[hybi] About authentication mechanism
Iñaki Baz Castillo <ibc@aliax.net> Mon, 20 June 2011 12:01 UTC
Return-Path: <ibc@aliax.net>
X-Original-To: hybi@ietfa.amsl.com
Delivered-To: hybi@ietfa.amsl.com
Received: from localhost (localhost [127.0.0.1]) by ietfa.amsl.com (Postfix) with ESMTP id 02D8D11E808A for <hybi@ietfa.amsl.com>; Mon, 20 Jun 2011 05:01:39 -0700 (PDT)
X-Virus-Scanned: amavisd-new at amsl.com
X-Spam-Flag: NO
X-Spam-Score: -2.66
X-Spam-Level:
X-Spam-Status: No, score=-2.66 tagged_above=-999 required=5 tests=[AWL=0.017, BAYES_00=-2.599, FM_FORGED_GMAIL=0.622, MIME_8BIT_HEADER=0.3, RCVD_IN_DNSWL_LOW=-1]
Received: from mail.ietf.org ([64.170.98.30]) by localhost (ietfa.amsl.com [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id 9Sb7ke3aX8nj for <hybi@ietfa.amsl.com>; Mon, 20 Jun 2011 05:01:38 -0700 (PDT)
Received: from mail-qw0-f44.google.com (mail-qw0-f44.google.com [209.85.216.44]) by ietfa.amsl.com (Postfix) with ESMTP id 2331E11E807A for <hybi@ietf.org>; Mon, 20 Jun 2011 05:01:38 -0700 (PDT)
Received: by qwc23 with SMTP id 23so1289907qwc.31 for <hybi@ietf.org>; Mon, 20 Jun 2011 05:01:37 -0700 (PDT)
MIME-Version: 1.0
Received: by 10.229.17.17 with SMTP id q17mr3905071qca.154.1308571296587; Mon, 20 Jun 2011 05:01:36 -0700 (PDT)
Received: by 10.229.181.209 with HTTP; Mon, 20 Jun 2011 05:01:36 -0700 (PDT)
Date: Mon, 20 Jun 2011 14:01:36 +0200
Message-ID: <BANLkTinerv=Ua4d-ma+uPVJjF95U1U5iXg@mail.gmail.com>
From: Iñaki Baz Castillo <ibc@aliax.net>
To: hybi@ietf.org
Content-Type: text/plain; charset="UTF-8"
Content-Transfer-Encoding: quoted-printable
Subject: [hybi] About authentication mechanism
X-BeenThere: hybi@ietf.org
X-Mailman-Version: 2.1.12
Precedence: list
List-Id: Server-Initiated HTTP <hybi.ietf.org>
List-Unsubscribe: <https://www.ietf.org/mailman/options/hybi>, <mailto:hybi-request@ietf.org?subject=unsubscribe>
List-Archive: <http://www.ietf.org/mail-archive/web/hybi>
List-Post: <mailto:hybi@ietf.org>
List-Help: <mailto:hybi-request@ietf.org?subject=help>
List-Subscribe: <https://www.ietf.org/mailman/listinfo/hybi>, <mailto:hybi-request@ietf.org?subject=subscribe>
X-List-Received-Date: Mon, 20 Jun 2011 12:01:39 -0000
Hi, I would like to start a new thread for this topic as it seems that the draft does not cover it at all (just suggests that an HTTP response code other than 101 should be threated as RFC 2616 states: "1. If the status code received from the server is not 101, the client handles the response per HTTP procedures." (p. 30) The question is: should the browser prompt the human user for user/pass as when a 401 is received in the WS handshake attemp? Imagine this case: - www.domain.org => 1.1.1.1:80 - ws.domain.org => 1.1.1.2:443 - I open http://www.domain.org in my browser, fill some login form and retrieve websocket connection data, including an user and pass (for Digest). - My JavaScript is then provisioned (via JavaScript WebSocket API ????) with ws connection data: server ip, port, Digest user/passwd. - My web browser starts the ws connection with ws.domain.org:443. It receives 401 with Digest (so I need a nonce from the server before using my user/passwd). - JavaScript code automatically accepts the Digest chanllenge, generates a Digest response with the provided user/passwd and the retrieved Digest nonce, and re-send the HTTP GET request (all of this without prompting the user) with the Authorization header. - If the JavaScript code would not be proviosioned with user/pass, then upon receipt of the 401 it should prompt the user (like a JavaScript alert?). So, if all this stuff is not clearly specified (and I think passing user/pass to the JavaScript WebSocket connection API does not exist) then using HTTP Digest (or Basic) will be not useful or feasible, and I expect than using cookies and all that "pure just-web stuff" will be the only way. Please, take into account that a websocket server could run in a separate server, so using cookies mechanism is not so feasible (it could or not depending the case). Neither I think that cookies (a workaround to simulate sessions in HTTP protocol) are the best way to go. IMHO the draft should do much more effort in authentication process. Please don't let the door open to ugly and/or propietary authentication solutions. My proposal is that the JavaScript WebSocket API should include a method to pass authentication 'user' and 'password' (and optionally 'realm' so it would ignore the realm para in the 401 response when using Digest rather than Basic auth). In this way, I could open a webpage, perform usual login (maybe via a HTML form as commonly extended) and then retrieve WS connection data (WS URI), including user/pass/[realm]. So my JavaScript client would open a WS connection with the given destination and in case of receiving a 401 it would re-send the HTTP GET request with the appropriate Authorization header without prompting the user. This wouldn't be the only authentication mechanism, of course, but IMHO it should be documented (and covered by the JS WebSocket API). Regards. -- Iñaki Baz Castillo <ibc@aliax.net>
- [hybi] About authentication mechanism Iñaki Baz Castillo
- Re: [hybi] About authentication mechanism Iñaki Baz Castillo
- Re: [hybi] About authentication mechanism Greg Wilkins
- Re: [hybi] About authentication mechanism Iñaki Baz Castillo
- Re: [hybi] About authentication mechanism Ian Fette (イアンフェッティ)
- Re: [hybi] About authentication mechanism Iñaki Baz Castillo
- Re: [hybi] About authentication mechanism Ian Fette (イアンフェッティ)
- Re: [hybi] About authentication mechanism Iñaki Baz Castillo
- Re: [hybi] About authentication mechanism Iñaki Baz Castillo
- Re: [hybi] About authentication mechanism Ian Fette (イアンフェッティ)
- Re: [hybi] About authentication mechanism John Tamplin
- Re: [hybi] About authentication mechanism Iñaki Baz Castillo
- Re: [hybi] About authentication mechanism Ian Fette (イアンフェッティ)
- Re: [hybi] About authentication mechanism Iñaki Baz Castillo
- Re: [hybi] About authentication mechanism Ian Fette (イアンフェッティ)
- Re: [hybi] About authentication mechanism Greg Wilkins
- Re: [hybi] About authentication mechanism Iñaki Baz Castillo
- Re: [hybi] About authentication mechanism John Tamplin
- Re: [hybi] About authentication mechanism Iñaki Baz Castillo
- Re: [hybi] About authentication mechanism John Tamplin
- Re: [hybi] About authentication mechanism Greg Wilkins
- Re: [hybi] About authentication mechanism Iñaki Baz Castillo
- Re: [hybi] About authentication mechanism Iñaki Baz Castillo
- Re: [hybi] About authentication mechanism Bob Gezelter
- Re: [hybi] About authentication mechanism Iñaki Baz Castillo
- Re: [hybi] About authentication mechanism Greg Wilkins
- Re: [hybi] About authentication mechanism Ian Fette (イアンフェッティ)
- Re: [hybi] About authentication mechanism Iñaki Baz Castillo