
Simon Willison’s Weblog

Atom API

Mark Pilgrim has posted an extensively documented demonstration of the current draft of the Atom API, a REST style web service interface for posting to and editing weblogs. It looks like it will be a fun standard to implement; the basic idea (as with all REST services) is to obtain as much leverage as possible out of the HTTP standard, using lesser known methods such as PUT and DELETE in addition to the more common GET and POST. The authentication mechanism is particularly interesting: since Apache’s support for digest authentication requires an additional module that many hosts may not provide, the Atom guys have created their own based around new Atom-Authenticate HTTP headers.

This is the only part of the current specification that I, as a PHP developer, have a problem with. To my knowledge, there is no way of directly accessing non-standard HTTP headers from within a PHP script. As such, it would be impossible for a PHP Atom API application to support Atom authentication. This is a serious barrier to adoption of the standard, especially as PHP is by far the most popular open source web scripting technology.

This is Atom API by Simon Willison, posted on 18th August 2003.


17 comments

  1. You could pull it out of getallheaders() (Apache only, unfortunately), couldn't you?

    anode - 18th August 2003 23:47 - #

  2. Headers: .... X-FOO: 124 .... PHP code: echo($_SERVER["HTTP_X_FOO"]);
    Just put phpinfo(); into a PHP page, and then see what you get back when using custom headers.

    Daniel Von Fange - 18th August 2003 23:56 - #

  3. Nope, HTTP headers are easy in PHP:

    Client code uses header(), server code would use getallheaders().

    John Beimler - 19th August 2003 00:22 - #

  4. I had forgotten about getallheaders() - unfortunately, as anode pointed out, it is only available when PHP is used as an Apache module. For other environments there is still no way of accessing custom headers (with the possible exception of X-something headers)

    Simon Willison - 19th August 2003 00:32 - #

  5. OK, I've just confirmed that PHP (at least from version 4.2.1) can access custom HTTP headers provided they are prefixed with "X-". I've submitted this to the Atom mailing list, with a suggestion that they add this prefix to any custom headers sent by the client. Thanks Daniel :)

    Simon Willison - 19th August 2003 00:40 - #

  6. You should post an update to this blog post.

    Since I have just read your post in an aggregator, and come here to comment on getallheaders() ;)

    zombie - 19th August 2003 01:09 - #

  7. You are welcome.

    Daniel Von Fange - 19th August 2003 01:37 - #

  8. I'm a little confused, I'm seeing the Atom headers show up in $_SERVER without difficulty. Both running as a CGI, and as an Apache dso. Am I missing something?

    kellan - 19th August 2003 06:08 - #

  9. PHP implementation of HTTP Digest Authentication - for anyone interested in such things.

    Xiven - 19th August 2003 11:00 - #

  10. I'm sorry, I can't agree with reinventing the wheel. "Digest isn't supported by everyone, so we thought we'd invent something new that has no practical advantage and is supported by no-one". If people are going to be pulling out headers manually, then why can't they do so for proper digest authentication? It would save a hell of a lot of time for the people that do have use of proper digest authentication.

    Jim Dabell - 19th August 2003 17:38 - #

  11. Jim, I thought Mark addressed that rather well. 2 motivations I heard were:
    • requiring the Apache module was a very real barrier to adoption
    • tool vendors preferred to work with the authentication info in application vs. server space.
    Those are both pretty compelling, esp. when taken together.

    kellan - 19th August 2003 20:47 - #

  12. requiring the Apache module was a very real barrier to adoption

    HTTP Digest Authentication does not require the Apache module any more than the same concept reinvented with renamed headers (for that is all it is) would need it. Just because it is one way of implementing HTTP Digest Auth., doesn't mean you have to use it (see my previous comment for an example of another way; which would of course require only minor modifications to support the Atom scheme).

    I really don't see any justifiable reason for reinventing HTTP Digest Authentication.

    Xiven - 19th August 2003 22:25 - #

  13. Is PHP able to return custom status codes? I tried porting his Atom Authentication to PHP, and it's unable to set the status to any 4xx higher than 424. Changing this: <?php header('HTTP/1.x 447 Atom Unauthorized'); ?> to <?php header('HTTP/1.x 401'); ?> works fine.

    rick - 23rd August 2003 05:01 - #

  14. With Apache 2.0.47 and PHP 4.3.2, those status codes get automatically converted to 500 errors for me. Seems a bit short-sighted on behalf of the PHP developers.

    Jim Dabell - 23rd August 2003 11:41 - #

  15. A question: what exactly is an API? what does it do? is it something I can use if I'm trying to write my custom weblogging system in php? sorry for being clueless ;-)

    Steph - 10th October 2003 12:32 - #

  16. API = "Application Programmer Interface"

    It's the programming level interface used to talk with a given library, database, web-service, etc. In this case it's a description of how to work with the Atom weblog so you can develop your own weblog client for reading and editing.

    For more details see the Wikipedia entry on API

    Andrew Dalke - 13th October 2005 18:53 - #

  17. apache2, php 5.0.5 via apache2handler, header('HTTP/1.x 447 Atom Unauthorized'); works fine :)

    lifemk2 - 25th October 2005 11:20 - #
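
The header lookup discussed in comments 1 to 8, written out as an added example (not code from the post or from any commenter): it reads request headers through getallheaders() where the server API provides it and otherwise rebuilds them from the HTTP_* keys in $_SERVER. The function name `request_headers` and the sample arrays are constructed for illustration.

```php
<?php
/**
 * Return request headers as [lowercase-name => value].
 * Prefers getallheaders() where the server API offers it; otherwise
 * rebuilds the names from the CGI-style HTTP_* keys in $server.
 */
function request_headers(array $server, bool $useNative = true): array
{
    $headers = [];
    if ($useNative && function_exists('getallheaders')) {
        $native = getallheaders();
        if (is_array($native)) {
            foreach ($native as $name => $value) {
                $headers[strtolower($name)] = $value;
            }
            return $headers;
        }
    }
    foreach ($server as $key => $value) {
        if (strncmp($key, 'HTTP_', 5) === 0) {
            $name = substr($key, 5);
        } elseif ($key === 'CONTENT_TYPE' || $key === 'CONTENT_LENGTH') {
            $name = $key; // CGI passes these two without the HTTP_ prefix
        } else {
            continue;     // REQUEST_METHOD, SERVER_NAME, ... are not headers
        }
        // The mapping is lossy: "X-Foo" and "X_Foo" both arrive as
        // HTTP_X_FOO, so the rebuilt name is a best guess.
        $headers[strtolower(str_replace('_', '-', $name))] = $value;
    }
    return $headers;
}

// Constructed sample: what PHP running as CGI sees for "X-Foo: 124".
$cgi = [
    'REQUEST_METHOD' => 'POST',
    'HTTP_HOST'      => 'example.org',
    'HTTP_X_FOO'     => '124',
    'CONTENT_TYPE'   => 'application/xml',
];
$h = request_headers($cgi, false); // false: force the $_SERVER path
var_dump($h['x-foo'], $h['content-type'], isset($h['request-method']));

// Constructed sample: a request carrying "X_Foo" lands on the same key.
$collision = request_headers(['HTTP_X_FOO' => 'from X_Foo'], false);
var_dump($collision['x-foo']);
```

Because hyphens and underscores collapse to the same $_SERVER key, a header-based authentication check should not rely on a front-end proxy having filtered only the hyphenated spelling of a header name.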


Previously hosted at http://simon.incutio.com/archive/2003/08/18/atomAPI
