# Introduction
Passport 1.4, or "Tweener", as it's sometimes called,
is an HTTP-based authentication system that was introduced with [MSNP8](../versions/msnp8.md).

For [MSNP12](../versions/msnp12.md) and above, read Passport 3.0.

# Nexus
The Passport Nexus is a server that provides information to other parties about how to use Passport.

It's default domain is `nexus.passport.com`.

## pprdr.asp
The Passport Redirection service returns the `PassportURLs` header, which contains the `DALogin` parameter
that is used to specify which server to attempt Passport 1.4 authentication with.

### Client/Request
```
GET /rdr/pprdr.asp HTTP/1.1
Host: nexus.passport.com

```

### Server/Response
```
HTTP/1.1 200 OK
Cache-Control: private
Content-Type: text/html
Content-Length: 0
PassportURLs: DARealm=Passport.Net,DALogin=login.passport.com/login2.srf,ConfigVersion=15

```

Where `PassportURLs` (case-sensitive) contains the following parameters:
* `DARealm`: The Domain Authority's realm name.
* `DALogin`: The Domain Authority's login endpoint.
* `ConfigVersion`: Increases by 1 every time that PassportURLs is updated to flush the URL cache.

# Passport Login
The Passport Login server is a HTTPS server that provides the login service (default is `login2.srf`)
specified in `DALogin` from the [Nexus](#nexus) response.

## login2.srf
The `login2.srf` endpoint is used for programmatic authentication.

### Client/Request
```
GET /login2.srf HTTP/1.1
Authorization: Passport1.4 Passport1.4 OrgVerb=GET,OrgURL=http%3A%2F%2Fmessenger%2Emsn%2Ecom,sign-in={user-handle},pwd={password},{server-args}
User-Agent: MSMSGS
Host: login.passport.com
Connection: Keep-Alive
Cache-Control: no-cache

```

Where `user-handle` is the URL-encoded user handle of the user to authenticate.

Where `password` is the URL-encoded password of the user to authenticate.

Where `server-args` is the parameter given to the server's response to the Initial [USR](../commands/usr.md).

### Server/Response

#### Authentication Redirection
If the server you are authenticating to does not support your account type,
but knows a server that does, this is used, otherwise [Authentication Successful](#authentication-successful) is.

If you are redirected, you have to send the `Authorization` header again to the new server specified in `Location`.

```
HTTP/1.1 302 Found
Cache-Control: no-cache
cachecontrol: no-store
Connection: close
Authentication-Info: Passport1.4 da-status=redir
Location: https://loginnet.passport.com/login2.srf?lc=1033

```

#### Authentication Successful
```
HTTP/1.1 200 OK
Cache-Control: no-cache
cachecontrol: no-store
Connection: close
Content-Type: text/html
Authentication-Info: Passport1.4 dastatus=success,from-PP='t=token&p=profile',ru=http://messenger.msn.com
Content-Length: 0

```

#### Authentication Failure
The `dastatus` may instead be `failed-noretry`.
```
HTTP/1.1 Unauthorized
Cache-Control: no-cache
cachecontrol: no-store
WWW-Authenticate Passport1.4 dastatus=failed,srealm=Passport.NET,ts=-1,prompt,cburl=http://www.passportimages.com/XPPassportLogo.gif
Content-Length: 154

<HTML><HEAD><META HTTP-EQUIV="REFRESH" CONTENT="0; URL=https://login.passport.com/pp25/login2.srf?f=11"><script>function OnBack(){}</script></HEAD></HTML>
```