jeff
>> -----Original Message-----
>> From: oai-implementers-bounces at openarchives.org [mailto:oai-
>> implementers-bounces at openarchives.org] On Behalf Of Filipe Correia
>> Sent: Friday, July 30, 2010 9:07 AM
>> To: jlb at ist.utl.pt
>> Cc: oai-implementers at openarchives.org
>> Subject: Re: [OAI-implementers] Autentication in OAI-PMH
>> Thank you for the quick reply José!
>>> Please be aware that the "O" in "OAI" really intends to mean "Open"! In that
>>> sense you are raising a relevant requirement for your project, but in fact it
>>> intentionally never was a requirement for the OAI community...
>> Well, I was afraid of that... :-)
>>> Anyway, there are many "strategies" you can apply to still keep using the
>>> basic OAI-PMH principles and at the same time apply your requirement... You
>>> can start by using a VPN, but maybe another very simple one, that just came now
>>> to my mind, would be to have from the server side an implementation of the
>>> delivery of the data sets dependent on the IP address of the client (I mean,
>>> you just need to customize a server for that, so for unknown IPs the server
>>> gives the "public" data, and the "private" data only to known and previously
>>> registered IPs...). Just an idea...
>> That's definitely an option to consider, I'm going to look into it
>> more thoroughly. I'm concerned about what happens when institutional
>> networks are involved. For example, if behind a given IP address
>> there's a whole network of computers, by authorizing that IP address
>> we may be granting access to more harvesters (or individuals) than
>> intended.
>> I've just thought of a possible alternative, and would love to know
>> your thoughts about it:
>> Harvesting an OAI-PMH provider is made entirely through HTTP calls, so
>> maybe one could use HTTP's basic-authentication? Even if the OAI-PMH
>> protocol doesn't say that servers should challenge harvesters for
>> authentication, if a harvester does provide authentication information
>> (more specifically, if it provides HTTP basic-auth credentials, sent
>> on the HTTP headers), the harvester could act accordingly. This way,
>> the OAI-PMH provider would remain compatible with "normal" harvesters,
>> to which it would provide only the "public" records. But it would be
>> able to provide additional records to harvesters providing
>> credentials.
>> Do you see any reason why this could not work? Please warn me if you
>> think it's a bad practice for some reason :-)
>> --
>> Filipe Figueiredo Correia
>> PhD Student @ FEUP
>> Software Engineer @ ParadigmaXis
>> _______________________________________________
>> OAI-implementers mailing list
>> List information, archives, preferences and to unsubscribe:
>> http://www.openarchives.org/mailman/listinfo/oai-implementers

Michael L. Nelson mln at cs.odu.edu http://www.cs.odu.edu/~mln/
Dept of Computer Science, Old Dominion University, Norfolk VA 23529
+1 757 683 6393 +1 757 683 4900 (f)
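
The approach discussed in this thread, as an added sketch (not code from any poster or from an OAI-PMH implementation): anonymous harvesters get only public records, valid HTTP Basic credentials unlock the rest, and invalid credentials get a 401 with a WWW-Authenticate challenge. The account, record identifiers, realm and function names are hypothetical, the XML is abbreviated, and the endpoint is assumed to be served over TLS because Basic credentials are only base64-encoded.

```python
import base64
import hmac
from xml.sax.saxutils import escape

# Constructed sample data: hypothetical harvester account and record identifiers.
HARVESTERS = {"partner": "s3cret-example"}
RECORDS = [("oai:example.org:1", True), ("oai:example.org:2", False)]  # (id, is_public)
CHALLENGE = 'Basic realm="oai-pmh", charset="UTF-8"'


def authenticate(authorization):
    """Return the user name, None if no credentials were sent, False if they are invalid."""
    if not authorization:
        return None
    scheme, _, token = authorization.partition(" ")
    if scheme.lower() != "basic":
        return False
    try:
        decoded = base64.b64decode(token.strip(), validate=True).decode("utf-8")
    except ValueError:  # also covers binascii.Error and UnicodeDecodeError
        return False
    user, sep, password = decoded.partition(":")
    expected = HARVESTERS.get(user)
    # Constant-time comparison; unknown users are compared against an empty
    # string and then rejected, so both paths do the same work.
    matches = hmac.compare_digest(password.encode(), (expected or "").encode())
    return user if sep and expected is not None and matches else False


def list_identifiers(authorization=None):
    """Return (status, headers, body) for an abbreviated ListIdentifiers response."""
    user = authenticate(authorization)
    if user is False:
        # Bad credentials are challenged instead of silently downgraded to
        # the public view, so a misconfigured harvester notices the failure.
        return 401, {"WWW-Authenticate": CHALLENGE}, ""
    visible = [rid for rid, is_public in RECORDS if is_public or user]
    items = "".join(
        f"<header><identifier>{escape(rid)}</identifier></header>" for rid in visible
    )
    headers = {
        "Content-Type": "text/xml",
        # The body depends on the credentials, so shared caches must not
        # hand an authenticated response to an anonymous harvester.
        "Vary": "Authorization",
        "Cache-Control": "private" if user else "public",
    }
    return 200, headers, f"<OAI-PMH><ListIdentifiers>{items}</ListIdentifiers></OAI-PMH>"
```
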
