How to authenticate an RSS feed

Question

Basecamp uses HTTP authentication for its RSS feeds but this means that Google Reader, Bloglines and Firefox/Safari RSS don't work.

Is it possible to secure an RSS feed but still allow access from these popular readers?

Answer 1

Only possible solution I would think is use some randomly generated token inside URL to your feed. InfoQ works this way (with personalized feed) and I think many other. This way you can always revoke access to feed by simply changing token.

It has one disadvantage - it is not "protected" by password, so everyone who has can guess (or read from config files of your reader) URL has access to your feed.

And never, NEVER, put anything sensitive in this feed. Put only short summary and require users to open browser, log in and read more.

Answer 2

Try using the RSS feed url in format: https://USERNAME:PASSWORD@URL

For a Basecamp project feed, this url might be: https://bigguy:[email protected]/1234567/projects/89101112.atom

But it's really not a good idea to leave your password within a text field of one of these services -- even if you trust the service.

So, the safer solution is to use an intermediary that can safely store your credentials, access the protected feed, and republish the feed contents at a publicly-accessible url. Basically, we want a public proxy for the protected feed.

I use Yahoo Pipes to accomplish this. This pre-built Pipe makes it very easy to set this up.