Re: [hybi] Supporting OAUTH-like authentication?
Iñaki Baz Castillo <ibc@aliax.net> Fri, 12 August 2011 22:38 UTC
Return-Path: <ibc@aliax.net>
X-Original-To: hybi@ietfa.amsl.com
Delivered-To: hybi@ietfa.amsl.com
Received: from localhost (localhost [127.0.0.1]) by ietfa.amsl.com (Postfix) with ESMTP id 10BBE21F8639 for <hybi@ietfa.amsl.com>; Fri, 12 Aug 2011 15:38:58 -0700 (PDT)
X-Virus-Scanned: amavisd-new at amsl.com
X-Spam-Flag: NO
X-Spam-Score: -2.653
X-Spam-Level:
X-Spam-Status: No, score=-2.653 tagged_above=-999 required=5 tests=[AWL=0.024, BAYES_00=-2.599, FM_FORGED_GMAIL=0.622, MIME_8BIT_HEADER=0.3, RCVD_IN_DNSWL_LOW=-1]
Received: from mail.ietf.org ([12.22.58.30]) by localhost (ietfa.amsl.com [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id SQ4ztVLTDCRP for <hybi@ietfa.amsl.com>; Fri, 12 Aug 2011 15:38:57 -0700 (PDT)
Received: from mail-qy0-f172.google.com (mail-qy0-f172.google.com [209.85.216.172]) by ietfa.amsl.com (Postfix) with ESMTP id 3339221F85AC for <hybi@ietf.org>; Fri, 12 Aug 2011 15:38:57 -0700 (PDT)
Received: by qyk34 with SMTP id 34so29171qyk.10 for <hybi@ietf.org>; Fri, 12 Aug 2011 15:39:35 -0700 (PDT)
MIME-Version: 1.0
Received: by 10.229.101.137 with SMTP id c9mr1022345qco.102.1313188773551; Fri, 12 Aug 2011 15:39:33 -0700 (PDT)
Received: by 10.229.234.65 with HTTP; Fri, 12 Aug 2011 15:39:33 -0700 (PDT)
In-Reply-To: <4E320640.2080408@gmail.com>
References: <CAH_y2NHZuYTbpMnrHU65JtZzRE-pbiXnRRh=rOTknTbc_+8gow@mail.gmail.com> <4E320640.2080408@gmail.com>
Date: Sat, 13 Aug 2011 00:39:33 +0200
Message-ID: <CALiegfn9hpX0NtBeybJNV87LXCdwPpte38zi_NS4qXE3dK8H8w@mail.gmail.com>
From: Iñaki Baz Castillo <ibc@aliax.net>
To: Philipp Serafin <phil127@gmail.com>
Content-Type: text/plain; charset="UTF-8"
Content-Transfer-Encoding: quoted-printable
Cc: Hybi <hybi@ietf.org>, Greg Wilkins <gregw@intalio.com>
Subject: Re: [hybi] Supporting OAUTH-like authentication?
X-BeenThere: hybi@ietf.org
X-Mailman-Version: 2.1.12
Precedence: list
List-Id: Server-Initiated HTTP <hybi.ietf.org>
List-Unsubscribe: <https://www.ietf.org/mailman/options/hybi>, <mailto:hybi-request@ietf.org?subject=unsubscribe>
List-Archive: <http://www.ietf.org/mail-archive/web/hybi>
List-Post: <mailto:hybi@ietf.org>
List-Help: <mailto:hybi-request@ietf.org?subject=help>
List-Subscribe: <https://www.ietf.org/mailman/listinfo/hybi>, <mailto:hybi-request@ietf.org?subject=subscribe>
X-List-Received-Date: Fri, 12 Aug 2011 22:38:58 -0000
2011/7/29 Philipp Serafin <phil127@gmail.com>: > Wouldn't it be better to move the token exchange into the actual WS > connection where we have efficient two-way communication available? > > 1.: Client connects to server using subprotocol "foo", which is known to > use OAuth as authentication (or e.g. "foo+oauth", if this should be > decided on per-connection basis) I don't like point 1 (due to same reason given by Greg in next mail). > 2.: Client and server perform successful WS handshake > 3.: Server sends token and authority URL in a WS message. > 4.: Client gets token authorized > 5.: Client sends authorized token back in a WS message. > 6.: Server confirms that authorisation was successful. > 7.: Client and server exchange messages as specified by "foo". Let me propose another approach: 1.: Client connects to server using subprotocol "foo". Client does NOT know which authentication the server requires (neither if the server does require authentication or not). Please don't assume that a specific WS subprotocol always requires the same authentication mechanism. It's the server who must decide it at any time. 2.: Client and server perform successful WS handshake. The server requires (in this case) Digest authentication so the 101 response contains a *standard* header defined in WS core draft: Sec-WebSocket-Authenticate: Digest realm="domain.org", nonce="4e45a9e60000856cac2a6dd2e4edeba1a83e2ceb7137c3d0", qop="auth" 3.: Client supports Digest authentication so it taken the username/passwd from somewhere (WS-API) and starts speaking "auth+digest" WS subprotocol (which should be defined in some RFC). 4.: So client sends a WS message containing the computed Digest credentials. 5.: Server confirms that authorisation was successful in a WS reply. 6.: Client and server exchange messages as specified by subprotocol "foo". Now replace Digest with OAUTH or whatever. Of course, all those authentication mechanism should be standarized by different RFC's to be used in WS. Each one would involve a defined WS subprotocol ("auth+digest", "auth+oauth"). A WS server could reply more than one Sec-WebSocket-Authenticate header (one with "Digest" and another one with "OAUTH") in case it supports both, so the client could choose which one to use. -- Iñaki Baz Castillo <ibc@aliax.net>
- [hybi] Supporting OAUTH-like authentication? Greg Wilkins
- Re: [hybi] Supporting OAUTH-like authentication? Philipp Serafin
- Re: [hybi] Supporting OAUTH-like authentication? Greg Wilkins
- Re: [hybi] Supporting OAUTH-like authentication? Brian
- Re: [hybi] Supporting OAUTH-like authentication? Iñaki Baz Castillo
- Re: [hybi] Supporting OAUTH-like authentication? Iñaki Baz Castillo