One question I’m wrangling with right now is how to add authenticated feeds to an application. I have an application that you have to log into in order to use. The application will publish some feeds. I have to decide whether or not to require authentication to view the feeds, and if so, how that authentication will work.
There are a number of problems associated with feed authentication. The first is that I have no idea what sorts of authentication are widely supported by feed readers. The second is that most people subscribe to many, many feeds, and I wouldn’t want them to have to enter their username and password every time they attempt to refresh the feed. The third is that if you create an authentication system that doesn’t require the user to enter their password, the link to that feed is almost certainly not secure. The user will be able to copy the feed URL and email it to anyone they like. This is especially problematic if the user’s username and password are included in the URL. And the fourth is that regardless of which system I use, it needs to be understandable by users who don’t know what RSS, Atom, SSL, and Basic Authentication are.
The good news is that none of the data in this application really demands security. The only reason it’s walled off at all is that it’s going to be published elsewhere later and I don’t want people to start browsing it within the content management system. I could leave out all of the security for the feeds without much worry. If I can extend the application’s existing authentication to the feeds, though, I may as well do so.
I’m looking at how other applications do feed authentication. FogBugz produces RSS feeds and provides two means of authentication. You can consume the feed in an application that maintains your FogBugz cookie (like Firefox), or you can include your username and password as query parameters.
LiveJournal authenticates feeds using HTTP Digest (if you add the right parameter to your URL) or using the LiveJournal authentication cookie if your application has it stored.
37signals’ Basecamp application also uses authenticated feeds. Basecamp’s documentation doesn’t say what form of authentication they use, but a little test reveals that their feeds are authenticated using Basic Authentication.
Daring Fireball also uses Basic Authentication for private feeds.
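To make the trade-offs above concrete, here is an added example (my own, not code from the post or from FogBugz, LiveJournal, Basecamp or Daring Fireball) of a feed endpoint that accepts the three mechanisms those sites use: HTTP Basic Authentication, a stored login cookie, and, only if explicitly enabled, FogBugz-style username and password query parameters. The user store, session store, and every function name are constructed for the example. Passwords are compared via PBKDF2 hashes in constant time, and the query-string path is off by default because a URL that carries the password is exactly the shareable-link problem described earlier.

```python
"""Feed authentication helpers: HTTP Basic, session cookie, and (optionally) query-string credentials.

Added example with hypothetical stores and helper names; none of this comes from the products
mentioned in the post.
"""
import base64
import hashlib
import hmac
from http.cookies import CookieError, SimpleCookie
from urllib.parse import parse_qs, urlparse

REALM = "Private feeds"

# Constructed: a fixed salt keeps the demo user store reproducible. A real store keeps one salt per user.
_SALT = b"demo-salt-not-for-production"


def _hash_password(password: str, salt: bytes) -> bytes:
    return hashlib.pbkdf2_hmac("sha256", password.encode("utf-8"), salt, 100_000)


# Constructed demo user: username -> password hash (the password is a placeholder, not a real credential).
USERS = {"alice": _hash_password("correct horse", _SALT)}

# Constructed session store: cookie value -> username, standing in for the login cookie a
# browser-based reader such as Firefox would send along with the feed request.
SESSIONS = {"s3ss10n-t0k3n": "alice"}


def verify_password(username: str, password: str) -> bool:
    """Constant-time check against the stored hash; unknown users still pay the hashing cost."""
    stored = USERS.get(username)
    candidate = _hash_password(password, _SALT)
    if stored is None:
        return False
    return hmac.compare_digest(stored, candidate)


def basic_header(username: str, password: str) -> str:
    """Build the Authorization header value a feed reader sends after a Basic challenge."""
    token = base64.b64encode(f"{username}:{password}".encode("utf-8")).decode("ascii")
    return f"Basic {token}"


def _from_basic_header(headers: dict):
    scheme, _, param = headers.get("Authorization", "").partition(" ")
    if scheme.lower() != "basic" or not param.strip():
        return None
    try:
        decoded = base64.b64decode(param.strip(), validate=True).decode("utf-8")
    except (ValueError, UnicodeDecodeError):
        return None
    username, sep, password = decoded.partition(":")
    if not sep:
        return None
    return username if verify_password(username, password) else None


def _from_cookie(headers: dict):
    try:
        jar = SimpleCookie(headers.get("Cookie", ""))
    except CookieError:
        return None
    morsel = jar.get("session")
    return SESSIONS.get(morsel.value) if morsel is not None else None


def _from_query_string(url: str):
    # FogBugz-style ?username=...&password=... works in any reader, but the password then lives in
    # the URL: in server logs, in the reader's history, and in any copy the user forwards.
    qs = parse_qs(urlparse(url).query)
    username = qs.get("username", [None])[0]
    password = qs.get("password", [None])[0]
    if username is None or password is None:
        return None
    return username if verify_password(username, password) else None


def authenticate_feed_request(headers: dict, url: str, allow_query_credentials: bool = False):
    """Return the authenticated username or None. Header first, then cookie, then query string if enabled."""
    user = _from_basic_header(headers) or _from_cookie(headers)
    if user is None and allow_query_credentials:
        user = _from_query_string(url)
    return user


def challenge():
    """Status and headers for an unauthenticated request: a Basic-capable reader prompts once, then resends."""
    return 401, {"WWW-Authenticate": f'Basic realm="{REALM}", charset="UTF-8"'}
```

A handler would call authenticate_feed_request on each GET and return challenge() when it yields None; readers that understand Basic Authentication store the credentials after the first prompt, which addresses the "re-enter the password on every refresh" problem without putting anything secret in the URL.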
Feed authentication seems like yet another area where some kind of certificate-based authentication system would be a huge win, but obviously that remains a pipe dream.