8.1. REMOTE AUTHENTICATION

When you're using remote services, it is almost always the case that the user accounts on the server are not the same as those on the Mac on which your application is running. The server is certainly not going to have shared accounts with an iPhone, which has no networked directory services. In Chapter 5 you discovered how the user's credentials for the distant server can be securely stored on the keychain, but now you need to get those credentials over the network. Different servers use different techniques for authenticating users on client computers, and each of these techniques has its own security requirements, benefits, and drawbacks.

8.1.1. HTTP Authentication

The HTTP protocol has a built-in capability for negotiating authentication. When a client requests a resource with limited access, the server responds with code 401 (unauthorized), along with a WWW-Authenticate header with more information about the authentication requirement. If you visit a protected resource in a web browser and see the standard "The server requires a password" dialog, the site-specific text presented in the dialog comes from that WWW-Authenticate header.