Hi David,

On 11/19/2012 02:54 PM, David J wrote:
> Is the database shared? If so maybe when they authenticate add a secure
> token to the header that the second proxy can use for auth?

No, the DBs are explicitly NOT shared in this scenario.

> Just a suggestion, not sure if it's the answer you're looking for or perhaps
> I didn't understand the scenario well enough.

Let me try to put the scenario in different words:

If a request from a subscriber hits a server, and it doesn't contain an
Authorization header, then the server would just challenge the request.
This doesn't require any subscriber information on this server, so it
shouldn't matter whether this subscriber exists on this server or not.

When the request comes in again, this time with an Authorization header,
the server can use the username and realm of this header to check
whether the subscriber is local or not. If it's local, it would just try
to authenticate it as usual, and if it's not, it can look up the correct
server using this auth username/realm and forward the request to the
responsible server.

Now this second server would receive a request, which already contains
an authorization header, but it won't be able to authenticate it if the
nonce is not in sync between server1 and server2.

So this leads to the question whether it's possible to sync the nonces
in a way that server1 challenges a request, and a different server would
be able to authenticate the subsequent request holding the
challenge-response.

Andreas
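
One way to get the behaviour asked about in the message above, shown as an added example that is not part of the original thread or any project's code: make the nonce self-verifying with a secret both servers hold, so server2 can validate a nonce issued by server1 without a shared database. The shared secret, the TTL, all function names and the sample subscriber are assumptions made for illustration.

```python
import hashlib, hmac, time

SHARED_SECRET = b"constructed-demo-secret"  # assumption: provisioned on both servers
NONCE_TTL = 300                             # assumption: challenge lifetime in seconds

def _mac(secret, expires, realm):
    return hmac.new(secret, f"{expires}:{realm}".encode(), hashlib.sha256).hexdigest()

def make_nonce(secret, realm, now=None):
    """server1: issue a self-verifying nonce; no per-nonce state is stored."""
    expires = int(time.time() if now is None else now) + NONCE_TTL
    return f"{expires:08x}{_mac(secret, expires, realm)}"

def check_nonce(secret, realm, nonce, now=None):
    """server2: accept only an unexpired nonce whose MAC verifies."""
    now = int(time.time() if now is None else now)
    try:
        expires = int(nonce[:8], 16)
    except ValueError:
        return False
    good = _mac(secret, expires, realm).encode()
    return hmac.compare_digest(nonce[8:].encode(), good) and now <= expires

def digest_response(user, realm, password, method, uri, nonce):
    """RFC 2617 digest response without qop: MD5(HA1:nonce:HA2)."""
    md5 = lambda s: hashlib.md5(s.encode()).hexdigest()
    ha1, ha2 = md5(f"{user}:{realm}:{password}"), md5(f"{method}:{uri}")
    return md5(f"{ha1}:{nonce}:{ha2}")

def server2_authenticate(secret, local_users, hdr, method):
    """hdr: parsed Authorization fields of the request forwarded by server1."""
    if not check_nonce(secret, hdr["realm"], hdr["nonce"]):
        return "stale-or-forged-nonce"  # server2 would re-challenge here
    password = local_users.get((hdr["username"], hdr["realm"]))
    if password is None:
        return "unknown-user"
    expected = digest_response(hdr["username"], hdr["realm"], password,
                               method, hdr["uri"], hdr["nonce"])
    ok = hmac.compare_digest(expected.encode(), hdr["response"].encode())
    return "ok" if ok else "bad-credentials"

if __name__ == "__main__":
    users = {("alice", "sip.example.org"): "s3cret"}  # constructed sample subscriber
    nonce = make_nonce(SHARED_SECRET, "sip.example.org")
    hdr = {"username": "alice", "realm": "sip.example.org", "nonce": nonce,
           "uri": "sip:sip.example.org"}
    hdr["response"] = digest_response("alice", "sip.example.org", "s3cret",
                                      "REGISTER", hdr["uri"], nonce)
    print(server2_authenticate(SHARED_SECRET, users, hdr, "REGISTER"))
```

Because server2 keeps no record of issued nonces in this sketch, a captured response stays replayable until the nonce expires, so the TTL should be short.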