Today I created a private blog site — that is, Internet-accessible but SSL-and-password-protected — and realized that there was no easy way for most people to subscribe to it. Even if the popular cloud-based readers like Bloglines and Google Reader supported authenticated feeds, I wouldn’t want to let them use my credentials to impersonate me.
What about the Microsoft RSS Platform? I discovered to my surprise that it won’t read authenticated feeds either. I’m way late to the party on this one. Scott Hanselman sounded the alarm last September. (He also speculated usefully about a CardSpace-strengthened approach to secure RSS.)
Way back in February, Dare Obasanjo had weighed in on why authenticated feeds would matter, and in March Sean Lyndersay explained on Charlie Wood’s blog why the feature didn’t make the cut.
My own case helps bolster Sean’s point that password-protected feeds are rare birds. Despite all the blog publishing and feedreading I’ve done over the years, today was the first time I’ve created, and then turned around and subscribed to, an authenticated feed.
Still, there are all kinds of messages that I’d rather receive from banks and credit card companies by way of RSS pull (under my control) rather than by way of email push (under their control). But if Windows itself doesn’t yet read authenticated feeds, it’s hard for those companies to justify producing such feeds. Chicken and egg.
So how did I finally subscribe to it? With Dare Obasanjo’s RSS Bandit, the first desktop-based reader I’ve touched in years.
Update: Thanks to this comment I have discovered that Outlook 2007 is one of the standalone RSS readers that can subscribe to authenticated feeds. I had originally thought otherwise but that was operator error on my part. It does work, provided that Outlook 2007 is set up to subscribe autonomously rather than to use the common feed store. Here’s a screencast that shows IE7 and Outlook 2007 interacting with the common feed store, as well as Outlook 2007 working autonomously.
Update 2: A followup question came up today. That screencast shows how to make Outlook 2007 use the common feed list. (See File->Import.) But how do you switch away from that choice in order to read authenticated feeds? ANSWER: Tools -> Options -> Other -> Advanced.
March 27, 2007 at 3:31 pm
My Feedreader http://www.feedreader.com/ does authentication too.
March 27, 2007 at 3:35 pm
[...] Jon Udell has finally stumbled onto a long standing problem in the syndication space… the vast majority of existing feed readers… especially browser-based readers… absolutely suck at dealing with feeds requiring authentication… or any degree of security. There are lots of issues ranging from readers that do not even support the most basic HTTP authentication mechanisms (e.g. Basic/Digest auth), readers that do Basic auth without also supporting SSL to secure the authentication credentials, readers that do not support SSL at all, readers that do not support cookie-based authentication (used frequently in corporate single sign on set ups), readers that are incapable of seeing past firewall boundaries. Feed readers need to solve this problem, and they need to do it very very quickly. [...]
March 27, 2007 at 4:14 pm
I proposed one solution for this space almost two years ago:
http://www.xml.com/pub/a/2005/07/13/secure-rss.html
There’s plenty of hurdles, but it does attack the problem from some completely different angles, not using authentication but encryption, and using a microformat to indicate the sections of the content to be decrypted.
March 27, 2007 at 4:27 pm
The NewsGator platform (I have used FeedDemon since, oh, version 0.7 or so) handles this just fine.
March 27, 2007 at 4:31 pm
Jon, I haven’t found authenticated feeds to be quite so rare. For example, FeedBurner provides an authenticated “personal feed” for every one of its customers, and each GMail user has an authenticated feed at https://mail.google.com/mail/feed/atom
In addition, there are a lot of “behind the firewall” customers and mobile office workers who absolutely rely on their feed reader supporting authenticated feeds.
FWIW, FeedDemon has supported authenticated feeds (including SSL) for quite some time (as has NewsGator Online):
http://nick.typepad.com/blog/2005/10/feeddemon_16_be.html
March 27, 2007 at 4:38 pm
I’ve been using Newsfox to keep track of events across several instances of the Trac project management system, some of which require authentication. Newsfox is a Firefox plugin. This integrates well with a browser-centric life, but maybe Jon’s using IE.
March 27, 2007 at 4:51 pm
This has been a headache for DrProject [1] — activity in each project can be syndicated as RSS, but we can’t allow student groups to watch each other’s commits, tickets, and so on. We don’t want to tell students that they have to use a particular feed reader (by show of hands, they currently use at least half a dozen web-based readers, and a couple of desktop readers), so we’ve simply turned the feeds off :-(
[1] http://www.drproject.org
March 27, 2007 at 7:30 pm
I suspect not many people know this, but LiveJournal supports authenticated feeds. If you authenticate yourself, the RSS feed includes the LJ user’s “friends-only” posts (assuming you’re listed as their friend, of course :).
I searched for an RSS reader that both worked the way I want, and supported authentication, and didn’t find any. I ended up with a complicated mechanism of a web proxy on my internet server that only allows connections from localhost, and an SSH tunnel to carry feed reader requests to the proxy… ugly, but it did solve my problem.
March 27, 2007 at 7:56 pm
I’ve been using NetNewsWire quite happily for over two years to subscribe to LiveJournal’s authenticated feeds. The only downside is that it required me to put in the same username/password combination for Every Single Feed at LiveJournal, where it would’ve been useful if there had been an option to indicate that it’s the same entry each time.
March 27, 2007 at 8:53 pm
RSSOwl (Java) has been doing authenticated feeds for a couple of years. http://inkblots.markwoodman.com/2005/03/25/rss-owl-11/
March 27, 2007 at 10:23 pm
I use Outlook 2007 for secure feeds and Google Reader for everything else.
March 28, 2007 at 2:26 am
Two points:
1. For the sake of completeness: the free Vienna also supports authenticated feeds.
2. I have been using authenticated feeds for almost three years: We have several company related feeds protected by SSL and authentication where we access vital information also on the road. Those are internal blogs, cvstrac information, internal wikis etc.
Cheers, Stefan
March 28, 2007 at 8:48 am
Quick note: http://www.blogbridge.com has supported authenticated feeds forever, remembers passwords across sessions (if you want), is free, open source, and runs on Mac, Windows and Linux.
March 28, 2007 at 9:15 am
I’ve come across the authenticated feeds problem, and I’m surprised that there’s no better solution. By better I mean that one that our intranet people can easily implement on our Oracle platform, and our wiki platform…
March 28, 2007 at 10:48 am
“I proposed one solution for this space almost two years ago”
I remember that. It’s quite workable, and could in fact be complementary to a password-protected feed. In the case of a cloud-based reader in particular, you might well want to have both password protection and encryption.
March 28, 2007 at 10:27 pm
Especially for schools attempting to create social network-enabled intranets, I would like to see the other side of this coin better developed — open-source blogging platforms that create password-protected feeds. For example, I would like Elgg, our school blogging platform, to require form-based login for web-based access and HTTP auth for RSS reader access. Elgg doesn’t do the RSS part out of the box, and once you close Elgg as a private network, RSS feeds all break. I’m not sure whether it’s possible to enable HTTP authentication without an htaccess file.
March 29, 2007 at 12:03 pm
in your post you make it sound like bloglines doesn’t support http authentication for feeds, or the notion of “private” feeds. In fact it supports both, and i have used that feature for quite some time.
you simply put the username and password in the feed url, as the http spec provides for
http://username@password:mysite.com/feed/url
then bloglines automagically knows it’s private; but you can select the private setting for any feed that you subscribe to… authenticated or not.
March 29, 2007 at 3:26 pm
“http://username@password:mysite.com/feed/url”
True. I wouldn’t want to encode my credentials that way, though, or have Bloglines memorize them so it could impersonate me.
March 30, 2007 at 1:43 am
[...] Jon Udell: Authenticated RSS feeds Not all readers support it, probably not too many of the browserbased ones. [...]
March 30, 2007 at 4:39 am
Does anyone know if this is something OpenID could possibly handle? Allowing a feed reaping service to get authenticated feeds and authenticating through OpenID? If it can then would that be acceptable for you Jon? Or is storing credentials on an OpenID server also still too centralised/open for your liking?
It is a very real problem and I’d love to find a method for web-based aggregators to respect users security concerns.
April 30, 2007 at 3:09 pm
So we’ve been having a problem with configuring Outlook to read an authenticated RSS feed. Is there something beyond removing it from the common feed? We’ve done that, and now we’re getting a message that the link may not point to a valid source. It renders fine in IE7.
Any thoughts on what could be configured incorrectly? The admins tell me the problem is not on the server (of course they do), so I’m curious if you have ideas of what we should look for…or a good resource to check out.
Thanks,
August 14, 2007 at 5:25 am
i need auth feeds to subscribe to several forums. i also want to produce an auth-only forum – several, in fact. this sucks.
google reader is unreliable with auth feeds. gmail doesn’t seem to want to produce proper feeds – same with google groups.
problems everywhere. it’s not that difficult.
October 10, 2007 at 9:08 pm
Just noticed an error…
it is not
“http://username@password:mysite.com/feed/url”
rather
“http://username:password@mysite.com/feed/url”
(switch @ and : )
cheers
October 22, 2007 at 10:46 am
Very interesting Blog!
December 1, 2007 at 8:28 am
As said by Jon, passing the credentials in the URL is definitely not a good solution. Instead of forcing people to do this, the RSS feed provider could rather give a key within the URL and that key authenticates the user. Something like:
https://server.com/rss/feed?key=
Technically the key can contain a public part that identifies the user and an SHA or MD5 signature made with a server private key. In that case, there is no authentication but the server can still verify that the RSS feed is granted.
The weakness is when you publish the feed URL or when the URL is stolen. Everybody having the key can access the RSS feed. This is why you have to use SSL and not share that feed URL with anybody. Remember that passing your credentials in the URL has the same problem! But in the case of the SHA/MD5 key, nobody will ever know your password.
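The signed-key scheme described in the comment above, sketched as an added example (not code from the original post or from any commenter). It substitutes HMAC-SHA256 for the bare SHA or MD5 signature mentioned there and adds a per-user generation counter as one way to revoke a leaked URL; the secret, user names and feed path are constructed.

```python
import base64
import hashlib
import hmac

# Constructed demo values. A real secret is random and never leaves the server.
SERVER_SECRET = b"constructed-demo-secret"
# Per-user key generation; bumping it invalidates every URL issued earlier.
CURRENT_GEN = {"alice": 2}


def b64(data: bytes) -> str:
    """URL-safe base64 without padding, suitable for a query parameter."""
    return base64.urlsafe_b64encode(data).rstrip(b"=").decode()


def sign(public: str, feed: str) -> str:
    # Bind the MAC to the feed path so a key for one feed fails on another.
    mac = hmac.new(SERVER_SECRET, f"{public}\n{feed}".encode(), hashlib.sha256)
    return b64(mac.digest())


def issue_key(user: str, feed: str) -> str:
    """Build '<public part>.<signature>' for use as ?key=... in the feed URL."""
    public = b64(f"{user}:{CURRENT_GEN[user]}".encode())
    return f"{public}.{sign(public, feed)}"


def verify_key(key: str, feed: str):
    """Return the user name if the key is valid for this feed, else None."""
    try:
        public, sig = key.split(".")
    except ValueError:
        return None
    # Check the MAC in constant time before trusting anything in the key.
    if not hmac.compare_digest(sig.encode(), sign(public, feed).encode()):
        return None
    # Past this point the public part is one this server issued.
    raw = base64.urlsafe_b64decode(public + "=" * (-len(public) % 4)).decode()
    user, _, gen = raw.rpartition(":")
    if CURRENT_GEN.get(user) != int(gen):
        return None  # key was rotated after a suspected leak
    return user
```

The password never appears in the URL, but the key is still a bearer token: it needs SSL in transit, and it tends to end up in server logs and reader configuration.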
April 14, 2008 at 12:07 pm
I just released a service today that gives users the ability to subscribe to authenticated feeds in any feed reader including Google Reader, Bloglines, etc…
http://freemyfeed.com/
Enjoy!
June 13, 2008 at 2:08 pm
I’ve been bitten by the flaky Outlook implementation of this several times when I’ve wanted to do the occasional testing on our secure RSS feeds. This MS KB article says you can’t do it at all: http://support.microsoft.com/kb/917125
That’s BS. But what I’ve found is you can’t do it by selecting “New” on the RSS Feeds tab of the Account Settings dialog – you’ll get the error in the above KB article. The way to do it is to right-click on the RSS Feeds mail folder, and then select to Add a New Feed.
Perhaps by documenting it here I won’t be bitten again!
August 19, 2008 at 2:47 pm
[...] and then change your LJ password and see how many of them you can get to work again.) I found this blog post that echoes the problems of authenticated [...]
August 25, 2008 at 4:24 pm
Thanks for these useful tips!
October 4, 2008 at 3:35 pm
you can use Mozilla Thunderbird as a reader for secure rss feeds and it is free..
October 21, 2008 at 9:47 am
Nice Page!!! And Thanks for the tips!
November 9, 2008 at 6:01 am
ie7 and firefox 3.0.3 seem to support authenticated feeds.
December 15, 2008 at 4:07 am
intraVnews supports authenticated feeds (basic/digest/windows) in Outlook XP, 2003 and 2007. It also works fine (from) behind the firewall.
January 9, 2009 at 12:34 am
http://msdn.microsoft.com/en-us/library/cc196991%28VS.85%29.aspx
ie8 will support rss feed authentication
October 22, 2009 at 3:57 pm
Actually this isn’t entirely true. Currently there are problems with Outlook 2007 as it creates duplicates when using secure feeds. I have a completely updated copy of Outlook 2007 running and my regular RSS feeds are fine, but my secure ones breed like rabbits, repeatedly downloading the same posts. Microsoft is currently working on the issue. There is a free plug-in for Outlook out there that does work properly and will not produce duplicates.
http://rsspopper.blogspot.com/2004/10/home.html
March 15, 2010 at 3:47 pm
Are there any AJAX type utilities which pull secured rss feeds, taking in a username/pwd?
Like the Google AJAX API; it does not seem to support authentication though.