Re: [hybi] WebSocket handshake (HTTP and SSO)

[Scott Ferguson <ferg@caucho.com>]

Hector Santos wrote:
> Scott Ferguson wrote:
>
>> We do need to make one change in the handshake, because the first 
>> client data (the random bytes) is the logical place to put 
>> authentication credentials.
>
> When not just use the a HTTP.Authorization header?

That's not possible with DIGEST with the current handshake. It is 
possible with BASIC, but I'd like to allow/encourage DIGEST or better 
for non-browser clients (it would be invisible to the application 
developer).

The DIGEST operation looks something like (numbers are packets):

  1. client's GET/Upgrade - no authentication information

  2. s_nonce: server challenge (i.e. client needs to wait for a 
round-trip to start.)

  3. client auth: user, H(s_nonce, H(user, password))

In WebSockets, #1 and #2 are HTTP, but #3 is not, it's the packet with 
the random bytes, so you can't just use HTTP header because we're no 
longer in HTTP mode.

There's currently no place to put the Authorization credentials in the 
WebSockets handshake without forcing extra round trips.


>
>> If we just punt and make applications write their own authentication 
>> instead of piggybacking on the handshake, it would cost an extra 
>> round trip.
>
> But you also can't prevent this - when an non-authenticate request 
> comes in.

Nowhere do I suggest that digest or any specific authentication scheme 
become mandatory.  I have no idea what your comment is responding to.

I'm just proposing that when non-browser clients do want to use a 
standard authentication scheme and want save a handshake round trips, 
that we allow that capability, which is currently prevented by the 
current handshake design.

 From the experience of Hessian, there will be non-browser clients who 
would like to piggyback on standard authentication, and not be forced to 
write their own.

-- Scott