Authenticated RSS feeds

Today I created a private blog site — that is, Internet-accessible but SSL-and-password-protected — and realized that there was no easy way for most people to subscribe to it. Even if the popular cloud-based readers like Bloglines and Google Reader supported authenticated feeds, I wouldn’t want to let them use my credentials to impersonate me.

What about the Microsoft RSS Platform? I discovered to my surprise that it won’t read authenticated feeds either. I’m way late to the party on this one. Scott Hanselman sounded the alarm last September. (He also speculated usefully about a CardSpace-strengthened approach to secure RSS.)

Way back in February, Dare Obasanjo had weighed in on why authenticated feeds would matter, and in March Sean Lyndersay explained on Charlie Wood’s blog why the feature didn’t make the cut.

My own case helps bolster Sean’s point that password-protected feeds are rare birds. Despite all the blog publishing and feedreading I’ve done over the years, today was the first time I’ve created, and then turned around and subscribed to, an authenticated feed.

Still, there are all kinds of messages that I’d rather receive from banks and credit card companies by way of RSS pull (under my control) rather than by way of email push (under their control). But if Windows itself doesn’t yet read authenticated feeds, it’s hard for those companies to justify producing such feeds. Chicken and egg.

So how did I finally subscribe to it? With Dare Obasanjo’s RSS Bandit, the first desktop-based reader I’ve touched in years.

Update: Thanks to this comment I have discovered that Outlook 2007 is one of the standalone RSS readers that can subscribe to authenticated feeds. I had originally thought otherwise but that was operator error on my part. It does work, provided that Outlook 2007 is set up to subscribe autonomously rather than to use the common feed store. Here’s a screencast that shows IE7 and Outlook 2007 interacting with the common feed store, as well as Outlook 2007 working autonomously.

Update 2: A followup question came up today. That screencast shows how to make Outlook 2007 use the common feed list. (See File->Import.) But how do you switch away from that choice in order to read authenticated feeds? ANSWER: Tools -> Options -> Other -> Advanced.

Posted in .

40 thoughts on “Authenticated RSS feeds

  1. Jon, I haven’t found authenticated feeds to be quite so rare. For example, FeedBurner provides an authenticated “personal feed” for every one of its customers, and each GMail user has an authenticated feed at

    In addition, there are a lot of “behind the firewall” customers and mobile office workers who absolutely rely on their feed reader supporting authenticated feeds.

    FWIW, FeedDemon has supported authenticated feeds (including SSL) for quite some time (as has NewsGator Online):

  2. I’ve been using Newsfox to keep track of events across several instances of theTrac project management system some of which require authentication. Newsfox is a Firefox plugin. This integrates well with a browser-centric life but Maybe Jon’s using IE.

  3. This has been a headache for DrProject [1] — activity in each project can be syndicated as RSS, but we can’t allow student groups to watch each other’s commits, tickets, and so on. We don’t want to tell students that they have to use a particular feed reader (by show of hands, they currently use at least half a dozen web-based readers, and a couple of desktop readers), so we’ve simply turned the feeds off :-(


  4. I suspect not many people know this, but LiveJournal supports authenticated feeds. If you authenticating yourself, the RSS feed includes the LJ user’s “friends-only” posts (assuming you’re listed as their friend, of course :).

    I searched for an RSS reader that both worked the way I want, and supported authentication, and didn’t find any. I ended up with a complicated mechanism of a web proxy on my internet server that only allows connections from localhost, and an SSH tunnel to carry feed reader requests to the proxy… ugly, but it did solve my problem.

  5. I’ve been using NetNewsWire quite happily for over two years to subscribe to LiveJournal’s authenticated feeds. The only downside is that it required me to put in the same username/password combination for Every Single Feed at LiveJournal, where it would’ve been useful if there had been an option to indicate that it’s the same entry each time.

  6. Two points:

    1. For the sake of completeness: the free vienna also suppors authenticated feeds.

    2. I have been using authenticated feeds for almost three years: We have several company related feeds protected by SSL and authentication where we access vital information also on the road. Those are internal blogs, cvstrac information, internal wikis etc.

    Cheers, Stefan

  7. I’ve come across the authenticated feeds problem, and I’m surprised that there’s no better solution. By better I mean that one that our intranet people can easily implement on our Oracle platform, and our wiki platform…

  8. “I proposed one solution for this space almost two years ago”

    I remember that. It’s quite workable, and could in fact be complementary to a password-protected feed. In the case of a cloud-based reader in particular, you might well want to have both password protection and encryption.

  9. Especially for schools attempting to create social network-enabled intranets, I would like to see the other side of this coin better developed — open-source blogging platforms that create password-protected feeds. For example, I would like Elgg, our school blogging platform, require form-based login for web-based access and HTTP auth for RSS reader access. Elgg doesn’t do the RSS part out of the box, and once you close Elgg as a private network, RSS feeds all break. I’m not sure whether it’s possible to enable HTTP authentication without an htaccess file.

  10. in your post you make it sound like bloglines doesn’t support http authentication for feeds, or the notion of “private” feeds. In fact it supports both, and i have used that feature for quite some time.

    you simply put the username and password in the feed url, as the http spec provides for

    then bloglines automagically knows it’s private; but you can select the private setting for any feed that you subscribe to… authenticated or not.

  11. “”

    True. I wouldn’t want to encode my credentials that way, though, or have Bloglines memorize them so it could impersonate me.

  12. Does anyone know if this is something OpenID could possibly handle? Allowing a feed reaping service to get authenticated feeds and authenticating through OpenID? If it can then would that be acceptable for you Jon? Or is storing credentials on an OpenID server also still too centralised/open for your liking?

    It is a very real problem and I’d love to find a method for web-based aggregators to respect users security concerns.

  13. So we’ve been having a problem with configuring Outlook to read a authenticated RSS feed. Is there something beyond removing it from the common feed? We’ve done that, and now we’re getting a message that the link may not point to a valid source. It renders fine in IE7.

    Any thoughts on what could be configured incorrectly? The admins tell me the problem is not on the server (of course they do), so I’m curious if you have ideas of what we should look for…or a good resource to check out.


  14. i need auth feeds to subscribe to several forums. i also want to produce an auth-only forum – several, in fact. this sucks.

    google reader is unreliable with auth feeds. gmail doesn’t seem to want to produce proper feeds – same with google groups.

    problems everywhere. it’s not that difficult.

  15. Just noticed an error…
    it is not



    (switch @ and : )

  16. As said by John, passing the credentials in the URL is definately not a good solution. Instead of forcing people to do this, the RSS feed provider could rather give a key within the URL and that key authentifies the user. Something like:

    Technically the key can contain a public part that identifies the user and an SHA or MD5 signature made with
    a server private key. In that case, there is no authentication but the server can still verify that the RSS feed is granted.

    The weekness is when you publish the feed URL or when the URL is stolen. Everybody having the key can access the RSS feed. This is why you have to use SSL and not share that feed URL with anybody. Remember that passing your credentials in the URL has the same problem! But in the case of the SHA/MD5 key, nobody will ever know your password.

  17. I’ve been bitten by the flaky Outlook implementation of this several times when I’ve wanted to do the occasional testing on our secure RSS feeds. This MS KB article says you can’t do it at all:

    That’s BS. But what I’ve found is you can’t do it by selecting “New” on the RSS Feeds tab of the Account Settings dialog – you’ll get the error in the above KB article. The way to do it is to right-click on the RSS Feeds mail folder, and then select to Add a New Feed.

    Perhaps by documenting it here I won’t be bitten again!

  18. you can use Mozilla Thunderbird as a reader for secure rss feeds and it is free..

  19. Actually this isn’t entirely true. Currently there are problems with Outlook 2007 as it creates duplicates when using secure feeds. I have a completely updated copy of Outlook 2007 running and my regular RSS feeds are fine, but my secure ones breed like rabbits, repeatedly downloading the same posts. Microsoft is currently working on the issue. There is a free plug-in for Outlook out there that does work properly and will not produce duplicates.

  20. Are there any AJAX type utilities which pull an secured rss feeds taking in a username/pwd.
    like Google AJAX APi. it does not seems to support authentication though.

  21. Does your blog have a contact page? I’m having trouble locating it but, I’d like
    to shoot you an e-mail. I’ve got some creative ideas for
    your blog you might be interested in hearing. Either way,
    great website and I look forward to seeing it expand over time.

Leave a Reply