IETF Logo Mail Archive

Re: [hybi] WebSocket handshake (HTTP and SSO)

Hector Santos <hsantos@isdg.net> Mon, 30 August 2010 17:54 UTC

Return-Path: <hsantos@isdg.net>
X-Original-To: hybi@core3.amsl.com
Delivered-To: hybi@core3.amsl.com
Received: from localhost (localhost [127.0.0.1]) by core3.amsl.com (Postfix) with ESMTP id 765B33A69F6 for <hybi@core3.amsl.com>; Mon, 30 Aug 2010 10:54:08 -0700 (PDT)
X-Virus-Scanned: amavisd-new at amsl.com
X-Spam-Flag: NO
X-Spam-Score: -4.306
X-Spam-Level:
X-Spam-Status: No, score=-4.306 tagged_above=-999 required=5 tests=[AWL=-1.707, BAYES_00=-2.599]
Received: from mail.ietf.org ([64.170.98.32]) by localhost (core3.amsl.com [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id wlffrYtBu1zX for <hybi@core3.amsl.com>; Mon, 30 Aug 2010 10:54:07 -0700 (PDT)
Received: from mail.winserver.com (ntbbs.winserver.com [208.247.131.9]) by core3.amsl.com (Postfix) with ESMTP id AEE623A69F4 for <hybi@ietf.org>; Mon, 30 Aug 2010 10:54:06 -0700 (PDT)
Received: by winserver.com (Wildcat! SMTP Router v6.3.453.4) for hybi@ietf.org; Mon, 30 Aug 2010 13:54:49 -0400
Received: from beta.winserver.com ([208.247.131.23]) by winserver.com (Wildcat! SMTP v6.3.453.4) with ESMTP id 2808917515; Mon, 30 Aug 2010 13:54:48 -0400
Received: by beta.winserver.com (Wildcat! SMTP Router v6.3.453.2) for hybi@ietf.org; Mon, 30 Aug 2010 13:52:47 -0400
Received: from [192.168.1.101] ([99.3.147.93]) by beta.winserver.com (Wildcat! SMTP v6.3.453.2) with ESMTP id 3397012813; Mon, 30 Aug 2010 13:52:46 -0400
Message-ID: <4C7BF060.7070501@isdg.net>
Date: Mon, 30 Aug 2010 13:54:40 -0400
From: Hector Santos <hsantos@isdg.net>
Organization: Santronics Software, Inc.
User-Agent: Thunderbird 2.0.0.24 (Windows/20100228)
MIME-Version: 1.0
To: Scott Ferguson <ferg@caucho.com>
References: <4C7A269F.8020306@gmail.com> <AANLkTinqJ+K-pqm7p7S+aviWVY==S0mJ9RBvNfpnTa02@mail.gmail.com> <AANLkTikCVNoJnKXTOTJadYJWYR356u1wZdVNdBwEh6cg@mail.gmail.com> <AANLkTik3Jo4rG8cTcHerpwPumT_X77bn9y5rDkZ8ZD33@mail.gmail.com> <AANLkTimabr-0gVy1Jpr0=i-Wfv6u-AnD+ReNvb0eajYO@mail.gmail.com> <4C7BDA8F.4080107@caucho.com>
In-Reply-To: <4C7BDA8F.4080107@caucho.com>
Content-Type: text/plain; charset="UTF-8"; format="flowed"
Content-Transfer-Encoding: 7bit
Cc: hybi <hybi@ietf.org>, Brodie Thiesfield <brodie@jellycan.com>
Subject: Re: [hybi] WebSocket handshake (HTTP and SSO)
X-BeenThere: hybi@ietf.org
X-Mailman-Version: 2.1.9
Precedence: list
List-Id: Server-Initiated HTTP <hybi.ietf.org>
List-Unsubscribe: <https://www.ietf.org/mailman/listinfo/hybi>, <mailto:hybi-request@ietf.org?subject=unsubscribe>
List-Archive: <http://www.ietf.org/mail-archive/web/hybi>
List-Post: <mailto:hybi@ietf.org>
List-Help: <mailto:hybi-request@ietf.org?subject=help>
List-Subscribe: <https://www.ietf.org/mailman/listinfo/hybi>, <mailto:hybi-request@ietf.org?subject=subscribe>
X-List-Received-Date: Mon, 30 Aug 2010 17:54:08 -0000

Scott Ferguson wrote:
>> John Tamplin wrote:
>> How many websites actually use HTTP Auth to protect the data?  
> 
> Non-browser clients do. With Hessian (binary RPC over HTTP), HTTP auth 
> is very typical.
> 
> I'd prefer to build in WebSocket support to allow for a piggy-backed 
> DIGEST-style authentication, allowing the server response to send its 
> challenge and replace the clients first random bytes with an 
> authentication/hello frame, which would be the DIGEST credentials.

I can support the idea based on how Tamplin is viewing non-HTTP 
authentication method as the "new pseudo standard" - cookie-based 
authentication methods and how WebSocket is persistent with passing 
browser cookies.

So one may suggest to be also persistent with passing standard 
HTTP.Authorization headers as well.

Another related item is the draft to add cookie based Authentication 
schemes.

http://ltgt.net/projects/http-cookie-auth/draft-broyer-http-cookie-auth-00.html

So perhaps websocket server should begin to pass

      WWW-Authenticate: scheme

headers with the anticipation standard WWW-Authenticate: cookie 
schemes will be available and supported by WebSocket clients.  I 
believe some already using the draft guideline.

Whether the server honors or support the Authorization here generated 
by the  websocket implementation is another matter.  But it might good 
to have it available and see how its employed.

It would definitely change how we currently authenticate secondary 
session channels. But I think its worth an exploration.

> Non-browser clients exist and are important. You can't assume all 
> interactions are from a browser.

+1.

> We do need to make one change in the handshake, because the first client 
> data (the random bytes) is the logical place to put authentication 
> credentials.

When not just use the a HTTP.Authorization header?

> If we just punt and make applications write their own authentication 
> instead of piggybacking on the handshake, it would cost an extra round 
> trip.

But you also can't prevent this - when an non-authenticate request 
comes in.

As I pointed out in a previous point, this was among the #1 issues we 
had in our framework.  It was tricky to get the right flows and it 
included redirection.

The question becomes can a websocket server trigger the websocket 
client to perform an authentication process and how is that done?

Is a 401 with WWW-Authenticate: headers sufficient?  Is a 403 
sufficient to short-circuit the request?  Do we need to redirect the 
websocket client?

etc.

-- 
Hector Santos, CTO
http://www.santronics.com
http://santronics.blogspot.com

v2.23.0 | Report a Bug | By Email