Re: [hybi] About authentication mechanism

Iñaki Baz Castillo <ibc@aliax.net> Wed, 22 June 2011 10:43 UTC

Return-Path: <ibc@aliax.net>
X-Original-To: hybi@ietfa.amsl.com
Delivered-To: hybi@ietfa.amsl.com
Received: from localhost (localhost [127.0.0.1]) by ietfa.amsl.com (Postfix) with ESMTP id 3AA3211E80D7 for <hybi@ietfa.amsl.com>; Wed, 22 Jun 2011 03:43:05 -0700 (PDT)
X-Virus-Scanned: amavisd-new at amsl.com
X-Spam-Flag: NO
X-Spam-Score: -2.663
X-Spam-Level:
X-Spam-Status: No, score=-2.663 tagged_above=-999 required=5 tests=[AWL=0.014, BAYES_00=-2.599, FM_FORGED_GMAIL=0.622, MIME_8BIT_HEADER=0.3, RCVD_IN_DNSWL_LOW=-1]
Received: from mail.ietf.org ([64.170.98.30]) by localhost (ietfa.amsl.com [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id mQhT7aXsTEOI for <hybi@ietfa.amsl.com>; Wed, 22 Jun 2011 03:43:04 -0700 (PDT)
Received: from mail-qy0-f172.google.com (mail-qy0-f172.google.com [209.85.216.172]) by ietfa.amsl.com (Postfix) with ESMTP id 7CAAC11E80EC for <hybi@ietf.org>; Wed, 22 Jun 2011 03:43:04 -0700 (PDT)
Received: by qyk9 with SMTP id 9so3214840qyk.10 for <hybi@ietf.org>; Wed, 22 Jun 2011 03:42:48 -0700 (PDT)
MIME-Version: 1.0
Received: by 10.229.90.83 with SMTP id h19mr317540qcm.268.1308739368469; Wed, 22 Jun 2011 03:42:48 -0700 (PDT)
Received: by 10.229.181.209 with HTTP; Wed, 22 Jun 2011 03:42:48 -0700 (PDT)
In-Reply-To: <BANLkTi=LEOyhagpGZF9gTyLxGuqv5U64wmO_afwaw=eR=pVcPw@mail.gmail.com>
References: <BANLkTinerv=Ua4d-ma+uPVJjF95U1U5iXg@mail.gmail.com> <BANLkTin4mWJgQm+pfyYRs_RhRkdMBfY_Og@mail.gmail.com> <BANLkTiksptqmTWftg7Ur98QQnp22QV7OLA@mail.gmail.com> <BANLkTimw8T4pZieBeCjaPQJ8oYWfbTjkmg@mail.gmail.com> <BANLkTikOzzHF1dGz-2-UwTC0kb2ZQd_0Jw@mail.gmail.com> <BANLkTimCTTCU4UFA7JFuBvDZSFv++UyGCA@mail.gmail.com> <BANLkTinWnTxkCh9BM_utX0=pxzE02DypuA@mail.gmail.com> <BANLkTi=LEOyhagpGZF9gTyLxGuqv5U64wmO_afwaw=eR=pVcPw@mail.gmail.com>
Date: Wed, 22 Jun 2011 12:42:48 +0200
Message-ID: <BANLkTinGb38bLyH20Q-QaP2jeDCfgYvENw@mail.gmail.com>
From: =?UTF-8?Q?I=C3=B1aki_Baz_Castillo?= <ibc@aliax.net>
To: ifette@google.com
Content-Type: text/plain; charset=UTF-8
Content-Transfer-Encoding: quoted-printable
Cc: hybi@ietf.org, Greg Wilkins <gregw@intalio.com>
Subject: Re: [hybi] About authentication mechanism
X-BeenThere: hybi@ietf.org
X-Mailman-Version: 2.1.12
Precedence: list
List-Id: Server-Initiated HTTP <hybi.ietf.org>
List-Unsubscribe: <https://www.ietf.org/mailman/options/hybi>, <mailto:hybi-request@ietf.org?subject=unsubscribe>
List-Archive: <http://www.ietf.org/mail-archive/web/hybi>
List-Post: <mailto:hybi@ietf.org>
List-Help: <mailto:hybi-request@ietf.org?subject=help>
List-Subscribe: <https://www.ietf.org/mailman/listinfo/hybi>, <mailto:hybi-request@ietf.org?subject=subscribe>
X-List-Received-Date: Wed, 22 Jun 2011 10:43:05 -0000

2011/6/22 Ian Fette (イアンフェッティ) <ifette@google.com>om>:
>> Ok, but take into account that not all the WS connections would be
>> preceded by an access to a web page. Let's imagine a desktop wigdet
>> (or an Android app!) that directly open a WS connection (without
>> opening first a web page, so the client cannot authenticate via an
>> HTML form in "any custom way"). What to do then? How to prompt the
>> user for credentials? which authentication mechanism to use? So there
>> would be needed:
>
> A desktop widget / android app / ... surely already faces this problem with
> whatever communication mechanism they use, and I would be frankly amazed if
> they expected to solve it with http auth...

So:

- Web developers don't like HTTP authentication in web pages and
prefer authentication at application level. I agree, it's nicer, but
it relies on the fact that HTTP usualy carries a web page (application
data) in which the user can fill a form, submit, and get
authentication and a Cookie for a session.

- This WG does not want to cover authentication mechanism at all for
WebSocket protocol, and instead leave it again at application level.
But here there is no a rendered web page in which the user can fill a
login form. So...

Assuming that any websocket connection would be preceded by a web
access (in which login and a session Cookie has been got) would be a
terrible error IMHO. So, does nobody agree that WS needs a built-in
authentication mechanism? Honestly I cannot understand. Hope I miss
something very important in this topic.


PS: Ian, could I know what you propose on this topic? For now you have
given reasons not to mandate HTTP auth. Could I know how will Google
authenticate WS connections in separate just-WS-servers? maybe
validating the Cookie header (initially retrieved from the web page)
against a centralized storage backend? or maybe you plan to build an
authentication mechanism within the WS carried subprotocol? (just
wondering, I don't want to know Google's internals).

Regards.



-- 
Iñaki Baz Castillo
<ibc@aliax.net>