Are there any sites that actually support Atom-style X-WSSE authentication except 43things? The AtomPubTesting page doesn't show any, and Blogger's Atom endpoint just tells me
I'm sorry, we only support BASIC Authentication over SSL. Mark's XML.com article is two and a half years old now, but still I can't find any mention of (or link to any mention of) WSSE in the latest Atom-Pub draft. Come on guys, wasn't Atom meant to be better-documented than RSS and the metaWeblog API?
Aha - finally figured out that Movable Type supports the Atom API. Not sure how a client is meant to figure that out, though - the only mention of editing is the <link rel="EditURI"> element, which points to an RSD file that only mentions the metaWeblog and Blogger-v1 endpoints. Then when you go to
mt-atom.cgi, it just says "1" until you figure out that the endpoint is actually
mt-atom.cgi/weblog/. But now - finally I see a
WWW-Authenticate: WSSE profile="UsernameToken" header - so I can get on to my testing!
Update: Clock skew will be an issue with WSSE; is there an accepted way for a client to sync time with a server?
Note: MT's WSSE implementation differs from that in Mark's XML.com article; in MT, the Nonce parameter is expected to be encoded with base64.
Update 2: I now have my code generating X-WSSE headers that MT is accepting as valid. Still no luck with 43things, though.