Hi David,
On 11/19/2012 02:54 PM, David J wrote:
> Is the database shared? If so, maybe when they authenticate, add a secure token to the header that the second proxy can use for auth?
No, the DBs are explicitly NOT shared in this scenario.
> Just a suggestion, not sure if it's the answer you're looking for, or perhaps I didn't understand the scenario well enough.
Let me try to put the scenario in different words:
If a request from a subscriber hits a server, and it doesn't contain an Authorization header, then the server would just challenge the request. This doesn't require any subscriber information on this server, so it shouldn't matter whether this subscriber exists on this server or not.
When the request comes in again, this time with an Authorization header, the server can use the username and realm of this header to check whether the subscriber is local or not. If it's local, it would just try to authenticate it as usual, and if it's not, it can look up the correct server using this auth username/realm and forward the request to the responsible server.
Now this second server would receive a request, which already contains an authorization header, but it won't be able to authenticate it if the nonce is not in sync between server1 and server2.
So this leads to the question whether it's possible to sync the nonces in a way that server1 challenges a request, and a different server would be able to authenticate the subsequent request holding the challenge-response.
Andreas
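
Added example, not part of the original message: one way to let a second server accept a challenge issued by the first is the stateless nonce construction suggested in RFC 2617 (a timestamp plus a keyed hash), so that only a secret key is shared and no subscriber data. The key, realm, credentials, method, URI and function names below are constructed for illustration, and the response is the digest form without qop.

```python
import hashlib
import hmac
import time

NONCE_TTL = 300  # seconds a challenge stays valid (constructed value)

def _md5(text):
    return hashlib.md5(text.encode()).hexdigest()

def _mac(key, ts, realm):
    return hmac.new(key, f"{ts}:{realm}".encode(), hashlib.sha256).hexdigest()

def make_nonce(key, realm, now=None):
    """server1: build a self-describing nonce; no per-nonce state is kept."""
    ts = format(int(time.time() if now is None else now), "x")
    return f"{ts}.{_mac(key, ts, realm)}"

def check_nonce(key, realm, nonce, now=None):
    """server2: accept only a fresh nonce carrying a valid MAC under the shared key."""
    ts, sep, mac = nonce.partition(".")
    if not sep or not hmac.compare_digest(mac.encode(), _mac(key, ts, realm).encode()):
        return False
    now = time.time() if now is None else now
    return 0 <= now - int(ts, 16) <= NONCE_TTL

def digest_response(ha1, method, uri, nonce):
    """Digest response without qop: MD5(HA1:nonce:MD5(method:uri))."""
    return _md5(f"{ha1}:{nonce}:{_md5(f'{method}:{uri}')}")

def authenticate(key, ha1_by_user, method, auth, now=None):
    """server2: verify a forwarded request using only its own subscriber data."""
    ha1 = ha1_by_user.get((auth["username"], auth["realm"]))
    if ha1 is None or not check_nonce(key, auth["realm"], auth["nonce"], now):
        return False
    expected = digest_response(ha1, method, auth["uri"], auth["nonce"])
    return hmac.compare_digest(expected.encode(), auth["response"].encode())

# Constructed sample data: the subscriber exists only in server2's database.
KEY, REALM, URI = b"constructed-shared-key", "example.org", "sip:example.org"
SERVER2_DB = {("alice", REALM): _md5(f"alice:{REALM}:constructed-password")}

def demo(password="constructed-password", now=1000):
    nonce = make_nonce(KEY, REALM, now)  # server1 challenges without knowing alice
    ha1 = _md5(f"alice:{REALM}:{password}")  # client computes its response
    auth = {"username": "alice", "realm": REALM, "nonce": nonce, "uri": URI,
            "response": digest_response(ha1, "REGISTER", URI, nonce)}
    return authenticate(KEY, SERVER2_DB, "REGISTER", auth, now + 10)  # server2
```

Because no server remembers which nonces it issued, a captured response stays replayable on any server holding the key until the nonce expires, so the validity window should be kept short.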